Nginx 1.10 proxy https nail one nail

Last Update:2017-09-22 Source: Internet

Author: User

Tags openssl

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Environment:

centos6.5

nginx:1.10

Openssl:1.0.1e-15

Test Sample One:

URL for Web Access HTTPS protocol Https://test.xx.com/demo

Nginx on certificate configuration, Proxy backend non-security protocol URL, for example: http://xx.xx.com/xx

server {

Listen 443;

server_name test.xxxx.com;

SSL on;

SSL_CERTIFICATE/ETC/NGINX/KEY_FILE/XXXX.CRT;

Ssl_certificate_key/etc/nginx/key_file/xxxx.key;

Ssl_session_timeout 5m;

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:high:!anull:! md5:! rc4:! DHE;

Ssl_session_cache shared:ssl:50m;

Ssl_prefer_server_ciphers on;

Access_log/var/log/nginx/test.access.log;

Error_log/var/log/nginx/test.error.log;

Index index.html index.htm index.php index.jsp;

location/demo{

Proxy_pass Http://x.x.x.x/demo;

Proxy_redirect off;

Client_max_body_size 8m;

Proxy_set_header Host $host;

Proxy_set_header X-real-ip $remote _addr;

Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;

Proxy_connect_timeout 60s;

}

Front-end Access Https://test.xx.com/demo

This mode allows normal backend server to access the page (data forwarding, and so on), but in the case of multi-style page debugging, there is a related style call error.

Test Sample two:

URL for Web Access HTTPS protocol Https://test.xx.com/demo

Nginx to open the certificate configuration, the URL of the proxy backend security protocol, for example: https://xx.xx.com/xx

server {

Listen 443;

server_name test.xxxx.com;

SSL on;

SSL_CERTIFICATE/ETC/NGINX/KEY_FILE/XXXX.CRT;

Ssl_certificate_key/etc/nginx/key_file/xxxx.key;

Ssl_session_timeout 5m;

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:high:!anull:! md5:! rc4:! DHE;

Ssl_session_cache shared:ssl:50m;

Ssl_prefer_server_ciphers on;

Access_log/var/log/nginx/test.access.log;

Error_log/var/log/nginx/test.error.log;

Index index.html index.htm index.php index.jsp;

location/demo{

Proxy_pass Https://x.x.x.x/demo;

Proxy_redirect off;

Client_max_body_size 8m;

Proxy_set_header Host $host;

Proxy_set_header X-real-ip $remote _addr;

Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;

Proxy_connect_timeout 60s;

}

This mode compares the consumption of back-end performance.

At this point: back-end server https://172.10.18.34:8443/mpweb access is OK,

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/07/21/wKiom1nDuA2BY-FsAAAlgKPRyJ4001.png-wh_500x0-wm_ 3-wmp_4-s_3108836126.png "title=" Bb.png "alt=" Wkiom1ndua2by-fsaaalgkpryj4001.png-wh_50 "/>

Front-end Access Https://test.xxxx.com/demo report 502 error, check access log

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M02/A5/D2/wKioL1nDuJHTqAjAAABBznnagao501.jpg-wh_500x0-wm_ 3-wmp_4-s_1205990215.jpg "title=" 23.jpg "alt=" Wkiol1ndujhtqajaaabbznnagao501.jpg-wh_50 "/>

An error occurred during the SSL protocol session between the agent and the backend server:

[error] 7957#7957: *720292 ssl_do_handshake () failed (ssl: error:100ae081: elliptic curve routines:ec_group_new_by_curve_name:unknown group error:1408d010:ssl Routines:ssl3_get_key_exchange:ec lib) while SSL handshaking to upstream, client: 650) this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>x.x.x.x, server: 650" this.width=650; " Src= "Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif" style= "Background-image:url ("/e/u261/lang/ Zh-cn/images/localimage.png "); background-position:center;background-repeat:no-repeat;border:1px solid RGB ( 221,221,221); "alt=" Spacer.gif "/>test.huiepay.com, request: " get /favicon.ico http/1.1 ", upstream: "650" this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>https://172.10.18.34:8443/favicon.ico", host: "650" this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>test.xxxx.com", referrer: "650) this.width=650, "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); background-position:center;background-repeat:no-repeat;border:1px Solid RGB (221,221,221); "alt=" Spacer.gif "/>https://test.xxxx.com/mpweb"

By testing the sample one can be drawn, to troubleshoot the backend server problem, is still a proxy error.

By Elliptic Curve Routines:EC_GROUP_new_by_curve_name:unknown GROUP "Judging by this error message, you can tell: what version of OpenSSL

650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M01/07/21/wKiom1nDt7zQVre3AADBnHS2u2M627.jpg-wh_500x0-wm_ 3-wmp_4-s_400616500.jpg "title=" aa.jpg "alt=" Wkiom1ndt7zqvre3aadbnhs2u2m627.jpg-wh_50 "/>

After upgrading OpenSSL

650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M00/A5/D2/wKioL1nDuSvAGv_iAAAgX4NdPBQ770.png-wh_500x0-wm_ 3-wmp_4-s_775386185.png "title=" 21.png "alt=" Wkiol1ndusvagv_iaaagx4ndpbq770.png-wh_50 "/>

650) this.width=650; "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/ Images/localimage.png ") no-repeat center;border:1px solid #ddd;" alt= "Spacer.gif"/>

Access to normal

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/07/21/wKiom1nDua6jtTZgAAAfDdBcRI8968.jpg-wh_500x0-wm_ 3-wmp_4-s_3691773793.jpg "title=" 12.jpg "alt=" Wkiom1ndua6jttzgaaafddbcri8968.jpg-wh_50 "/>

Summary: In the case of Nginx proxy SSL, there are two modes:

1. Proxy backend non-SSL URL

2, Agent back-end SSL URL, this method must pay attention to the version of OpenSSL, the log will be detailed instructions, upgrade to the latest version of OpenSSL and try again.

This article is from "Welcome to Wenchy Blog" blog, please be sure to keep this source http://wenchylinux.blog.51cto.com/1340633/1967623

Nginx 1.10 proxy https nail one nail

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More