Nginx 1.10 proxy https nail one nail

Source: Internet
Author: User
Tags openssl

Environment:

centos6.5

nginx:1.10

Openssl:1.0.1e-15


Test Sample One:


URL for Web Access HTTPS protocol Https://test.xx.com/demo


Nginx on certificate configuration, Proxy backend non-security protocol URL, for example: http://xx.xx.com/xx

server {

Listen 443;

server_name test.xxxx.com;

SSL on;

SSL_CERTIFICATE/ETC/NGINX/KEY_FILE/XXXX.CRT;

Ssl_certificate_key/etc/nginx/key_file/xxxx.key;

Ssl_session_timeout 5m;

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:high:!anull:! md5:! rc4:! DHE;

Ssl_session_cache shared:ssl:50m;

Ssl_prefer_server_ciphers on;


Access_log/var/log/nginx/test.access.log;

Error_log/var/log/nginx/test.error.log;

Index index.html index.htm index.php index.jsp;


location/demo{

Proxy_pass Http://x.x.x.x/demo;

Proxy_redirect off;

Client_max_body_size 8m;

Proxy_set_header Host $host;

Proxy_set_header X-real-ip $remote _addr;

Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;

Proxy_connect_timeout 60s;

}

}


Front-end Access Https://test.xx.com/demo

This mode allows normal backend server to access the page (data forwarding, and so on), but in the case of multi-style page debugging, there is a related style call error.



Test Sample two:


URL for Web Access HTTPS protocol Https://test.xx.com/demo


Nginx to open the certificate configuration, the URL of the proxy backend security protocol, for example: https://xx.xx.com/xx

server {

Listen 443;

server_name test.xxxx.com;

SSL on;

SSL_CERTIFICATE/ETC/NGINX/KEY_FILE/XXXX.CRT;

Ssl_certificate_key/etc/nginx/key_file/xxxx.key;

Ssl_session_timeout 5m;

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:high:!anull:! md5:! rc4:! DHE;

Ssl_session_cache shared:ssl:50m;

Ssl_prefer_server_ciphers on;


Access_log/var/log/nginx/test.access.log;

Error_log/var/log/nginx/test.error.log;

Index index.html index.htm index.php index.jsp;


location/demo{

Proxy_pass Https://x.x.x.x/demo;

Proxy_redirect off;

Client_max_body_size 8m;

Proxy_set_header Host $host;

Proxy_set_header X-real-ip $remote _addr;

Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;

Proxy_connect_timeout 60s;

}

}


This mode compares the consumption of back-end performance.

At this point: back-end server https://172.10.18.34:8443/mpweb access is OK,

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/07/21/wKiom1nDuA2BY-FsAAAlgKPRyJ4001.png-wh_500x0-wm_ 3-wmp_4-s_3108836126.png "title=" Bb.png "alt=" Wkiom1ndua2by-fsaaalgkpryj4001.png-wh_50 "/>

Front-end Access Https://test.xxxx.com/demo report 502 error, check access log

650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M02/A5/D2/wKioL1nDuJHTqAjAAABBznnagao501.jpg-wh_500x0-wm_ 3-wmp_4-s_1205990215.jpg "title=" 23.jpg "alt=" Wkiol1ndujhtqajaaabbznnagao501.jpg-wh_50 "/>


An error occurred during the SSL protocol session between the agent and the backend server:

 [error] 7957#7957: *720292 ssl_do_handshake ()  failed  (ssl: error:100ae081: elliptic curve routines:ec_group_new_by_curve_name:unknown group error:1408d010:ssl  Routines:ssl3_get_key_exchange:ec lib)  while SSL handshaking to upstream,  client: 650) this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>x.x.x.x, server: 650" this.width=650; " Src= "Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif" style= "Background-image:url ("/e/u261/lang/ Zh-cn/images/localimage.png "); background-position:center;background-repeat:no-repeat;border:1px solid RGB ( 221,221,221); "alt=" Spacer.gif "/>test.huiepay.com, request: " get /favicon.ico http/1.1 ",  upstream:  "650" this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>https://172.10.18.34:8443/favicon.ico",  host:  "650" this.width=650; "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); Background-position:center;background-repeat: no-repeat;border:1px solid RGB (221,221,221); "alt=" Spacer.gif "/>test.xxxx.com", referrer:  "650) this.width=650, "src=" Http://blog.51cto.com/e/u261/themes/default/images/spacer.gif "style=" Background-image:url ("/e/u261/lang/zh-cn/images/localimage.png"); background-position:center;background-repeat:no-repeat;border:1px Solid RGB (221,221,221); "alt=" Spacer.gif "/>https://test.xxxx.com/mpweb"  


By testing the sample one can be drawn, to troubleshoot the backend server problem, is still a proxy error.


By Elliptic Curve Routines:EC_GROUP_new_by_curve_name:unknown GROUP "Judging by this error message, you can tell: what version of OpenSSL


650) this.width=650; "Src=" https://s2.51cto.com/wyfs02/M01/07/21/wKiom1nDt7zQVre3AADBnHS2u2M627.jpg-wh_500x0-wm_ 3-wmp_4-s_400616500.jpg "title=" aa.jpg "alt=" Wkiom1ndt7zqvre3aadbnhs2u2m627.jpg-wh_50 "/>

After upgrading OpenSSL

650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M00/A5/D2/wKioL1nDuSvAGv_iAAAgX4NdPBQ770.png-wh_500x0-wm_ 3-wmp_4-s_775386185.png "title=" 21.png "alt=" Wkiol1ndusvagv_iaaagx4ndpbq770.png-wh_50 "/>

650) this.width=650; "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/ Images/localimage.png ") no-repeat center;border:1px solid #ddd;" alt= "Spacer.gif"/>

Access to normal

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/07/21/wKiom1nDua6jtTZgAAAfDdBcRI8968.jpg-wh_500x0-wm_ 3-wmp_4-s_3691773793.jpg "title=" 12.jpg "alt=" Wkiom1ndua6jttzgaaafddbcri8968.jpg-wh_50 "/>


Summary: In the case of Nginx proxy SSL, there are two modes:


1. Proxy backend non-SSL URL

2, Agent back-end SSL URL, this method must pay attention to the version of OpenSSL, the log will be detailed instructions, upgrade to the latest version of OpenSSL and try again.




This article is from "Welcome to Wenchy Blog" blog, please be sure to keep this source http://wenchylinux.blog.51cto.com/1340633/1967623

Nginx 1.10 proxy https nail one nail

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.