Using Nginx as a HTTPS reverse proxy


This is a similar answer to nginx as reverse proxy with upstream SSL. There are separate ssl settings to set the acceptable protocols for your upstream proxy.

...

server {
    listen 6003;
    server_name example.com;
    ssl on;    # deprecated since nginx 1.15.0; newer releases use "listen 6003 ssl;" instead
    ssl_certificate  /etc/nginx/certs/example.pem;
    ssl_certificate_key  /etc/nginx/certs/private.key;
    ... other settings

    location / {
        proxy_pass https://example.com:6003;
        # certificate(s) used to verify the upstream; this only takes effect
        # together with "proxy_ssl_verify on;" (upstream verification is off by default)
        proxy_ssl_trusted_certificate /etc/nginx/certs/example.pem;
        # protocols nginx offers on the proxy-to-upstream leg; ssl_protocols
        # above only governs the client-to-proxy leg
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}

The three listed values for proxy_ssl_protocols are the current default set but they could conceivably change in future releases to remove TLSv1 and TLSv1.1.
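The point of the answer is that a reverse proxy takes part in two independent TLS handshakes: it is the server toward browsers (governed by ssl_protocols) and the client toward the upstream (governed by proxy_ssl_protocols). The handshake on the upstream leg only succeeds if the proxy's client-side protocol set overlaps the upstream's server-side set. The following Go program is an added illustration of that rule, not code from the answer or from nginx: it plays both sides over an in-memory pipe with a constructed self-signed certificate for a hypothetical upstream named upstream.example, once with protocol sets that do not overlap and twice with sets that do. It uses TLSv1.2 and TLSv1.3 rather than TLSv1.0, because current TLS libraries disable TLSv1.0 and TLSv1.1 by default; the mechanism is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name for the simulated upstream.
const upstreamName = "upstream.example"

// selfSignedCert builds a throwaway certificate for the simulated upstream
// (constructed in memory for this example; a real upstream presents its own).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: upstreamName},
		DNSNames:     []string{upstreamName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Handshake plays the upstream (server side, accepting at most upstreamMax)
// against the proxy (client side, requiring at least proxyMin) over an
// in-memory pipe. It returns the negotiated TLS version, or the error the
// proxy sees, which is what nginx logs as "SSL_do_handshake() failed ... to upstream".
func Handshake(upstreamMax, proxyMin uint16) (uint16, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf)

	// Upstream side: the upstream server's own protocol policy.
	upstreamCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             upstreamMax,
		SessionTicketsDisabled: true, // keeps post-handshake writes off the pipe
	}
	// Proxy side: the counterpart of proxy_ssl_protocols, with the upstream
	// certificate trusted as proxy_ssl_trusted_certificate + proxy_ssl_verify on would.
	proxyCfg := &tls.Config{
		MinVersion: proxyMin,
		MaxVersion: tls.VersionTLS13,
		RootCAs:    trusted,
		ServerName: upstreamName,
	}

	proxyEnd, upstreamEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer upstreamEnd.Close()
		_ = tls.Server(upstreamEnd, upstreamCfg).Handshake() // outcome is read on the proxy side
	}()
	proxy := tls.Client(proxyEnd, proxyCfg)
	err = proxy.Handshake()
	version := proxy.ConnectionState().Version
	proxyEnd.Close()
	<-done
	if err != nil {
		return 0, err
	}
	return version, nil
}

func main() {
	names := map[uint16]string{tls.VersionTLS12: "TLSv1.2", tls.VersionTLS13: "TLSv1.3"}
	cases := []struct {
		label                 string
		upstreamMax, proxyMin uint16
	}{
		{"upstream tops out at TLSv1.2, proxy offers only TLSv1.3", tls.VersionTLS12, tls.VersionTLS13},
		{"upstream tops out at TLSv1.2, proxy also offers TLSv1.2", tls.VersionTLS12, tls.VersionTLS12},
		{"both sides speak TLSv1.3", tls.VersionTLS13, tls.VersionTLS13},
	}
	for _, c := range cases {
		if v, err := Handshake(c.upstreamMax, c.proxyMin); err != nil {
			fmt.Printf("%s: handshake to upstream failed: %v\n", c.label, err)
		} else {
			fmt.Printf("%s: negotiated %s\n", c.label, names[v])
		}
	}
}
```

The first case fails on the proxy side with a protocol-version alert before any application data flows, which is the situation a 502 with a handshake error in the nginx error log describes; the other two succeed at the highest version both sides share. Note that the proxy verifies the upstream certificate here, whereas nginx does not unless proxy_ssl_verify is switched on, so listing a trusted certificate alone does not authenticate the upstream.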


Author: Chris Edgington (updated on September 18, 2022)

Comments

  • Chris Edgington
    Chris Edgington over 1 year

    I'm trying to set up an Nginx server to reverse proxy a Tomcat web service (which I don't have access to). This is essentially because the Tomcat server is running TLSv1.0, so I'm trying to bump up the version.

    However, when I try to access the proxy I'm getting a 502 error. The Nginx logs are showing: SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream.

    Here's my Nginx configuration:

    ssl_certificate  /etc/nginx/certs/public.pem;
    ssl_certificate_key  /etc/nginx/certs/private.key;
    ssl_session_timeout  5m;
    ssl_prefer_server_ciphers  on;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  AES256+EECDH:AES256+EDH:!aNULL;
    
    server {
        listen 6003;
        server_name example.com;
        ssl on;
        location / {
            proxy_pass https://example.com:6003;
        }
    }
    

    I've tried the same thing with Apache but see exactly the same error. Does anyone have any ideas?

  • Chris Edgington
    Chris Edgington over 6 years
    Thanks! I actually managed to get it working by using proxy_ssl_protocols TLSv1 only. Having the other two versions in there gave me the same error, but removing them solved the problem.