Re: SSL handshake failure when using "send-proxy" on HTTPS backend
2015-12-07 13:26 GMT+01:00 Lukas Tribus:
> True, but it's always a good idea to simplify the configuration when
> troubleshooting issues like this. For testing purposes, therefore, you
> should try with just one server declaration (e.g. what if nginx doesn't
> propagate the proxy_protocol directive correctly due to a bug?).

So, yeah, it was a bug on the Nginx side: https://trac.nginx.org/nginx/ticket/858

> btw: you are using unencrypted backend traffic as well, what's the reason
> to encrypt some but not all of the backend traffic?

The application needs to receive HTTP and HTTPS requests on separate ports.

Thank you all :)

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
RE: SSL handshake failure when using "send-proxy" on HTTPS backend
> Both listen directives on port 8443 use SSL.
> With Nginx, listening options must be specified on only one "listen"
> directive for each address:port combination.
>
> So the "listen 10.0.80.1:8443" directive inherits parameters from
> "listen 10.0.80.1:8443 default_server ssl proxy_protocol"

True, but it's always a good idea to simplify the configuration when
troubleshooting issues like this. For testing purposes, therefore, you
should try with just one server declaration (e.g. what if nginx doesn't
propagate the proxy_protocol directive correctly due to a bug?).

To see if haproxy is behaving correctly, tcpdump the failed SSL backend
session and check out how it looks on the wire. Then you will have
evidence whether haproxy or nginx is behaving incorrectly.

btw: you are using unencrypted backend traffic as well, what's the reason
to encrypt some but not all of the backend traffic?

Regards,

Lukas
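What the capture suggested above should show, as an added example that is not part of the original thread: with `ssl send-proxy` the PROXY protocol header goes out in cleartext first and the TLS ClientHello follows it. The Python below classifies the first client-to-server bytes of one backend connection; it also covers the v2 binary header (`send-proxy-v2`), which the thread does not use, and the function names and sample bytes are constructed for this example.

```python
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY protocol v2 signature

def split_proxy_header(data: bytes):
    """Return (proxy_header, remainder); proxy_header is None if absent."""
    if data.startswith(b"PROXY "):                  # v1: one ASCII line
        end = data.find(b"\r\n", 0, 108)            # spec caps the line at 107 bytes
        if end == -1:
            raise ValueError("PROXY v1 line not terminated within 107 bytes")
        return data[:end + 2], data[end + 2:]
    if data.startswith(V2_SIG):                     # v2: 16-byte fixed part + payload
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        (length,) = struct.unpack("!H", data[14:16])
        if len(data) < 16 + length:
            raise ValueError("truncated PROXY v2 payload")
        return data[:16 + length], data[16 + length:]
    return None, data

def is_tls_client_hello(data: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length;
    # the first handshake byte is 0x01 for ClientHello.
    return (len(data) >= 6 and data[0] == 0x16
            and data[1] == 0x03 and data[5] == 0x01)

def classify(client_bytes: bytes) -> str:
    """Classify the first client-to-server bytes of one backend connection."""
    header, rest = split_proxy_header(client_bytes)
    tls = is_tls_client_hello(rest)
    if header is None:
        return "tls-without-proxy-header" if tls else "unrecognised"
    return "proxy-header-then-tls" if tls else "proxy-header-then-other"

# Constructed samples (not taken from the capture discussed in the thread).
HELLO = bytes.fromhex("16030100c8010000c40303") + bytes(32)
V1 = b"PROXY TCP4 192.0.2.10 10.0.80.1 51234 8443\r\n"
V2 = V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12) + bytes(12)

if __name__ == "__main__":
    for name, sample in [("ssl send-proxy", V1 + HELLO),
                         ("ssl only", HELLO),
                         ("ssl send-proxy-v2", V2 + HELLO)]:
        print(f"{name:18} -> {classify(sample)}")
```

A result of `proxy-header-then-tls` means the sender did what `ssl send-proxy` asks, which points the investigation at the receiving listener; `tls-without-proxy-header` points at the sender.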
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
2015-12-06 12:25 GMT+01:00 Lukas Erlacher:
> I can't find an obvious error with this. When I tried combining SSL and
> proxy protocol in Postfix, it didn't work due to a bug in Postfix. Maybe you
> should try to ask an nginx support list instead.

Thanks, I'll try that.

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
2015-12-06 16:14 GMT+01:00 PiBa-NL:
> Hi,
>
> I've never used nginx and have little experience with proxy_protocol.. But
> could it be an issue that on the same port you're both using and not using
> proxy protocol? What happens if you remove the first server definition
> there?
>
> server {
>     listen 10.0.80.1:8443;
> server {
>     listen 10.0.80.1:8443 default_server ssl proxy_protocol;
>
> Just a thought..

Hi,

See my previous response to Lukas Tribus. With Nginx, listening options
must be specified only once for the same address+port combinations.

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
Hi,

I've never used nginx and have little experience with proxy_protocol.. But
could it be an issue that on the same port you're both using and not using
proxy protocol? What happens if you remove the first server definition
there?

    server {
        listen 10.0.80.1:8443;
    server {
        listen 10.0.80.1:8443 default_server ssl proxy_protocol;

Just a thought..

Regards,
PiBa-NL

On 6-12-2015 at 12:25, Lukas Erlacher wrote:
> Hi,
>
> On 12/04/2015 04:27 PM, Jonathan Leroy - Inikup wrote:
>> 2015-12-04 13:23 GMT+01:00 Lukas Erlacher:
>>> Please show the nginx config.
>>
>> Hi Luke,
>>
>> Here's the Nginx config:
>> https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt
>>
>> Thanks,
>
> I can't find an obvious error with this. When I tried combining SSL and
> proxy protocol in Postfix, it didn't work due to a bug in Postfix. Maybe you
> should try to ask an nginx support list instead.
>
> Best,
> Luke
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
Hi,

On 12/04/2015 04:27 PM, Jonathan Leroy - Inikup wrote:
> 2015-12-04 13:23 GMT+01:00 Lukas Erlacher:
>> Please show the nginx config.
>
> Hi Luke,
>
> Here's the Nginx config:
> https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt
>
> Thanks,

I can't find an obvious error with this. When I tried combining SSL and
proxy protocol in Postfix, it didn't work due to a bug in Postfix. Maybe you
should try to ask an nginx support list instead.

Best,
Luke
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
Hi,

2015-12-04 17:02 GMT+01:00 Lukas Tribus:
> Well, you will have to update the first config line in nginx:
> set_real_ip_from fc00::/7
>
> To allow proxy connection from the ULA range.

Already done.

> As to the original problem:
> I don't think you can use both SSL and non-SSL on the same port (8443).
>
> The non-SSL server block should have a dedicated port, otherwise nginx
> will never know what to expect (SSL vs non-SSL, proxy or not proxy).

Both listen directives on port 8443 use SSL.
With Nginx, listening options must be specified on only one "listen"
directive for each address:port combination.

So the "listen 10.0.80.1:8443" directive inherits parameters from
"listen 10.0.80.1:8443 default_server ssl proxy_protocol"

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
RE: SSL handshake failure when using "send-proxy" on HTTPS backend
> 2015-12-04 16:27 GMT+01:00 Jonathan Leroy - Inikup:
>> Hi Luke,
>>
>> Here's the Nginx config:
>> https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt
>
> Now that I use ULA instead of link-local addresses, send-proxy no
> longer works on HTTP backend...

Well, you will have to update the first config line in nginx:
set_real_ip_from fc00::/7

To allow proxy connection from the ULA range.

As to the original problem:
I don't think you can use both SSL and non-SSL on the same port (8443).

The non-SSL server block should have a dedicated port, otherwise nginx
will never know what to expect (SSL vs non-SSL, proxy or not proxy).

Regards,

Lukas
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
2015-12-04 16:27 GMT+01:00 Jonathan Leroy - Inikup:
> Hi Luke,
>
> Here's the Nginx config:
> https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt

Now that I use ULA instead of link-local addresses, send-proxy no
longer works on HTTP backend...

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
2015-12-04 13:23 GMT+01:00 Lukas Erlacher:
> Please show the nginx config.

Hi Luke,

Here's the Nginx config:
https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt

Thanks,

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72
Re: SSL handshake failure when using "send-proxy" on HTTPS backend
Please show the nginx config.

Best,
Luke

On 12/04/2015 03:30 AM, Jonathan Leroy - Inikup wrote:
> Hi,
>
> I have two backends named "nginx-http" and "nginx-https": the first
> one handles HTTP connections, the second one HTTPS connections.
>
> The proxy protocol works successfully on nginx-http backend:
>
>     server server1 10.0.80.1:8080 send-proxy check check-send-proxy fall 3 inter 2s weight 10
>
> But the same configuration doesn't work on nginx-https backend ("SSL
> handshake failure"):
>
>     server server1 10.0.80.1:8443 ssl send-proxy check check-send-proxy check-ssl ca-file /etc/ssl/certs/Certum_Trusted_Network_CA.pem cookie test1 fall 3 inter 2s weight 10
>
> As soon as I remove the "send-proxy" and "check-send-proxy" directives
> everything works fine, so I think this is not an SSL-related issue.
>
> I use latest HAProxy and Nginx stable versions on Debian Jessie. SPDY
> is not activated on Nginx side.
>
> Thanks,
SSL handshake failure when using "send-proxy" on HTTPS backend
Hi,

I have two backends named "nginx-http" and "nginx-https": the first
one handles HTTP connections, the second one HTTPS connections.

The proxy protocol works successfully on nginx-http backend:

    server server1 10.0.80.1:8080 send-proxy check check-send-proxy fall 3 inter 2s weight 10

But the same configuration doesn't work on nginx-https backend ("SSL
handshake failure"):

    server server1 10.0.80.1:8443 ssl send-proxy check check-send-proxy check-ssl ca-file /etc/ssl/certs/Certum_Trusted_Network_CA.pem cookie test1 fall 3 inter 2s weight 10

As soon as I remove the "send-proxy" and "check-send-proxy" directives
everything works fine, so I think this is not an SSL-related issue.

I use latest HAProxy and Nginx stable versions on Debian Jessie. SPDY
is not activated on Nginx side.

Thanks,

--
Jonathan Leroy
http://www.inikup.com/
Tel: +33 (0)9 74 77 41 72