I am trying to use nginx as a reverse proxy to web logic with two way SSL/mutual SSL.
Client <= Two way SSL => NGINX <= Two Way SSL => WebLogic server
Client to NGINX two way SSL works fine but getting below errors on upstream connecting to web logic.
nginx debug log:
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 0 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: -1 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 2 2014/08/16 22:40:53 [debug] 33741#0: timer delta: 5 2014/08/16 22:40:53 [debug] 33741#0: posted events 0000000000000000 2014/08/16 22:40:53 [debug] 33741#0: worker cycle 2014/08/16 22:40:53 [debug] 33741#0: kevent timer: 59840, changes: 0 2014/08/16 22:40:53 [debug] 33741#0: kevent events: 2 2014/08/16 22:40:53 [debug] 33741#0: kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150 2014/08/16 22:40:53 [debug] 33741#0: *9 kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 1 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: 0 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 1 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream client: localhost, server: localhost, request: "GET /customers/~/xxxx/~/xxx/health HTTP/1.1", upstream: "https://xx.xx.xx.xxx:11211/customer-upstream/~/xxx/~/xxx/health/", host: "localhost:12121"
Here is my nginx configuration for upstream:
proxy_cache_path /opt/openresty/nginx/cache levels=1:2 keys_zone=data-cache:8m max_size=1000m inactive=600m;
proxy_temp_path /opt/openresty/nginx/cache/tmp;
upstream rs_backend {
server xx.xx.xx.xxx:11211;
}
server {
server_name localhost;
listen 12121 ssl;
ssl on;
ssl_verify_client on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#ssl_protocols TLSv1;
#ssl_ciphers SSL_RSA_WITH_RC4_128_MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
#ssl_ciphers HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
ssl_prefer_server_ciphers on;
proxy_ssl_session_reuse off;
large_client_header_buffers 4 32K;
ssl_certificate /etc/ssl/api-cert.pem;
ssl_certificate_key /etc/ssl/api-cert.key;
ssl_client_certificate /etc/ssl/api-cert.pem;
location /customers/
{
rewrite ^/customers/(.*) /customer-upstream/$1/ break;
proxy_redirect off;
proxy_ssl_verify on;
proxy_ssl_verify_depth 4;
proxy_ssl_trusted_certificate /etc/ssl/api-cert-nopass.pem;
proxy_pass_header Server;
proxy_http_version 1.1;
proxy_set_header Connection Keep-Alive;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host localhost:11211;
proxy_set_header Accept 'application/json;v=3';
proxy_pass https://xx.xx.xx.xxx:11211/;
#proxy_pass https://rs_backend;
}
I tried various options including commenting out below configs.
proxy_ssl_verify on; proxy_ssl_verify_depth 4;
If I try using openssl c_client command line, I am able to connect and get 2xx response for HTTP GET request.
openssl c_client -connect xx.xx.xx.xxx:11211 -cert api-qaid-nopass.pem
Any help would be appreciated.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 老娘就宠你 的文章《nginx reverse proxy with two way SSL to weblogic》','https://www.manongdao.com/article-384823.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}