Unfortunately, I'm not much of a system administrator and ran into a problem that made me bang my head against the wall.
In short, I run Nginx on EC2 (Ubuntu 14.04.4 LTS) to (a) host my marketing company's website ( https://example.com , which, by the way, is WordPress) and (b) act as a reverse proxy for specific paths to our Rails application running on Heroku (https://app.example.com). We use the same SSL certificate for example.com and app.example.com. All this worked great for 8-10 months, but I recently switched from Heroku's paid SSL add-on to their new free SSL offering, and now our reverse proxy is broken.
When checking Nginx error logs, I see the following:
SSL_do_handshake() failed (SSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: ipaddress1, server: example.com, request: "GET /proxiedpath/proxiedpage HTTP/1.1", upstream: "https://ipaddress2:443/proxiedpath/proxiedpage", host: "example.com"
I tried to find some additional guidance - I updated Nginx (1.10.1) and OpenSSL (1.0.2h) with no luck. I suspected that the problem might arise from Heroku's use of SNI in the new free SSL feature ( https://devcenter.heroku.com/articles/ssl-beta ), but could not determine why that would be the problem.
A few additional points of my research up to this point:
When I switched to Heroku's new free SSL, I changed our app.example.com DNS record to point to app.example.com.herokudns.com as indicated in the docs. The application is reachable as usual through app.example.com, and when I run nslookup on app.example.com and app.example.com.herokudns.com, I get the same IP address. But...
I cannot access the application through the IP address returned from nslookup or through app.example.com.herokudns.com. I suspect this is normal and expected, but I don't know enough to say exactly why this is so. AND...
The IP address returned from nslookup does not match the IP address shown in the log error message above ("ipaddress2"). In fact, "ipaddress2" is not consistent across all log entries - it seems to change regularly. Again, I don't know enough to know what I don't know... load balancing on the Heroku side?
And finally, my Nginx reverse proxy is configured as follows in nginx.conf:
http {
    client_max_body_size 500M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";

    server {
        listen 443 default_server;
        server_name example.com;
        root /usr/share/nginx/html;
        index index.php index.html index.htm;

        ssl on;
        ssl_certificate mycompanycert.crt;
        ssl_certificate_key mycompanykey.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # tried both "HIGH:!aNULL:!MD5" and "HIGH:!aNULL:!MD5:!3DES"
        ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        location / {
            try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        location ^~ /proxiedpath/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass https://app.example.com/proxiedpath/;
        }
    }
}
Any help is greatly appreciated - thanks a lot!
ssl reverse-proxy nginx configuration heroku
Bart
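The error line quoted in the question carries three facts worth pulling out of the log systematically: the OpenSSL error code, the TLS alert number the upstream sent back (80 = internal_error per RFC 5246), and the upstream IP that was actually dialled. The following is an added example, not code from the question or from Nginx or Heroku; it parses constructed sample lines in the same error-log format (placeholder IPs and paths) and counts distinct upstream addresses, which makes the "ipaddress2 keeps changing" observation visible as a set of resolved backends rather than one host.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx error-log format shown in the question.
# The IPs (RFC 5737 test ranges) and paths are placeholders, not real hosts.
SAMPLE_LOG = """\
2016/06/20 10:01:02 [error] 1234#0: *1 SSL_do_handshake() failed (SSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: 203.0.113.10, server: example.com, request: "GET /proxiedpath/proxiedpage HTTP/1.1", upstream: "https://192.0.2.11:443/proxiedpath/proxiedpage", host: "example.com"
2016/06/20 10:01:05 [error] 1234#0: *2 SSL_do_handshake() failed (SSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: 203.0.113.10, server: example.com, request: "GET /proxiedpath/other HTTP/1.1", upstream: "https://192.0.2.12:443/proxiedpath/other", host: "example.com"
2016/06/20 10:01:07 [error] 1234#0: *3 SSL_do_handshake() failed (SSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: 203.0.113.12, server: example.com, request: "GET /proxiedpath/proxiedpage HTTP/1.1", upstream: "https://192.0.2.11:443/proxiedpath/proxiedpage", host: "example.com"
2016/06/20 10:02:00 [error] 1234#0: *4 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.10, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
"""

# TLS alert descriptions from RFC 5246 section 7.2 (subset relevant to handshake failures).
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

# Matches only upstream handshake failures; other error lines are ignored.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \((?P<detail>[^)]*)\) while SSL handshaking to upstream"
    r".*?client: (?P<client>[^,]+)"
    r".*?upstream: \"https://(?P<upstream_ip>[^:/]+):(?P<upstream_port>\d+)"
    r".*?host: \"(?P<host>[^\"]+)\""
)
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def parse_upstream_handshake_failure(line):
    """Return a dict of the interesting fields, or None if the line is not an upstream TLS failure."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    alert = ALERT_RE.search(m.group("detail"))
    alert_num = int(alert.group(1)) if alert else None
    return {
        "client": m.group("client"),
        "upstream_ip": m.group("upstream_ip"),
        "upstream_port": int(m.group("upstream_port")),
        "host": m.group("host"),
        "alert_number": alert_num,
        "alert_name": TLS_ALERTS.get(alert_num, "unknown"),
    }


def summarize(log_text):
    """Count handshake failures per upstream address and per alert type."""
    events = [e for e in (parse_upstream_handshake_failure(l) for l in log_text.splitlines()) if e]
    return {
        "handshake_failures": len(events),
        "upstream_ips": Counter(e["upstream_ip"] for e in events),
        "alerts": Counter(e["alert_name"] for e in events),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['handshake_failures']} upstream handshake failures")
    for ip, n in summary["upstream_ips"].most_common():
        print(f"  upstream {ip}: {n}")
    for name, n in summary["alerts"].items():
        print(f"  alert {name}: {n}")
```

Run against the real /var/log/nginx/error.log, more than one upstream address for the same proxy_pass hostname is what a DNS-balanced backend looks like; the alert itself (internal_error) is what the remote TLS endpoint chose to send and says nothing about which client-side setting it disliked, so the next check is to compare the handshake the proxy sends with the one a browser sends to the same name.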