Nginx load balancer is hanging on SSL

load balancingnginxssl

I'm trying to get nginx to do load balancing across my web servers, while terminating SSL at the load balancer level. The nginx.conf file I'm using is based on all the guides for doing this exact thing yet I can't get it to work.
When going to standard HTTP, the load balancer works fine. However, when trying to access the load balancer via HTTPS the browser just hangs, eventually giving ERR_CONNECTION_REFUSED.

I see no errors in the logs, or even anything in the access logs when attempting HTTPS so I have no idea what the problem could be. I've tried lots of different configuration options, including trying different SSL certs, PEM encoding, bundling certs and so on all to no effect.

Here is the main part of the nginx.conf:

upstream backend {
    #web01
    server 10.01.01.102;
    #web02
    server 10.02.02.77;
}

#setup proxy
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# standard http server
server {
    listen 80;
    listen 4444;

    server_name *.example.com;

    location / {
        proxy_pass http://backend;
    }
}

#server for https requests
server {
    listen 443 ssl;

    server_name *.example.com;

    #ssl on;
    ssl_certificate /path/to/example.com.crt;
    ssl_certificate_key /path/to/example.com.key;

    location / {
        proxy_pass http://backend;
    }
}

Does anyone have any ideas? With no error output I'm not sure how to figure out what the issue is.

EDIT:

Still nothing in the logs when attempting to connect to HTTPS. The logs are setup and working when accessing the HTTP server (I get entries in the access log). Here is the relevant part of the nginx.conf file for the logs:

access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;

I just tested that the error log is working correctly and it is. I did so by removing the 'ssl_certificate' entry from the server block in the config file and then attempted to connect again. The error log (/var/log/nginx/nginx.vhost.error.log;) showed:

2014/09/23 13:41:28 [error] 10047#0: *9 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443.

I have put the ssl_certificate entry back, but I wanted to confirm the error logs are working. I also took a look through all the logs in /var/log and didn't see any errors related to nginx.

Best Answer

In the comments, you have verified that nginx process was running and telnet localhost 443 was working. But it doesn't mean that the outside party can reach your nginx. One layer you should check was firewall. It will inspect and drop the packet flowing to nginx if you don't allow rule to port 443.

Sidenote: Nginx error 400 Bad request, usually means that you telnet to nginx in https port but your request wasn't clear text or incomplete (e.g. no HTTP headers defined)

Related Topic