Nginx – SSL Termination with HAProxy and Nginx on Ubuntu

haproxy, nginx, openssl, ssl, ubuntu-12.04

I've been following this tutorial:

http://www.exratione.com/2012/12/websockets-over-ssl-haproxy-nodejs-nginx/

…but I've been having problems connecting to Nginx through HAProxy via SSL.

I'm getting Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error. in Chrome after the HTTP to HTTPS redirect and (Error code: ssl_error_rx_record_too_long) in Firefox.

I think it has something to do with the concatenation of files to create a .pem file.

Things I've tried:

  • Disabling HAProxy and accessing Nginx directly using SSL, which works
  • Not using SSL on HAProxy to access Nginx; this also works
  • Creating new SSL certificates following these steps: http://wiki.nginx.org/HttpSslModule
  • Checking permissions on SSL certificate files

My Nginx configuration:

server {
    listen   8080 ssl; ## listen for ipv4; this line is default and implied

    root /usr/share/nginx/www;
    index index.html index.htm;

    server_name localhost;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ /index.html;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
    }

    location /doc/ {
            alias /usr/share/doc/;
    }
}

I also have 3 SSL files:

  • /etc/ssl/certs/server.crt
  • /etc/ssl/private/server.key
  • both of which have been concatenated into /etc/ssl/server.pem, key first and cert second, as the tutorial states.

To possibly further complicate things I'm running Ubuntu 12.04 on Vagrant.

Thanks,

Ash

Best Answer

OK, there were a couple of problems with this.

The first is that I was enabling SSL in both HAProxy and Nginx, which is unnecessary and would cause problems by itself. So I disabled SSL in my Nginx config and restarted.

The second problem was that I was attempting to access this server (which was on a Guest Virtual Machine) through localhost, which worked partially because port 80 was being forwarded correctly. However, when it came to redirecting HTTP traffic to HTTPS, it would fail.

I'm guessing this is because HAProxy was redirecting to another port.

Anyway, accessing the server through the actual IP address works.
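
Added example, not part of the original question or answer: Firefox's ssl_error_rx_record_too_long commonly appears when the port reached over https:// answers in plain HTTP, which is an assumption about this setup rather than something the post confirms. The sketch below reads the first five bytes of a reply as a TLS record header, the way a client would; the function name and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record TLS 1.2 allows


def inspect_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes a server sent as a TLS record header."""
    if len(data) < 5:
        return {"verdict": "too-short"}
    # Header layout: 1-byte content type, 2-byte version, 2-byte length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor), "length": length}
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        info["verdict"] = "tls-" + CONTENT_TYPES[ctype]
    elif data.startswith(b"HTTP/"):
        # "HTTP/" read as a record header: type 0x48, version 0x54 0x54,
        # length 0x502F = 20527 bytes, which is over the limit, so the
        # client reports a record that is too long.
        info["verdict"] = "plaintext-http"
    else:
        info["verdict"] = "not-tls"
    return info


# Constructed samples (not captured from the poster's machine).
# A handshake record: 5-byte header announcing 74 bytes, then 74 bytes of body.
SAMPLE_TLS = bytes.fromhex("160303004a") + b"\x02" + bytes(73)
# What a plain HTTP listener sends back when it cannot parse a ClientHello.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(name, inspect_first_bytes(sample))
```

The input can be the first bytes of the server's reply taken from a packet capture of the failing connection.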