skip to Main Content

I am trying to proxy-pass traffic, over HTTP, from nginx to an old web server in my lab.
The old web server have an old self-signed certificate using TLSv1 and cipher RSA-PSK-AES128-CBC-SHA.

This is my current nginx config:

server {
    listen 80;
    server_name _;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    location ~ ^/(.*)$ {
        proxy_pass https://my-server:443/$1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_ssl_verify off;
    }
}

Sendig requests to the server I get status error 502, and in the nginx error.log, I see the following error:

2024/02/13 13:53:18 [error] 12#12: *1 SSL_do_handshake() failed (SSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled) while SSL handshaking to upstream, client: 192.168,1,122, server: _, request: "GET / HTTP/1.1", upstream: "https://my-server:443/", host: "192.168,1.25:80"

Updating the old self signed certificate is not an option.

I tried updating multipe nginx directives with no success.

Any suggestions on how to proceed?

2

Answers


  1. Chosen as BEST ANSWER

    The solution was to add the following nginx directive:

    proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
    

    So this is my new config:

    server {
        listen 80;
        server_name _;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        location ~ ^/(.*)$ {
            proxy_pass https://my-server:443/$1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_ssl_verify off;
            proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
        }
    }
    

    Seems like UnsafeLegacyRenegotiation is disabled by default on openssl conf on most newer systems, and using the proxy_ssl_conf_command it's possible to update the configuration for nginx easily.


  2. I encountered the same problem, however, my version of Nginx does not have the proxy_ssl_conf_command directive (it was added in version 1.19.4)

    As an additional workaround, you can change the openssl configuration in /usr/lib/ssl/openssl.cnf and add:
    Options = UnsafeLegacyRenegotiation to the [system_default_sect] section

    looked here: https://github.com/Kong/insomnia/issues/4543#issuecomment-1126771807

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search