I am trying to proxy-pass traffic, over HTTP, from nginx to an old web server in my lab.
The old web server has an old self-signed certificate, using TLSv1 and the cipher RSA-PSK-AES128-CBC-SHA.
This is my current nginx config:
server {
    listen 80;
    server_name _;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location ~ ^/(.*)$ {
        # Forward every request to the legacy HTTPS upstream, re-appending the captured path
        proxy_pass https://my-server:443/$1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # HTTP/1.1 plus the Upgrade/Connection headers so WebSocket upgrades pass through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # The upstream certificate is self-signed, so do not verify it (this is the default)
        proxy_ssl_verify off;
    }
}
Sending requests to the server I get a 502 status error, and in the nginx error.log I see the following error:
2024/02/13 13:53:18 [error] 12#12: *1 SSL_do_handshake() failed (SSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled) while SSL handshaking to upstream, client: 192.168,1,122, server: _, request: "GET / HTTP/1.1", upstream: "https://my-server:443/", host: "192.168,1.25:80"
Updating the old self-signed certificate is not an option.
I tried updating multiple nginx directives with no success.
Any suggestions on how to proceed?
2 Answers
The solution was to add the following nginx directive:

    proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;

So this is my new config:

Seems like UnsafeLegacyRenegotiation is disabled by default in the OpenSSL configuration on most newer systems, and using the proxy_ssl_conf_command directive it's possible to update the configuration for nginx easily.

I encountered the same problem, however my version of nginx does not have the proxy_ssl_conf_command directive (it was added in version 1.19.4).
As an additional workaround, you can change the OpenSSL configuration in /usr/lib/ssl/openssl.cnf and add:

    Options = UnsafeLegacyRenegotiation

to the [system_default_sect] section.
looked here: https://github.com/Kong/insomnia/issues/4543#issuecomment-1126771807
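The two answers describe the same OpenSSL option applied at two different scopes. As an added example covering both (this is not code from the question or from either answer), the POSIX shell script below checks the installed nginx version against the 1.19.4 cut-off mentioned in the second answer and renders whichever fix applies: the location-scoped proxy_ssl_conf_command from the first answer when the directive exists, otherwise the openssl.cnf edit from the second. UnsafeLegacyRenegotiation tells OpenSSL to complete a handshake with a peer that does not offer RFC 5746 secure renegotiation, which is exactly the weakness the default refuses, so the nginx directive is the better choice: it affects only the connection to that one upstream, whereas the openssl.cnf change applies to every process on the host that loads that file. The upstream name my-server and the config paths are taken from the thread; SAMPLE_BANNER is a constructed stand-in for the output of nginx -v, and the [openssl_init]/[ssl_sect] chain in the rendered openssl.cnf fragment is assumed (distributions that already ship it only need the Options line).

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Picks the
# workaround for "unsafe legacy renegotiation disabled" that fits the
# installed nginx and renders it, keeping the relaxation as narrow as possible.
# Assumptions: my-server and the paths come from the thread; SAMPLE_BANNER is a
# constructed stand-in for what `nginx -v` prints (it goes to stderr).

SAMPLE_BANNER='nginx version: nginx/1.18.0'   # constructed sample banner

# "nginx version: nginx/1.18.0" -> "1.18.0"
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# True (exit 0) when dotted version $1 >= $2; POSIX awk, no sort -V needed
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# proxy_ssl_conf_command exists from nginx 1.19.4 onwards (per the second answer)
choose_fix() {
    ver=$(nginx_version_from_banner "$1")
    if [ -n "$ver" ] && version_ge "$ver" 1.19.4; then
        echo proxy_ssl_conf_command
    else
        echo openssl.cnf
    fi
}

# Preferred: the option is confined to the one location that talks to the
# legacy upstream; every other TLS client on the host keeps the safe default.
render_nginx_fix() {
    cat <<'EOF'
location ~ ^/(.*)$ {
    proxy_pass https://my-server:443/$1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_ssl_verify off;
    # Accept an upstream without RFC 5746 secure renegotiation; only this
    # proxied connection is affected.
    proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
}
EOF
}

# Fallback for nginx < 1.19.4: the process-wide OpenSSL config. This applies to
# every program that loads this openssl.cnf, not only nginx. The section chain
# (openssl_conf -> openssl_init -> ssl_conf -> system_default) is assumed here;
# distributions that already ship it only need the Options line added.
render_openssl_cnf_fix() {
    cat <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
}

main() {
    if command -v nginx >/dev/null 2>&1; then
        banner=$(nginx -v 2>&1)
    else
        banner=$SAMPLE_BANNER
    fi
    case "$(choose_fix "$banner")" in
        proxy_ssl_conf_command) render_nginx_fix ;;
        openssl.cnf)            render_openssl_cnf_fix ;;
    esac
}

main
```

Run it on the proxy host and paste the rendered fragment into the location block (or openssl.cnf), then reload nginx and re-check error.log; if the handshake still fails, the message will name a different cause than renegotiation.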