Can you please give some idea how to fix the following issue ? how I can pass domain name in the upstream request instead of ip address ?
Issue : Issue happening when i am using https. Request to upstream going as https//111.222.333.444:443/ How to pass the request as https://example.com instead of ip ? With ip its not able to connect to https because ssl is ceritified fir domain not for ip. So i am getting not trusted ssl exception.
Error :
2016/10/17 13:04:05 [error] 4600#2548: *238 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: x.x.x.x, server: nginxserver.com, request: "GET /leportal/lep/login.do HTTP/1.1", upstream: "https://x.x.x.x:443/app", host: "nginxserver.com"
Nginx.conf
worker_processes 1;
error_log logs/error.log info;
events {
worker_connections 10240;
}
http {
include mime.types;
default_type application/octet-stream;
upstream backend {
server backendserver.com:443;
}
server {
listen 443;
server_name nginxserver.com;
ssl on;
ssl_certificate /certificate/006.crt;
ssl_certificate_ /certificate/006-decrypted.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
keepalive_timeout 70;
location /leportal {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://backend;
proxy_ssl_trusted_certificate /certificate/certificate004.crt;
#proxy_ssl_certificate /certificate/public004.pem;
proxy_ssl_certificate_key /certificate/keyfile004-decrypted.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
Thanks and Regards,
Mihir Ranjan Das
Email : midas@ebay.com
Phone : +1 425-273-8397
Issue : Issue happening when i am using https. Request to upstream going as https//111.222.333.444:443/ How to pass the request as https://example.com instead of ip ? With ip its not able to connect to https because ssl is ceritified fir domain not for ip. So i am getting not trusted ssl exception.
Error :
2016/10/17 13:04:05 [error] 4600#2548: *238 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: x.x.x.x, server: nginxserver.com, request: "GET /leportal/lep/login.do HTTP/1.1", upstream: "https://x.x.x.x:443/app", host: "nginxserver.com"
Nginx.conf
worker_processes 1;
error_log logs/error.log info;
events {
worker_connections 10240;
}
http {
include mime.types;
default_type application/octet-stream;
upstream backend {
server backendserver.com:443;
}
server {
listen 443;
server_name nginxserver.com;
ssl on;
ssl_certificate /certificate/006.crt;
ssl_certificate_ /certificate/006-decrypted.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
keepalive_timeout 70;
location /leportal {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://backend;
proxy_ssl_trusted_certificate /certificate/certificate004.crt;
#proxy_ssl_certificate /certificate/public004.pem;
proxy_ssl_certificate_key /certificate/keyfile004-decrypted.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
Thanks and Regards,
Mihir Ranjan Das
Email : midas@ebay.com
Phone : +1 425-273-8397