
I've looked at some examples but I really can't figure out why SSL won't work. My situation:

First of all, I have a Rails application with Passenger; the normal application works with nginx, no problem there. I would like to add SSL support on some paths (for example /admin or /config). I've self-signed my certificate because the URLs will be used by an Android application to send data securely to the server; this is the only reason why I need SSL support.

From what I understand, I should enable both HTTP and HTTPS in nginx and let the Rails application decide whether to use HTTP or HTTPS (correct me if I'm wrong). So what should my nginx configuration look like to allow both HTTPS and HTTP on the same IP/address? I've used the following commands to generate my certificates:

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
openssl req -new -out newcerts/webserver-cert.pem -keyout private/webserver-key.pem
echo '01' > serial
touch index.txt
openssl ca -cert cacert.pem -keyfile private/cakey.pem -out certs/webserver-cert.pem -in newcerts/webserver-cert.pem

Now I don't know if this is the right way to do it; any help on this would also be welcome :)

Thanks!

UPDATE

This is my current configuration; when I use HTTPS I get the following error: "SSL connection error"

root@event-backend:/opt# cat /opt/nginx/conf/nginx.conf

worker_processes 1;
error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    passenger_root /usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12;
    passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.3-p194@rails32/ruby;

    include       mime.types;
    default_type  application/octet-stream;

    #access_log  logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

   server {
        listen 80;

        server_name 192.168.20.32;
        root /opt/bap-backend/public;

        location ~ .php$ {
                fastcgi_split_path_info ^(.+\.php)(.*)$;
                fastcgi_pass 192.168.20.32:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /opt/www$fastcgi_script_name;
                include fastcgi_params;
        }

        passenger_enabled on;
   }

   server {
        listen 443 ssl;

        server_name 192.168.20.32;
        root /opt/bap-backend/public;

        #SSL options
        ssl_certificate         /opt/certificate/server.crt;
        ssl_certificate_key     /opt/certificate/server.key;

        location / {
                proxy_set_header X-FORWARDED_PROTO $scheme;
        }
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        passenger_enabled on;
   }

}

Is this normal, or is this because I didn't change anything in my Rails application?

LOGS

root@event-backend:/opt# netstat --tcp --listening --programs
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN      392/sendmail: MTA:
tcp        0      0 *:https                 *:*                     LISTEN      8799/nginx
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      226/mysqld
tcp        0      0 localhost.lo:submission *:*                     LISTEN      392/sendmail: MTA:
tcp        0      0 *:www                   *:*                     LISTEN      8799/nginx
tcp        0      0 *:ssh                   *:*                     LISTEN      213/sshd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      213/sshd


root@event-backend:/opt# cat nginx/logs/error.log

2012/05/11 07:44:29 [notice] 1562#0: signal 15 (SIGTERM) received, exiting
2012/05/11 07:44:29 [notice] 1564#0: exiting
2012/05/11 07:44:29 [notice] 1564#0: exit
2012/05/11 07:44:29 [notice] 1562#0: signal 17 (SIGCHLD) received
2012/05/11 07:44:29 [notice] 1562#0: worker process 1564 exited with code 0
2012/05/11 07:44:29 [notice] 1562#0: exit
2012/05/11 07:44:29 [notice] 8756#0: using the "epoll" event method
2012/05/11 07:44:29 [notice] 8756#0: nginx/1.0.15
2012/05/11 07:44:29 [notice] 8756#0: built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5)
2012/05/11 07:44:29 [notice] 8756#0: OS: Linux 2.6.32-6-pve
2012/05/11 07:44:29 [notice] 8756#0: getrlimit(RLIMIT_NOFILE): 1024:1024
2012/05/11 07:44:29 [notice] 8799#0: start worker processes
2012/05/11 07:44:29 [notice] 8799#0: start worker process 8801

root@event-backend:/opt/nginx/sbin# ./nginx -V
nginx version: nginx/1.0.15
built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --add-module=/usr/local/rvm/gems/ruby-1.9.3-p194@rails32/gems/passenger-3.0.12/ext/nginx --with-http_ssl_module

UPDATE 2

There was a firewall doing some crazy stuff; now I can use HTTPS, but I find the following errors in my logs:

root@event-backend:/opt# cat nginx/logs/error.log

2012/05/11 12:48:15 [info] 14713#0: *229 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32
2012/05/11 12:48:15 [info] 14713#0: *230 client closed prematurely connection while SSL handshaking, client: 192.168.20.1, server: 192.168.20.32
2012/05/11 12:48:15 [error] 14713#0: *231 directory index of "/opt/bap-backend/public/" is forbidden, client: 192.168.20.1, server: 192.168.20.32, request: "GET / HTTP/1.1", host: "192.168.20.32"
DanFritz
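The certificate workflow from the question, written out as a non-interactive script. This is an added example, not code from the original post: it assumes the server IP 192.168.20.32 from the question, an output directory passed as the first argument (default ./pki), and a current openssl on PATH. It replaces the two-step `openssl ca` flow (which needs the serial and index.txt bookkeeping) with `openssl x509 -req`, signs the server certificate with a subjectAltName for the IP, since TLS clients match an IP address against the SAN rather than the CN, and finishes by verifying the chain the way a client would.

```shell
#!/bin/sh
# Added example: private CA + server certificate for nginx, with IP SAN and verification.
# Assumed layout mirrors the question: private/ for keys, certs/ for the issued cert.
set -eu

make_server_cert() {
    dir="${1:-./pki}"
    ip="${2:-192.168.20.32}"     # assumed server address, from the question
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"

    # 1. CA key and self-signed CA certificate. -nodes leaves the key unencrypted so
    #    nothing prompts for a passphrase (nginx would otherwise prompt at every start);
    #    protect it with filesystem permissions instead.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example private CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem"

    # 2. Server key and certificate signing request (CN = the address clients will use).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$ip" \
        -keyout "$dir/private/webserver-key.pem" -out "$dir/webserver.csr"
    chmod 600 "$dir/private/"*.pem

    # 3. Sign the CSR with the CA. The extension file adds the IP as a SAN and marks
    #    the cert as a non-CA server certificate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ip" > "$dir/san.ext"
    openssl x509 -req -days 825 -CAcreateserial \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -in "$dir/webserver.csr" -extfile "$dir/san.ext" \
        -out "$dir/certs/webserver-cert.pem"

    # 4. Verify the issued certificate against the CA, as a pinning client will.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/webserver-cert.pem" >/dev/null
}

# Returns 0 if the certificate at $1 carries an IP SAN equal to $2.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Usage: sh make_certs.sh /opt/certificate 192.168.20.32
if [ "${1:-}" != "" ]; then
    make_server_cert "$1" "${2:-192.168.20.32}"
fi
```

Point `ssl_certificate` at certs/webserver-cert.pem and `ssl_certificate_key` at private/webserver-key.pem, and ship only cacert.pem (never cakey.pem) to the Android app as its pinned trust anchor.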

1 Answer


All you need is a second server { block that's configured for SSL on port 443.

You'll want a listen 443 ssl; directive and directives pointing to your public and private keys; ssl_certificate /path/to/webserver-cert.pem; and ssl_certificate_key /path/to/webserver-key.pem;.

Shane Madden
  • What about the server_name and root? Should I re-add them or define them again or something, or just make a new server and only specify the SSL parameters? – DanFritz May 10 '12 at 08:37
  • You'll want the base config from the original `server` block as well. – Shane Madden May 10 '12 at 15:19
  • I've added my configuration; I still have an error, can you look at it? Thanks a lot! – DanFritz May 10 '12 at 20:58
  • Looks good. Any errors in the nginx log? Verify that it's listening on 443 with `netstat`? – Shane Madden May 10 '12 at 21:35
  • I've added the logs and also the error messages from different browsers; Firefox's errors seem to point at something. – DanFritz May 11 '12 at 05:59
  • Those errors indicate that it's trying to talk plain HTTP on the SSL port. What version of nginx are you on? Add `ssl on;` to the config if it's older than 0.7.14. Also, verify that the SSL module is enabled. – Shane Madden May 11 '12 at 06:20
  • I'm at nginx 1.0.15 (latest) and the SSL module is enabled; I've added the nginx -V output to the logs in my original post. – DanFritz May 11 '12 at 10:29
  • Those SSL errors might indicate some remaining issue with the firewall - what does the browser client display when that error comes up, or does it successfully connect? Maybe do a packet capture with Wireshark to find what's going on? – Shane Madden May 11 '12 at 15:41
  • Thanks a lot for your help, I have it working now but there is still a problem (at the firewall side). But I know how to solve it! Thanks again! – DanFritz May 11 '12 at 15:56
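The two server blocks the answer describes, with the weak settings from the posted configuration shown beside their replacements. This is an added example, not the poster's or Shane Madden's configuration. It assumes a current nginx and OpenSSL (the 1.0.15 build in the question cannot negotiate TLS 1.2 or 1.3), the certificate paths from the question, and Passenger 3's `passenger_set_cgi_param` directive (later Passenger versions renamed it). The `proxy_set_header` line in the posted 443 block has no effect because Passenger is not a `proxy_pass` backend; the CGI parameter is what lets Rails' `request.ssl?` and `force_ssl` see that the request arrived over HTTPS.

```nginx
# Plain HTTP: keep serving the app, but redirect the sensitive paths to HTTPS
# at the edge so a misconfigured client cannot send admin traffic in the clear.
server {
    listen 80;
    server_name 192.168.20.32;
    root /opt/bap-backend/public;

    location ~ ^/(admin|config)(/|$) {
        return 301 https://$host$request_uri;
    }

    passenger_enabled on;
}

server {
    listen 443 ssl;
    server_name 192.168.20.32;
    root /opt/bap-backend/public;

    ssl_certificate     /opt/certificate/server.crt;
    ssl_certificate_key /opt/certificate/server.key;

    # Posted:  ssl_protocols SSLv2 SSLv3 TLSv1;
    #          ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # Those admit SSLv2/SSLv3 and export, LOW and RC4 ciphers. Replacement:
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    # Posted:  location / { proxy_set_header X-FORWARDED_PROTO $scheme; }
    # proxy_set_header only applies to proxy_pass backends. For Passenger 3,
    # pass the scheme as a CGI variable so Rails knows the request was HTTPS.
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;

    passenger_enabled on;
}
```

With this in place the Rails side can enforce the policy per path (for example `force_ssl` in the admin and config controllers); the port-80 redirect is defense in depth, not a substitute for it, because the Android client should be configured to call the https:// URLs directly.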