Wednesday, August 30, 2017

nginx proxy_pass 502 Bad gateway

I use proxy_pass to proxy local API requests to our dev servers, with something like:

proxy_pass https://dev-server.com/api;

All of a sudden, it stopped working with a "502 Bad Gateway" error in the browser DevTools network tab. However, I could still access https://dev-server.com/api directly in a web browser.

It was obvious that the nginx upstream connection was failing for some reason. I googled a lot, and most discussions related to nginx configuration. However, I hadn't changed anything in the nginx configuration before it stopped working. Had something happened on the API server side?

Yes, our API server had turned off TLSv1.0 due to security concerns. I checked my local nginx and OpenSSL versions, and realized we had 2 options:
1. Upgrade the OpenSSL version
2. Roll back the API server changes to allow TLSv1.0

$ /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.0.15

$ openssl version -a
OpenSSL 0.9.8zh 14 Jan 2016
built on: Jan 23 2017
platform: darwin64-x86_64-llvm
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(idx)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
OPENSSLDIR: "/System/Library/OpenSSL"

How to enable TLSv1.2 in nginx?
https://askubuntu.com/questions/319192/how-to-enable-tls-1-2-in-nginx

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
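
The diagnosis above can be scripted. This is an added example, not code from the original post: it checks whether an `openssl version` line names a release with TLS 1.2 support and, on request, probes which protocol versions the upstream accepts. It assumes the `openssl` binary reports the same library version nginx is linked against; the script name `check.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).

# openssl_supports_tls12 "<output of: openssl version>"
# returns 0 if the release is 1.0.1 or later (has TLS 1.1/1.2),
#         1 if it is older (TLS 1.0 at best),
#         2 if the string is not an "OpenSSL x.y.z" line (e.g. LibreSSL).
openssl_supports_tls12() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1=major $2=minor $3=patch
    if [ "$1" -gt 1 ]; then
        return 0
    fi
    if [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; }; then
        return 0
    fi
    return 1
}

# probe_upstream HOST [PORT]
# Attempts one handshake per protocol version and prints the outcome, relying
# on s_client's non-zero exit status when the handshake fails. A version the
# local openssl cannot or will not offer also shows up as "failed".
probe_upstream() {
    host=$1
    port=${2:-443}
    for flag in tls1 tls1_1 tls1_2; do
        if openssl s_client "-$flag" -connect "$host:$port" \
            </dev/null >/dev/null 2>&1; then
            echo "$flag: handshake ok"
        else
            echo "$flag: failed"
        fi
    done
}

# Only touch the network when asked: sh check.sh --probe dev-server.com
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    if openssl_supports_tls12 "$(openssl version)"; then
        echo "local OpenSSL can speak TLS 1.2"
    else
        echo "local OpenSSL cannot speak TLS 1.2 (or is not OpenSSL)"
    fi
    probe_upstream "$2" "${3:-443}"
fi
```

Note that `ssl_protocols` governs the connections nginx accepts from clients; the protocols nginx offers to a proxied HTTPS upstream are set with `proxy_ssl_protocols`, which is available from nginx 1.5.6.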

1 comment:

  1. To have support for TLS 1.2 you need OpenSSL version 1.0.2 or 1.0.1. If you have only 1.0.0 or 0.9.8 you need to upgrade your OpenSSL. OpenSSL 0.9.8 is an open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
