
I am trying to configure nginx (installed via macports) on my osx development machine. I am trying to reverse proxy localhost:12346/trade to a websocket connection which is available on port 12346 at /trade on a remote machine.

I am using the following nginx.conf file. It works when the SSL SECTION is commented out, but nginx will not start properly when it is uncommented. I have modeled the conf file on other questions and answers here, and from other sites. I've tried it 20 different ways, but as soon as I uncomment any of the SSL related lines, nginx won't start.

```nginx
worker_processes  1;

events {
  worker_connections 20;
}

error_log /opt/local/etc/nginx/debug.log debug;

http {
  include       mime.types;
  default_type  application/octet-stream;

  #
  # Some default configuration.
  #
  sendfile           on;
  tcp_nopush         on;
  keepalive_timeout  65;

  #
  # A list with load balancing backends hashed on IP for sticky load balancing.
  #
  upstream backend {
    # ip_hash;

    server 123.456.78.90:12346;
  }

  server {
    listen       12346; # becomes "listen 12346 ssl;" when the SSL section is un-commented
    server_name  localhost;

    # SSL SECTION
    # ssl on;
    # ssl_certificate /opt/local/etc/nginx/server.crt;
    # ssl_certificate_key /opt/local/etc/nginx/server.key;
    # ssl_session_cache  builtin:1000  shared:SSL:10m;
    #
    # ssl_session_timeout 5m;
    # ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    # ssl_prefer_server_ciphers   on;
    # END SSL SECTION

    #
    # Proxy settings
    #
    location /trade {
      # No URI part after the upstream name: with "http://backend/" nginx
      # would replace the matched /trade prefix with "/", and the remote
      # machine would receive "/" instead of "/trade".
      proxy_pass http://backend;
      proxy_redirect      off;
      proxy_set_header    Host              $host;
      proxy_set_header    X-Real-IP         $remote_addr;
      proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto $scheme;

      # WebSocket specific
      proxy_http_version 1.1;
      proxy_set_header    Upgrade           $http_upgrade;
      proxy_set_header    Connection        "upgrade";

      #
      # Specific for comet or long running HTTP requests, don't buffer up the
      # response from origin servers but send them directly to the client.
      #
      proxy_buffering     off;

      #
      # Bump the timeouts to something sensible so our connections don't
      # disconnect automatically. Read/send are set to 12 hours. A bare number
      # is seconds in nginx (43200000 would be 500 days), and
      # proxy_connect_timeout cannot exceed 75 seconds.
      #
      proxy_connect_timeout 75s;
      proxy_read_timeout    12h;
      proxy_send_timeout    12h;
    }
  }
}
```

Can anyone spot what I am doing wrong?

domoarigato
  • Did you set the ssl option in the listen directive when uncommenting the SSL part? – Xavier Lucas Oct 20 '14 at 14:15
  • Yes, doesn't change anything. Additionally, nothing gets dumped to the error log file in any case. – domoarigato Oct 20 '14 at 15:07
  • What does the error log say? Are you sure your certificate and key are ok (check with OpenSSL)? What's OpenSSL's result if you set the cipher list from the command line? If using the ssl option with listen, remove `ssl on;`. – Xavier Lucas Oct 20 '14 at 15:11
  • The error log is empty. I have tried it with `ssl on;` and not using ssl in the listen directive, and vice versa. Not sure how to set the cipher list from the command line using MacPorts. The command to start nginx is `sudo port load nginx`. The ssl cert works with many other servers, though it is self signed. – domoarigato Oct 20 '14 at 15:21
  • Can't help you much about mac stuff, kind of a hater. On non-commercial unix distros (here we go hehe), you could check that with `openssl ciphers`. But IMO it's probably an issue with your certificate and key, you should check them with OpenSSL too (`openssl x509 -in server.crt -text -noout` & `openssl rsa -in server.key -text -noout`). Did you also make sure to put both primary and chain certificate in the crt file as explained by [the documentation](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate)? – Xavier Lucas Oct 20 '14 at 15:42
  • Did the openssl commands - not sure what I'd be looking for, but they both resulted in a long list of stuff (that's a technical term) in which I recognized that I am using SHA1. I did see that the docs say you should use a pem format certificate, so I tried that too. Nothing. – domoarigato Oct 20 '14 at 16:03

1 Answer

Figured it out. With MacPorts you have to explicitly install nginx with ssl support using `sudo port install nginx +ssl`. Stupid, I know - why would you ever install it without, and why would your flag start with +...

domoarigato
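The answer points at the build rather than the config: an nginx binary compiled without the HTTP SSL module does not know the `ssl_*` directives at all, so the config is rejected as soon as they are uncommented. As an added example (not code from the question or answer), this Python script checks both things a practitioner would want before blaming the certificate: whether the installed binary lists `--with-http_ssl_module` in its `nginx -V` output, and whether the TLS directives in the config are consistent with each other (certificate and key both set, TLS actually enabled on the `listen` line, no redundant `ssl on;`). The `nginx -V` sample is constructed; the config path is the MacPorts one from the question.

```python
"""Diagnose why an nginx config that enables TLS refuses to start."""
import re
import shutil
import subprocess

# Constructed sample of `nginx -V` output for a build WITHOUT the SSL module
# (what a plain MacPorts install without +ssl looks like); not a real capture.
SAMPLE_NGINX_V_NO_SSL = """nginx version: nginx/1.6.2
built by clang 6.0
configure arguments: --prefix=/opt/local --with-http_gzip_static_module
"""

NGINX_CONF = "/opt/local/etc/nginx/nginx.conf"  # path used in the question


def built_with_ssl(nginx_v_output: str) -> bool:
    """True if the configure arguments include the HTTP SSL module."""
    return "--with-http_ssl_module" in nginx_v_output


def ssl_config_issues(conf_text: str) -> list:
    """Return human-readable problems with the TLS directives in a config."""
    # Drop everything after '#' so commented-out directives are ignored,
    # exactly as nginx itself ignores them.
    text = "\n".join(ln.split("#", 1)[0] for ln in conf_text.splitlines())
    has_cert = re.search(r"^\s*ssl_certificate\s", text, re.M) is not None
    has_key = re.search(r"^\s*ssl_certificate_key\s", text, re.M) is not None
    listen_ssl = re.search(r"^\s*listen\s[^;]*\bssl\b", text, re.M) is not None
    ssl_on = re.search(r"^\s*ssl\s+on\s*;", text, re.M) is not None
    issues = []
    if has_cert != has_key:
        issues.append("ssl_certificate and ssl_certificate_key must both be set")
    if (has_cert or has_key) and not (listen_ssl or ssl_on):
        issues.append("certificate configured but TLS never enabled: add ssl to listen")
    if listen_ssl and ssl_on:
        issues.append("ssl on; is redundant with listen ... ssl")
    return issues


def nginx_binary_report() -> str:
    """Run the installed nginx (if any) and report whether it can serve TLS."""
    exe = shutil.which("nginx")
    if exe is None:
        return "nginx not found on PATH"
    # nginx -V prints its build information on stderr, not stdout.
    out = subprocess.run([exe, "-V"], capture_output=True, text=True).stderr
    if built_with_ssl(out):
        return "ssl module present"
    return "ssl module MISSING: rebuild with SSL (MacPorts: sudo port install nginx +ssl)"


if __name__ == "__main__":
    print(nginx_binary_report())
    with open(NGINX_CONF) as fh:
        for issue in ssl_config_issues(fh.read()):
            print("config:", issue)
```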