1

I am trying to troubleshoot 502 Bad Gateway errors logged by nginx (used as a load balancer) when communicating with our back-end Apache application servers. The nginx proxy_pass module is being used to configure nginx as a reverse proxy to a cluster of Apache servers, and when capturing traffic via tcpdump I am unable to decrypt the HTTPS communication between nginx and Apache because the cipher suite in Wireshark is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and I do not have the ephemeral Diffie-Hellman pre-master key.

(The issue I am trying to debug is "upstream prematurely closed connection while reading response header from upstream" seen in nginx error log when there's no corresponding error in the Apache logs, making me suspect network issues causing the connection to be closed prematurely, or something)

Is there a way to make Nginx log the Diffie-Hellman pre-master key when communicating with a proxy_pass backend over SSL? If not, is there any way to decrypt / debug this traffic?

Josh

1 Answer

0

Since you control everything here why not just change it to a plaintext HTTP connection and try to repeat the issue?

Alternatively change to a simpler non-DHE cipher.

Barry Pollard
  • I can't change to HTTP as this violates company security policy. Changing to a non-DHE cipher is what I am going to try next, as per https://stackoverflow.com/questions/14881039/how-to-read-ssl-tls-encrypted-alert-code-under-ephemeral-rsa – Josh May 21 '18 at 18:48
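As an added illustration of the answer's second suggestion (this is not configuration from the thread or from the nginx project), the nginx-side change pins the proxy_pass leg to a static-RSA cipher suite so that the handshake can be decrypted in Wireshark with the Apache server's RSA private key instead of an ephemeral secret. The upstream name, addresses, hostnames and certificate paths are placeholders; `proxy_pass`, `proxy_ssl_protocols`, `proxy_ssl_ciphers` and `proxy_ssl_session_reuse` are real ngx_http_proxy_module directives.

```nginx
# Added example (not from the original thread): force the nginx -> Apache
# leg onto a non-(EC)DHE suite for a debugging window. RSA key exchange
# has no forward secrecy, so revert once the 502s are understood.
upstream apache_backend {                # placeholder upstream name
    server 10.0.0.11:443;                # constructed addresses
    server 10.0.0.12:443;
}

server {
    listen 443 ssl;
    server_name lb.example.com;          # placeholder

    ssl_certificate     /etc/nginx/tls/lb.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/lb.key;

    location / {
        proxy_pass https://apache_backend;

        # TLS 1.2 only: TLS 1.3 offers no static-RSA suites, so a 1.3
        # session could never be decrypted from the server key alone.
        proxy_ssl_protocols TLSv1.2;

        # OpenSSL name of TLS_RSA_WITH_AES_256_GCM_SHA384. The pre-master
        # secret travels encrypted to the Apache RSA key, which is what
        # Wireshark's "RSA keys list" needs to decrypt the stream.
        proxy_ssl_ciphers AES256-GCM-SHA384;

        # Disable session resumption so every captured connection carries
        # a full handshake; a resumed session has no ClientKeyExchange and
        # cannot be decrypted from the key alone.
        proxy_ssl_session_reuse off;
    }
}
```

For this to work the Apache side must also allow the suite in its `SSLCipherSuite`, and the Apache private key must be exportable (a key held in an HSM or similar cannot be loaded into Wireshark). After reloading, a fresh tcpdump capture should show `TLS_RSA_WITH_AES_256_GCM_SHA384` in the ServerHello, and with the key loaded Wireshark will expose the HTTP request and response headers around the "upstream prematurely closed connection" event.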