I am developing an application against a remote https web service. While developing I need to proxy requests from my local development server (running nginx on ubuntu) to the remote https web server. Here is the relevant nginx config:
    server {
        server_name project.dev;
        listen 443;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        location / {
            proxy_pass https://remote.server.com;
            proxy_set_header Host remote.server.com;
            proxy_redirect off;
        }
    }
The problem is that the remote HTTPS server can only accept connections over SSLv3, as can be seen from the following openssl calls.
Not working:
    $ openssl s_client -connect remote.server.com:443
    CONNECTED(00000003)
    139849073899168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 226 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
Working:
    $ openssl s_client -connect remote.server.com:443 -ssl3
    CONNECTED(00000003)
    <snip>
    ---
    SSL handshake has read 1562 bytes and written 359 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : SSLv3
    Cipher : RC4-SHA
    <snip>
With the current setup my nginx proxy gives a 502 Bad Gateway when I connect to it in a browser. Enabling debug in the error log I can see the message: [info] 1451#0: *16 peer closed connection in SSL handshake while SSL handshaking to upstream.
I tried adding ssl_protocols SSLv3; to the nginx configuration but that didn't help.
Does anyone know how I can set this up to work correctly?
Edit - additional requested info added:
Running on Ubuntu 12.04 with OpenSSL version:
    $ openssl version
    OpenSSL 1.0.1 14 Mar 2012
The solution
The solution, as provided by @Christopher Perrin below, is to downgrade openssl to 1.0.0. Here are the commands that successfully did this for me (on Ubuntu 12.04 running on AMD64):
    wget http://launchpadlibrarian.net/81976289/openssl_1.0.0e-2ubuntu4_amd64.deb
    sudo dpkg -i openssl_1.0.0e-2ubuntu4_amd64.deb
    wget http://launchpadlibrarian.net/81976290/libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
    sudo dpkg -i libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
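
The two s_client transcripts in the question differ in a handful of fields that can be checked mechanically. As an added example (not part of the original post), this Python script parses such output and lists the legacy parameters the upstream negotiated; the sample strings are constructed, abridged copies of the transcripts, and the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the two s_client transcripts in the post.
FAILED = """SSL handshake has read 0 bytes and written 226 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""
SSL3_OK = """SSL handshake has read 1562 bytes and written 359 bytes
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
Protocol : SSLv3
Cipher : RC4-SHA
"""

def parse_s_client(text):
    """Extract handshake facts from `openssl s_client` output (hypothetical helper)."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None
    cipher = grab(r"Cipher is (\S+)")
    info = {
        "bytes_read": grab(r"^SSL handshake has read (\d+) bytes", int),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": None if cipher == "(NONE)" else cipher,
        "key_bits": grab(r"^Server public key is (\d+) bit", int),
        "secure_reneg": "Secure Renegotiation IS supported" in text,
    }
    info["handshake_ok"] = info["cipher"] is not None and bool(info["bytes_read"])
    return info

def findings(info):
    """List legacy parameters an auditor would flag for this upstream."""
    if not info["handshake_ok"]:
        return ["handshake failed: no cipher negotiated"]
    out = []
    if info["protocol"] == "SSLv3":
        out.append("SSLv3 negotiated (deprecated by RFC 7568)")
    if info["cipher"] and "RC4" in info["cipher"]:
        out.append("RC4 cipher suite (prohibited by RFC 7465)")
    if info["key_bits"] and info["key_bits"] < 2048:
        out.append("server key is %d bit, below 2048" % info["key_bits"])
    if not info["secure_reneg"]:
        out.append("no secure renegotiation (RFC 5746)")
    return out

print(findings(parse_s_client(SSL3_OK)))
```
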