Nginx with SSL doesn't send HTTP response until server stops.
Umayahara, Ryu
ryuumayahara@gmail.com
Mon Sep 17 14:32:00 GMT 2018
Hi All,
I tried to configure an SSL reverse proxy server with Nginx,
and I noticed strange behavior.
nginx/Windows-1.14.0 works as expected,
but nginx/Cygwin-1.14.0-1 doesn't work as expected.
The details are as follows.
Test Patterns and Results:
------------------------------------------------------------
Test Patterns:
1. reverse proxy server (http -> http)
   http://www.example.com/ -> http://93.184.216.34/
2. reverse proxy server (http -> https)
   http://www.example.net/ -> https://93.184.216.34/
3. reverse proxy server (https -> http)
   https://www.example.com/ -> http://93.184.216.34/
4. reverse proxy server (https -> https)
   https://www.example.net/ -> https://93.184.216.34/
5. web server (http)
   http://www.example.edu/index.html
6. web server (https)
   https://www.example.edu/index.html

Test Results (Server: nginx/Cygwin-1.14.0-1):
1. Nginx sends HTTP response as expected.
2. Nginx sends HTTP response as expected.
3. Nginx doesn't send HTTP response until server stops.
4. Nginx doesn't send HTTP response until server stops.
5. Nginx sends HTTP response as expected.
6. Nginx doesn't send HTTP response until server stops.

Test Results (Server: nginx/Windows-1.14.0):
1. Nginx sends HTTP response as expected.
2. Nginx sends HTTP response as expected.
3. Nginx sends HTTP response as expected.
4. Nginx sends HTTP response as expected.
5. Nginx sends HTTP response as expected.
6. Nginx sends HTTP response as expected.
------------------------------------------------------------
Steps to reproduce:
------------------------------------------------------------
OS: Windows 10 Pro (64bit)
Web browser: Chrome 68 (64bit)
A-1) Start Nginx
$ /usr/sbin/nginx -c /etc/nginx/nginx.conf_www.example.org_cygwin
A-2) Access https://www.example.edu/index.html
Wireshark packet capture results (nginx/Cygwin-1.14.0-1):
Chrome                                      Nginx
|                                               |
| TCP(SYN)                                      |
|---------------------------------------------->|
| TCP(SYN+ACK)                                  |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TLSv1.2(Client Hello)                         |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| TLSv1.2(Server Hello, Certificate)            |
|<----------------------------------------------|
| TLSv1.2(Server Key Exchange,                  |
|         Server Hello Done)                    |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TLSv1.2(Client Key Exchange,                  |
|         Client Cipher Spec,                   |
|         Finished)                             |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| HTTP(GET /index.html HTTP/1.1)                |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| TLSv1.2(New Session Ticket,                   |
|         Change Cipher Spec,                   |
|         Finished)                             |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
|                                               |
| A-3) No response from Nginx.                  |
|      Stop Nginx.                              |
|                                               |
|      $ /usr/sbin/nginx -s stop                |
|                                               |
|      Nginx sends HTTP response.               |
| HTTP(HTTP/1.1 200 OK)                         | *
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TLSv1.2(Alert (Level: Warning,                |
|         Description: Close Notify))           |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TCP(FIN+ACK)                                  |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TCP(FIN+ACK)                                  |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
|                                               |
B-1) Start Nginx
C:\nginx-1.14.0>start nginx -c C:\nginx-1.14.0\conf\nginx.conf_www.example.org_windows
B-2) Access https://www.example.edu/index.html
Wireshark packet capture results (nginx/Windows-1.14.0):
Chrome                                      Nginx
|                                               |
| TCP(SYN)                                      |
|---------------------------------------------->|
| TCP(SYN+ACK)                                  |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TLSv1.2(Client Hello)                         |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| TLSv1.2(Server Hello, Certificate)            |
|<----------------------------------------------|
| TLSv1.2(Server Key Exchange,                  |
|         Server Hello Done)                    |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| TLSv1.2(Client Key Exchange,                  |
|         Client Cipher Spec,                   |
|         Finished)                             |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| HTTP(GET /index.html HTTP/1.1)                |
|---------------------------------------------->|
| TCP(ACK)                                      |
|<----------------------------------------------|
| TLSv1.2(New Session Ticket,                   |
|         Change Cipher Spec,                   |
|         Finished)                             |
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
| HTTP(HTTP/1.1 200 OK)                         | *
|<----------------------------------------------|
| TCP(ACK)                                      |
|---------------------------------------------->|
|                                               |
------------------------------------------------------------
/cygdrive/c/Windows/System32/drivers/etc/hosts:
------------------------------------------------------------
127.0.0.1 www.example.org
127.0.0.2 example.com
127.0.0.3 example.edu
127.0.0.4 example.net
127.0.0.5 example.org
127.0.0.6 www.example.com
127.0.0.7 www.example.edu
127.0.0.8 www.example.net
------------------------------------------------------------
/etc/nginx/nginx.conf_www.example.org_cygwin:
------------------------------------------------------------
worker_processes 5;

events {
    worker_connections 1024;
}

http {
    # www.example.com (HTTP -> HTTP)
    server {
        listen 127.0.0.6:80;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass http://93.184.216.34/;
        }
    }

    # www.example.net (HTTP -> HTTPS)
    server {
        listen 127.0.0.8:80;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass https://93.184.216.34/;
        }
    }

    # www.example.com (HTTPS -> HTTP)
    server {
        listen 127.0.0.6:443 ssl;
        # Multi Domain SSL Certificate
        ssl_certificate /etc/nginx/www.example.org.cer;
        ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass http://93.184.216.34/;
        }
    }

    # www.example.net (HTTPS -> HTTPS)
    server {
        listen 127.0.0.8:443 ssl;
        # Multi Domain SSL Certificate
        ssl_certificate /etc/nginx/www.example.org.cer;
        ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass https://93.184.216.34/;
        }
    }

    # www.example.edu (HTTP)
    server {
        listen 127.0.0.7:80;
    }

    # www.example.edu (HTTPS)
    server {
        listen 127.0.0.7:443 ssl;
        # Multi Domain SSL Certificate
        ssl_certificate /etc/nginx/www.example.org.cer;
        ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
    }
}
------------------------------------------------------------
/cygdrive/c/nginx-1.14.0/conf/nginx.conf_www.example.org_windows:
------------------------------------------------------------
$ diff /etc/nginx/nginx.conf_www.example.org_cygwin /cygdrive/c/nginx-1.14.0/conf/nginx.conf_www.example.org_windows
33,34c33,34
< ssl_certificate /etc/nginx/www.example.org.cer;
< ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
---
> ssl_certificate C:/nginx-1.14.0/conf/www.example.org.cer;
> ssl_certificate_key C:/nginx-1.14.0/conf/www.example.org.key.nopass;
48,49c48,49
< ssl_certificate /etc/nginx/www.example.org.cer;
< ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
---
> ssl_certificate C:/nginx-1.14.0/conf/www.example.org.cer;
> ssl_certificate_key C:/nginx-1.14.0/conf/www.example.org.key.nopass;
68,69c68,69
< ssl_certificate /etc/nginx/www.example.org.cer;
< ssl_certificate_key /etc/nginx/www.example.org.key.nopass;
---
> ssl_certificate C:/nginx-1.14.0/conf/www.example.org.cer;
> ssl_certificate_key C:/nginx-1.14.0/conf/www.example.org.key.nopass;
------------------------------------------------------------
Other information:
------------------------------------------------------------
$ uname -a
CYGWIN_NT-10.0 DESKTOP-FJ1M9IS 2.11.1(0.329/5/3) 2018年09月05日 10:24 x86_64 Cygwin
$ /usr/sbin/nginx -V
nginx version: nginx/1.14.0
built with OpenSSL 1.0.2o 27 Mar 2018
TLS SNI support enabled
configure arguments:
--prefix=/usr/share/nginx
--sbin-path=/usr/sbin/nginx.exe
--modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--lock-path=/var/run/nginx.lock
--pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--with-http_ssl_module
--with-http_v2_module
--with-http_realip_module
--with-http_addition_module
--with-http_xslt_module=dynamic
--with-http_image_filter_module=dynamic
--with-http_geoip_module=dynamic
--with-http_sub_module
--with-http_dav_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_auth_request_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_degradation_module
--with-http_slice_module
--with-http_stub_status_module
--with-http_perl_module=dynamic
--with-mail=dynamic
--with-mail_ssl_module
--with-pcre
--with-pcre-jit
--with-stream
--with-stream_geoip_module=dynamic
--with-stream_realip_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
--with-ipv6
--with-cc-opt='-DFD_SETSIZE=2048 -D_GNU_SOURCE'
------------------------------------------------------------
C:\nginx-1.14.0>nginx -V
nginx version: nginx/1.14.0
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.0.2o 27 Mar 2018
TLS SNI support enabled
configure arguments:
--with-cc=cl
--builddir=objs.msvc8
--with-debug
--prefix=
--conf-path=conf/nginx.conf
--pid-path=logs/nginx.pid
--http-log-path=logs/access.log
--error-log-path=logs/error.log
--sbin-path=nginx.exe
--http-client-body-temp-path=temp/client_body_temp
--http-proxy-temp-path=temp/proxy_temp
--http-fastcgi-temp-path=temp/fastcgi_temp
--http-scgi-temp-path=temp/scgi_temp
--http-uwsgi-temp-path=temp/uwsgi_temp
--with-cc-opt=-DFD_SETSIZE=1024
--with-pcre=objs.msvc8/lib/pcre-8.42
--with-zlib=objs.msvc8/lib/zlib-1.2.11
--with-select_module
--with-http_v2_module
--with-http_realip_module
--with-http_addition_module
--with-http_sub_module
--with-http_dav_module
--with-http_stub_status_module
--with-http_flv_module
--with-http_mp4_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_auth_request_module
--with-http_random_index_module
--with-http_secure_link_module
--with-http_slice_module
--with-mail
--with-stream
--with-openssl=objs.msvc8/lib/openssl-1.0.2o
--with-openssl-opt=no-asm
--with-http_ssl_module
--with-mail_ssl_module
--with-stream_ssl_module
------------------------------------------------------------
Is there anything wrong with my configuration file?
Regards,
Ryu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cygcheck.out
Type: application/octet-stream
Size: 69974 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20180917/9a0e84cc/attachment.obj>