Ich habe ein Problem beim Versuch, ein Zertifikat zu überschreiben, indem ich NGINX als Reverse-Proxy verwende und alle Anfragen an einen Apache-Server mit einem alten Zertifikat (TLS 1.0) weiterleite.
Dies ist die Ausgabe für meine .conf-Datei:
server {
listen 80;
server_name provision.metrotel.com.ar;
return 301 https://provision.metrotel.com.ar$request_uri;
}
server {
listen 443 ssl http2;
server_name provision.metrotel.com.ar;
ssl_certificate /etc/nginx/certs/metrotel.crt;
ssl_certificate_key /etc/nginx/certs/metrotel.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error_prov.log;
location / {
proxy_pass http://prov.metrotel.com.ar/;
proxy_ssl_certificate /etc/nginx/certs/metrotel.crt;
proxy_ssl_certificate_key /etc/nginx/certs/metrotel.key;
}
}
http://prov.metrotel.com.ar/ist der Server, auf dem sich die Website befindet, und er hat ein altes Zertifikat. Gibt es eine Möglichkeit, dieses Zertifikat zu überschreiben, indem ich das Zertifikat verwende, das ich in meinem Nginx-Reverse-Proxy habe?
Ich habe mehrere Optionen ausprobiert, aber ich bekomme immer das"NET::ERR_SSL_OBSOLETE_VERSION"
Client Chrome auf (172.20.1.4)
Proxy (Nginx auf srv-nginx-a.metrotel.local -192.168.151.112)
Backend (prov.metrotel.com.ar) 192.168.59.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0
11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535
11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0
11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152
11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0
11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51
11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0
11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713
11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0
11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460,sackOK,TS val
180831520 ecr 0,nop,wscale 7], length 0
11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 5792, options [mss 1460,sackOK,TS val 3558238853 ecr 180831520,nop,wscale 7], length 0
11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 0
11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0
11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0
11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831521 ecr 3558238854], length 0
11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895
11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190:
Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0
11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713
11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460,sackOK,TS val 180831594 ecr 0,nop,wscale 7], length 0
11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 5792, options [mss 1460,sackOK,TS val 3558238928 ecr 180831594,nop,wscale 7], length 0
11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 0
11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0
11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0
11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0
11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0
11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831596 ecr 3558238928], length 0
11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895
11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 180831596], length 0
11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0
Antwort1
Versuchen Sie, TLS1.2 und 1.3 zu aktivieren, indem Sie ssl_protocols TLSv1.2 TLSv1.3;Ihrem serverAbschnitt Folgendes hinzufügen:
server {
listen 80;
server_name provision.metrotel.com.ar;
return 301 https://provision.metrotel.com.ar$request_uri;
ssl_protocols TLSv1.2 TLSv1.3;
}
Antwort2
Bei Wireshark PCAP ist die Verbindung zwischen Client (Chrome) und Proxy (Nginx) TLS 1.2. Der andere Teil (Nginx-Apache altes TLS) ist nur HTTP. Der Proxy funktioniert einwandfrei, es gibt „keine“ Verbindung zwischen Client und Server, der Proxy ist immer in der Mitte.