ssl not allowed here #75

Open
jgn opened this Issue Jun 1, 2013 · 4 comments

Comments

Projects
None yet
2 participants

jgn commented Jun 1, 2013

I have an nginx configuration that needs to support multiple server names: All with HTTPS.

The nginx manual suggests that the SSL directives should be centralized, and that each server should use a different IP. (http://nginx.org/en/docs/http/configuring_https_servers.html - "The oldest and most robust method to resolve the issue is to assign a separate IP address for every HTTPS server"

When I include the tcp/server block for the tcp_proxy_module, I get:

Starting nginx: nginx: [emerg] "ssl" directive is not allowed here in /etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:10

For this case see: https://github.com/jgn/tcp_proxy/tree/master/case_1

I have tried duplicating the SSL config down to the tcp block (with a different name for the session cache). Then I get:

Starting nginx: nginx: [emerg] "ssl_session_cache" directive is not allowed here in /etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:3

For this case see: https://github.com/jgn/tcp_proxy/tree/master/case_2

What am I missing?

nginx version: 1.2.9
tcp_proxy is built off of master.

FYI, here's how I build it.

#!/bin/bash
echo "----- PASSENGER AND NGINX -----"

# PASSENGER_VERSION=4.0.5
# NGINX_VERSION=1.4.1
# TCP_PROXY_HASH=9677e00  # master as of 31-May-2013

PASSENGER_VERSION=3.0.21
NGINX_VERSION=1.2.9
TCP_PROXY_HASH=9677e00  # master as of 31-May-2013

source /etc/profile.d/ruby.sh

sudo yum -q -y install curl-devel
sudo yum -q -y install pcre-devel

cd /tmp
sudo gem install passenger -v $PASSENGER_VERSION --no-ri --no-rdoc

mkdir nginx_tcp_proxy_module
cd nginx_tcp_proxy_module
wget -q https://github.com/yaoweibin/nginx_tcp_proxy_module/tarball/$TCP_PROXY_HASH -O - | tar --strip-components=1 -xz
cd ..

wget -q -c http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz
tar -xzf nginx-$NGINX_VERSION.tar.gz
cd nginx-$NGINX_VERSION/
patch -p1 < /tmp/nginx_tcp_proxy_module/tcp.patch
# sudo required here because Passenger tree is owned by root
sudo bash -c "export PATH=\$PATH:/opt/ruby/bin; ./configure --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-cc-opt='-Wno-error' --add-module=/tmp/nginx_tcp_proxy_module --add-module=`passenger-config --root`/ext/nginx --prefix=/opt/nginx --user=nobody"
sudo make install

sudo cp ~/setup/etc-puppet/modules/nginx/files/etc-init.d-nginx /etc/init.d/nginx
sudo chmod +x /etc/init.d/nginx
sudo ln -s /opt/nginx/conf /etc/nginx
sudo ln -s /opt/nginx/sbin/nginx /usr/sbin/
sudo /sbin/chkconfig --add nginx
sudo /sbin/chkconfig nginx on
sudo /sbin/service nginx start

jgn commented Jun 1, 2013

In a much simpler setup, I have a lot of the ssl in place and it works. In case 2 above, if I remove the ssl cache line, I still get

Starting nginx: nginx: [emerg] "ssl_certificate" directive is not allowed here in /etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:6

Here's the working config (I think you helped me get this one right in an earlier ticket!).

For the more complex configs, If I put the ssl directives in the server block as below, then I still get: Starting nginx: nginx: [emerg] "ssl" directive is not allowed here in /etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:14

http {
  passenger_root /opt/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.12;
  passenger_ruby /opt/ruby/bin/ruby;
  passenger_max_pool_size          <%= passengers %>;
  passenger_min_instances          <%= passengers %>;
  passenger_max_instances_per_app  <%= passengers %>;
  passenger_pool_idle_time         0;

  include mime.types;
  default_type application/octet-stream;
  sendfile on;

  client_max_body_size 4M;

  keepalive_timeout  65;

  ssl_session_cache shared:SSL:5m;
  ssl_session_timeout 5m;

  server {
    server_name <%= rails_environment %>.icisapp.com;
    listen 80;
    rewrite ^ https://$server_name$request_uri? redirect;
  }

  server {
    server_name <%= rails_environment %>.icisapp.com;
    listen 443;
    root /home/deployer/apps/icis/<%= rails_environment %>/current/public;
    access_log /var/www/<%= rails_environment %>.icisapp.com/logs/access.log;
    passenger_enabled on;
    rails_env <%= rails_environment %>;

    if (-f $document_root/system/maintenance.html) {
      rewrite ^(.*)$ /system/maintenance.html break;
    }

    ssl on;
    ssl_certificate     /etc/ssl/certs/STAR_icisapp_com.crt;
    ssl_certificate_key /etc/ssl/certs/STAR_icisapp_com.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location ~ ^/assets/ {
      root /home/deployer/apps/icis/<%= rails_environment %>/current/public;
      gzip_static on;
      expires max;
      add_header Cache-Control public;
    }
  }

  passenger_pre_start https://<%= rails_environment %>.icisapp.com/;
}

tcp {
  upstream websockets {
    server 127.0.0.1:<%= faye_port %>;
    check interval=3000 rise=2 fall=5 timeout=1000;
  }

  server {
    listen 8443;

    so_keepalive on;
    tcp_nodelay on;

    proxy_pass websockets;

    ssl on;
    ssl_certificate     /etc/ssl/certs/STAR_icisapp_com.crt;
    ssl_certificate_key /etc/ssl/certs/STAR_icisapp_com.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
  }
}

# http {
#   server {
#     listen 9000;
#
#     location /websocket_status {
#      check_status;
#     }
#   }
# }
Owner

yaoweibin commented Jun 4, 2013

It seems you use the old revision, can you try the v0.4.4:
https://github.com/yaoweibin/nginx_tcp_proxy_module/archive/v0.4.4.tar.gz

Thanks.

On 2013/6/2 5:02, John Norman wrote:

I have an nginx configuration that needs to support multiple server
names: All with HTTPS.

The nginx manual suggests that the SSL directives should be
centralized, and that each server should use a different IP.
(http://nginx.org/en/docs/http/configuring_https_servers.html - "The
oldest and most robust method to resolve the issue is to assign a
separate IP address for every HTTPS server"

When I include the tcp/server block for the tcp_proxy_module, I get:

Starting nginx: nginx: [emerg] "ssl" directive is not allowed here in
/etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:10

For this case see: https://github.com/jgn/tcp_proxy/tree/master/case_1

I have tried duplicating the SSL config down to the tcp block (with a
different name for the session cache). Then I get:

Starting nginx: nginx: [emerg] "ssl_session_cache" directive is not
allowed here in
/etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:3

For this case see: https://github.com/jgn/tcp_proxy/tree/master/case_2

What am I missing?

nginx version: 1.2.9
tcp_proxy is built off of master.

FYI, here's how I build it.

|#!/bin/bash
echo "----- PASSENGER AND NGINX -----"

PASSENGER_VERSION=4.0.5

NGINX_VERSION=1.4.1

TCP_PROXY_HASH=9677e00 # master as of 31-May-2013

PASSENGER_VERSION=3.0.21
NGINX_VERSION=1.2.9
TCP_PROXY_HASH=9677e00 # master as of 31-May-2013

source /etc/profile.d/ruby.sh

sudo yum -q -y install curl-devel
sudo yum -q -y install pcre-devel

cd /tmp
sudo gem install passenger -v $PASSENGER_VERSION --no-ri --no-rdoc

mkdir nginx_tcp_proxy_module
cd nginx_tcp_proxy_module
wget -q https://github.com/yaoweibin/nginx_tcp_proxy_module/tarball/$TCP_PROXY_HASH -O - | tar --strip-components=1 -xz
cd ..

wget -q -c http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz
tar -xzf nginx-$NGINX_VERSION.tar.gz
cd nginx-$NGINX_VERSION/
patch -p1 < /tmp/nginx_tcp_proxy_module/tcp.patch

sudo required here because Passenger tree is owned by root

sudo bash -c "export PATH=$PATH:/opt/ruby/bin; ./configure --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-cc-opt='-Wno-error' --add-module=/tmp/nginx_tcp_proxy_module --add-module=passenger-config --root/ext/nginx --prefix=/opt/nginx --user=nobody"
sudo make install

sudo cp ~/setup/etc-puppet/modules/nginx/files/etc-init.d-nginx /etc/init.d/nginx
sudo chmod +x /etc/init.d/nginx
sudo ln -s /opt/nginx/conf /etc/nginx
sudo ln -s /opt/nginx/sbin/nginx /usr/sbin/
sudo /sbin/chkconfig --add nginx
sudo /sbin/chkconfig nginx on
sudo /sbin/service nginx start
|


Reply to this email directly or view it on GitHub
#75.

Weibin Yao
Thanks.

jgn commented Jun 9, 2013

Still not working.

nginx: 1.2.9
TCP proxy at c76e4f (0.4.4)

I have repeated SSL blocks in a bunch of http blocks, to do reverse proxying.

Notice that there is already listening on 80 and 443; and the proxies use upstream 127.0.0.1:8080 and the like.

The latest: https://github.com/jgn/tcp_proxy/tree/master/case_3

Starting nginx: nginx: [emerg] "ssl" directive is not allowed here in /etc/nginx/top-level-includes/faye-vagrant.icisapp.com.conf:20
[FAILED]

https://github.com/jgn/tcp_proxy/blob/master/case_3/top-level-includes/faye-vagrant.icisapp.com.conf#L20

jgn commented Jun 9, 2013

P.S.

Notice that SSL is set for the host vagrant.icisapp.com for port 443.

BUT, what I am trying to do here is also have SSL for port 8443 (important for our app -- I would very much like to have the same hostname).

This works great when I am not doing all the reverse proxying: https://github.com/jgn/tcp_proxy/tree/master/works

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment