If you have a redirect set up in Aegir (say, to redirect example.com to www.example.com), and you are using nginx_ssl, browsers will not accept the SSL certificates, reporting ssl_error_rx_record_too_long.

I managed to resolve this by adding the SSL declarations to the redirect vhost. For example, this is what Aegir will produce:

server {
   listen      69.164.198.11:443;
   server_name example.com;
   rewrite ^ $scheme://www.example.com$request_uri? permanent;
}

server {
   include      /var/aegir/config/includes/fastcgi_ssl_params.conf;
   limit_conn   gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
   listen       69.164.198.11:443;
   server_name  www.example.com;
   root         /var/aegir/platforms/live/sac-7.9-16112011;
   ssl                         on;
   ssl_certificate             /var/aegir/config/server_example/ssl.d/www.example.com/openssl.crt;
   ssl_certificate_key         /var/aegir/config/server_example/ssl.d/www.example.com/openssl.key;
   ssl_protocols               SSLv3 TLSv1;
   ssl_ciphers                 HIGH:!ADH:!MD5;
   ssl_prefer_server_ciphers   on;
   keepalive_timeout           70;
   include      /var/aegir/config/includes/nginx_simple_include.conf;
}

Which doesn't work. This is what you need to do to get it to work (i.e. also add the SSL declarations to the redirect vhost):

server {
   listen      69.164.198.11:443;
   server_name example.com;
   rewrite ^ $scheme://www.example.com$request_uri? permanent;

   ssl                         on;
   ssl_certificate             /var/aegir/config/server_example/ssl.d/www.example.com/openssl.crt;
   ssl_certificate_key         /var/aegir/config/server_example/ssl.d/www.example.com/openssl.key;
   ssl_protocols               SSLv3 TLSv1;
   ssl_ciphers                 HIGH:!ADH:!MD5;
   ssl_prefer_server_ciphers   on;
}

server {
   include      /var/aegir/config/includes/fastcgi_ssl_params.conf;
   limit_conn   gulag 10; # like mod_evasive - this allows max 10 simultaneous connections from one IP address
   listen       69.164.198.11:443;
   server_name  www.example.com;
   root         /var/aegir/platforms/live/sac-7.9-16112011;
   ssl                         on;
   ssl_certificate             /var/aegir/config/server_example/ssl.d/www.example.com/openssl.crt;
   ssl_certificate_key         /var/aegir/config/server_example/ssl.d/www.example.com/openssl.key;
   ssl_protocols               SSLv3 TLSv1;
   ssl_ciphers                 HIGH:!ADH:!MD5;
   ssl_prefer_server_ciphers   on;
   keepalive_timeout           70;
   include      /var/aegir/config/includes/nginx_simple_include.conf;
}
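
As an added example (not part of the original post or of Aegir/Provision), here is a small Python check that flags the condition described above: a server block that listens on port 443 without its own SSL declarations. It assumes certificates are declared per server block, as in the vhosts shown; the function names and the shortened sample config are constructed for illustration.

```python
import re
# Constructed sample modelled on the vhosts in the post; cert paths are placeholders.
SAMPLE = """
server {
   listen      69.164.198.11:443;
   server_name example.com;
   rewrite ^ $scheme://www.example.com$request_uri? permanent;
}
server {
   listen       69.164.198.11:443;
   server_name  www.example.com;
   ssl                  on;
   ssl_certificate      /path/to/openssl.crt;
   ssl_certificate_key  /path/to/openssl.key;
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block (brace-matched)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments; '#' inside quotes not handled
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Map directive name -> list of argument strings (nested blocks are flattened)."""
    out = {}
    for stmt in re.split(r"[;{}]", body):
        if parts := stmt.split(None, 1):
            out.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return out

def plaintext_on_443(conf):
    """Return server_name of each :443 block lacking `ssl on;` (or `listen ... ssl`) plus cert and key."""
    flagged = []
    for body in server_blocks(conf):
        d = directives(body)
        listens = [a.split() for a in d.get("listen", []) if a]
        on_443 = any(re.search(r"(^|:)443$", a[0]) for a in listens)
        tls_on = "on" in d.get("ssl", []) or any("ssl" in a[1:] for a in listens)
        has_cert = "ssl_certificate" in d and "ssl_certificate_key" in d
        if on_443 and not (tls_on and has_cert):
            flagged.append(" ".join(d.get("server_name", ["<unnamed>"])))
    return flagged

if __name__ == "__main__": print(plaintext_on_443(SAMPLE))
```

Run against the generated vhost files, it lists the redirect vhosts that still need the SSL block.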

Comments

mrfelton

Status: Active » Needs review
FileSize: 1.41 KB

Attached patch resolves.

mrfelton

Slight problem with above patch. This one's better.

omega8cc

Version: 6.x-1.5 » 6.x-1.x-dev
Status: Needs review » Reviewed & tested by the community

Interesting, as we tested it before many times, however only with Chrome and Safari, and it worked very well without any such issues. If this fixes the problem for other browsers, that is fine.

Here is your patch, modified a bit to have the redirect directive after the SSL stuff in the server section and to fix a minor issue with vhost formatting; plus, it is for Provision 2.x:

http://gitorious.org/aegir/provision/commit/2d223d281414804717d44327f3b7...

omega8cc

Status: Reviewed & tested by the community » Needs work

I will submit a revised patch from #2 for 6.x-1.x shortly.

omega8cc

Status: Needs work » Needs review

Anonymous

Status: Needs review » Fixed

Committed, thanks to both of you!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit d8c9fde on 6.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by mig5:
    Issue #1346794 by mrfelton - Nginx SSL declarations need to be added to...
  • Commit 4c53f5c on 6.x-1.x, dev-drupal-8, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by mig5:
    Issue #1346794 by mrfelton - Nginx SSL declarations need to be added to...