Nginx with SSL doesn't send HTTP response until server stops.




Hi All,

I tried to configure an SSL reverse proxy server with Nginx,
and I noticed strange behavior.

nginx/Windows-1.14.0 works as expected.
But nginx/Cygwin-1.14.0-1 doesn't work as expected.

The details are as follows.

Test Patterns and Results:
------------------------------------------------------------
Test Patterns:
 1. reverse proxy server (http -> http)
    http://www.example.com/ -> http://93.184.216.34/
 2. reverse proxy server (http -> https)
    http://www.example.net/ -> https://93.184.216.34/
 3. reverse proxy server (https -> http)
    https://www.example.com/ -> http://93.184.216.34/
 4. reverse proxy server (https -> https)
    https://www.example.net/ -> https://93.184.216.34/
 5. web server (http)
    http://www.example.edu/index.html
 6. web server (https)
    https://www.example.edu/index.html

Test Results (Server: nginx/Cygwin-1.14.0-1):
 1. Nginx sends HTTP response as expected.
 2. Nginx sends HTTP response as expected.
 3. Nginx doesn't send HTTP response until the server stops.
 4. Nginx doesn't send HTTP response until the server stops.
 5. Nginx sends HTTP response as expected.
 6. Nginx doesn't send HTTP response until the server stops.

Test Results (Server: nginx/Windows-1.14.0):
 1. Nginx sends HTTP response as expected.
 2. Nginx sends HTTP response as expected.
 3. Nginx sends HTTP response as expected.
 4. Nginx sends HTTP response as expected.
 5. Nginx sends HTTP response as expected.
 6. Nginx sends HTTP response as expected.
------------------------------------------------------------

Steps to reproduce:
------------------------------------------------------------
OS: Windows 10 Pro (64bit)
Web browser: Chrome 68 (64bit)

A-1) Start Nginx
 $ /usr/sbin/nginx -c /etc/nginx/nginx.conf_www.example.org_cygwin

A-2) Access https://www.example.edu/index.html

 Wireshark packet capture results (nginx/Cygwin-1.14.0-1):

  Chrome                                      Nginx
  |                                               |
  | TCP(SYN)                                      |
  |---------------------------------------------->|
  |                                  TCP(SYN+ACK) |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  | TLSv1.2(Client Hello)                         |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  |            TLSv1.2(Server Hello, Certificate) |
  |<----------------------------------------------|
  |                  TLSv1.2(Server Key Exchange, |
  |                          Server Hello Done)   |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  | TLSv1.2(Client Key Exchange,                  |
  |         Client Cipher Spec,                   |
  |         Finished)                             |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  | HTTP(GET /index.html HTTP/1.1)                |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  |                   TLSv1.2(New Session Ticket, |
  |                           Change Cipher Spec, |
  |                           Finished)           |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  |                                               |
  |  A-3) No response from Nginx.                 |
  |       Stop Nginx.                             |
  |                                               |
  |  $ /usr/sbin/nginx -s stop                    |
  |                                               |
  |                    Nginx sends HTTP response. |
  |                         HTTP(HTTP/1.1 200 OK) | *
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  |           TLSv1.2(Alert (Level: Warning,      |
  |                   Description: Close Notify)) |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  |                                  TCP(FIN+ACK) |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  | TCP(FIN+ACK)                                  |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  |                                               |


B-1) Start Nginx
 C:\nginx-1.14.0>start nginx -c C:\nginx-1.14.0\conf\nginx.conf_www.example.org_windows

B-2) Access https://www.example.edu/index.html

 Wireshark packet capture results (nginx/Windows-1.14.0):

  Chrome                                      Nginx
  |                                               |
  | TCP(SYN)                                      |
  |---------------------------------------------->|
  |                                  TCP(SYN+ACK) |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  | TLSv1.2(Client Hello)                         |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  |            TLSv1.2(Server Hello, Certificate) |
  |<----------------------------------------------|
  |                  TLSv1.2(Server Key Exchange, |
  |                          Server Hello Done)   |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  | TLSv1.2(Client Key Exchange,                  |
  |         Client Cipher Spec,                   |
  |         Finished)                             |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  | HTTP(GET /index.html HTTP/1.1)                |
  |---------------------------------------------->|
  |                                      TCP(ACK) |
  |<----------------------------------------------|
  |                   TLSv1.2(New Session Ticket, |
  |                           Change Cipher Spec, |
  |                           Finished)           |
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  |                         HTTP(HTTP/1.1 200 OK) | *
  |<----------------------------------------------|
  | TCP(ACK)                                      |
  |---------------------------------------------->|
  |                                               |

------------------------------------------------------------

/cygdrive/c/Windows/System32/drivers/etc/hosts:
------------------------------------------------------------
127.0.0.1       www.example.org
127.0.0.2       example.com
127.0.0.3       example.edu
127.0.0.4       example.net
127.0.0.5       example.org
127.0.0.6       www.example.com
127.0.0.7       www.example.edu
127.0.0.8       www.example.net
------------------------------------------------------------

/etc/nginx/nginx.conf_www.example.org_cygwin:
------------------------------------------------------------
worker_processes  5;

events {
    worker_connections  1024;
}

http {
    # www.example.com (HTTP -> HTTP)
    server {
        listen       127.0.0.6:80;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass   http://93.184.216.34/;
        }
    }

    # www.example.net (HTTP -> HTTPS)
    server {
        listen       127.0.0.8:80;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass   https://93.184.216.34/;
        }
    }

    # www.example.com (HTTPS -> HTTP)
    server {
        listen       127.0.0.6:443 ssl;

        # Multi Domain SSL Certificate
        ssl_certificate      /etc/nginx/www.example.org.cer;
        ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass   http://93.184.216.34/;
        }
    }

    # www.example.net (HTTPS -> HTTPS)
    server {
        listen       127.0.0.8:443 ssl;

        # Multi Domain SSL Certificate
        ssl_certificate      /etc/nginx/www.example.org.cer;
        ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Custom-Header-Test 1;
            proxy_pass   https://93.184.216.34/;
        }
    }

    # www.example.edu (HTTP)
    server {
        listen       127.0.0.7:80;
    }

    # www.example.edu (HTTPS)
    server {
        listen       127.0.0.7:443 ssl;

        # Multi Domain SSL Certificate
        ssl_certificate      /etc/nginx/www.example.org.cer;
        ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;
    }

}
------------------------------------------------------------

/cygdrive/c/nginx-1.14.0/conf/nginx.conf_www.example.org_windows:
------------------------------------------------------------
$ diff /etc/nginx/nginx.conf_www.example.org_cygwin /cygdrive/c/nginx-1.14.0/conf/nginx.conf_www.example.org_windows
33,34c33,34
<         ssl_certificate      /etc/nginx/www.example.org.cer;
<         ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;
---
>         ssl_certificate      C:/nginx-1.14.0/conf/www.example.org.cer;
>         ssl_certificate_key  C:/nginx-1.14.0/conf/www.example.org.key.nopass;
48,49c48,49
<         ssl_certificate      /etc/nginx/www.example.org.cer;
<         ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;
---
>         ssl_certificate      C:/nginx-1.14.0/conf/www.example.org.cer;
>         ssl_certificate_key  C:/nginx-1.14.0/conf/www.example.org.key.nopass;
68,69c68,69
<         ssl_certificate      /etc/nginx/www.example.org.cer;
<         ssl_certificate_key  /etc/nginx/www.example.org.key.nopass;
---
>         ssl_certificate      C:/nginx-1.14.0/conf/www.example.org.cer;
>         ssl_certificate_key  C:/nginx-1.14.0/conf/www.example.org.key.nopass;
------------------------------------------------------------

Other information:
------------------------------------------------------------
$ uname -a
CYGWIN_NT-10.0 DESKTOP-FJ1M9IS 2.11.1(0.329/5/3) 2018-09-05 10:24 x86_64 Cygwin

$ /usr/sbin/nginx -V
nginx version: nginx/1.14.0
built with OpenSSL 1.0.2o  27 Mar 2018
TLS SNI support enabled
configure arguments:
 --prefix=/usr/share/nginx
 --sbin-path=/usr/sbin/nginx.exe
 --modules-path=/usr/lib/nginx/modules
 --conf-path=/etc/nginx/nginx.conf
 --lock-path=/var/run/nginx.lock
 --pid-path=/var/run/nginx.pid
 --error-log-path=/var/log/nginx/error.log
 --http-log-path=/var/log/nginx/access.log
 --http-client-body-temp-path=/var/lib/nginx/tmp/client_body
 --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
 --http-proxy-temp-path=/var/lib/nginx/tmp/proxy
 --http-scgi-temp-path=/var/lib/nginx/tmp/scgi
 --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
 --with-http_ssl_module
 --with-http_v2_module
 --with-http_realip_module
 --with-http_addition_module
 --with-http_xslt_module=dynamic
 --with-http_image_filter_module=dynamic
 --with-http_geoip_module=dynamic
 --with-http_sub_module
 --with-http_dav_module
 --with-http_flv_module
 --with-http_mp4_module
 --with-http_gunzip_module
 --with-http_gzip_static_module
 --with-http_auth_request_module
 --with-http_random_index_module
 --with-http_secure_link_module
 --with-http_degradation_module
 --with-http_slice_module
 --with-http_stub_status_module
 --with-http_perl_module=dynamic
 --with-mail=dynamic
 --with-mail_ssl_module
 --with-pcre
 --with-pcre-jit
 --with-stream
 --with-stream_geoip_module=dynamic
 --with-stream_realip_module
 --with-stream_ssl_module
 --with-stream_ssl_preread_module
 --with-ipv6
 --with-cc-opt='-DFD_SETSIZE=2048 -D_GNU_SOURCE'
------------------------------------------------------------
C:\nginx-1.14.0>nginx -V
nginx version: nginx/1.14.0
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.0.2o  27 Mar 2018
TLS SNI support enabled
configure arguments:
 --with-cc=cl
 --builddir=objs.msvc8
 --with-debug
 --prefix=
 --conf-path=conf/nginx.conf
 --pid-path=logs/nginx.pid
 --http-log-path=logs/access.log
 --error-log-path=logs/error.log
 --sbin-path=nginx.exe
 --http-client-body-temp-path=temp/client_body_temp
 --http-proxy-temp-path=temp/proxy_temp
 --http-fastcgi-temp-path=temp/fastcgi_temp
 --http-scgi-temp-path=temp/scgi_temp
 --http-uwsgi-temp-path=temp/uwsgi_temp
 --with-cc-opt=-DFD_SETSIZE=1024
 --with-pcre=objs.msvc8/lib/pcre-8.42
 --with-zlib=objs.msvc8/lib/zlib-1.2.11
 --with-select_module
 --with-http_v2_module
 --with-http_realip_module
 --with-http_addition_module
 --with-http_sub_module
 --with-http_dav_module
 --with-http_stub_status_module
 --with-http_flv_module
 --with-http_mp4_module
 --with-http_gunzip_module
 --with-http_gzip_static_module
 --with-http_auth_request_module
 --with-http_random_index_module
 --with-http_secure_link_module
 --with-http_slice_module
 --with-mail
 --with-stream
 --with-openssl=objs.msvc8/lib/openssl-1.0.2o
 --with-openssl-opt=no-asm
 --with-http_ssl_module
 --with-mail_ssl_module
 --with-stream_ssl_module
------------------------------------------------------------

Is there anything wrong with my configuration file?

Regards,
Ryu

Attachment: cygcheck.out
Description: Binary data
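
The six-pattern test in the message above can be run as a probe that separates a stalled response (handshake done, request sent, no reply bytes) from a connect or TLS handshake failure. This is an added example, not part of the original post; `probe`, `cafile` and `connect_to` are hypothetical names, and the URLs assume the hosts-file entries shown in the post.

```python
import socket
import ssl
from urllib.parse import urlsplit

# The six test URLs from the post; they resolve only with its hosts-file entries.
TEST_URLS = [
    "http://www.example.com/", "http://www.example.net/",
    "https://www.example.com/", "https://www.example.net/",
    "http://www.example.edu/index.html", "https://www.example.edu/index.html",
]

def probe(url, timeout=5.0, cafile=None, connect_to=None):
    """Return (stage, detail); stage is 'connect_failed', 'handshake_failed',
    'stalled' (request sent, nothing received before the timeout), 'closed'
    or 'ok'. cafile (CA bundle for a lab certificate) and connect_to
    ((ip, port) override for the TCP destination) are hypothetical helpers.
    """
    u = urlsplit(url)
    tls = u.scheme == "https"
    addr = connect_to or (u.hostname, u.port or (443 if tls else 80))
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except OSError as exc:
        return ("connect_failed", str(exc))
    try:
        if tls:
            ctx = ssl.create_default_context(cafile=cafile)  # verification stays on
            try:
                sock = ctx.wrap_socket(sock, server_hostname=u.hostname)
            except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
                return ("handshake_failed", str(exc))
        request = f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.hostname}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        try:
            first = sock.recv(4096)  # first bytes of the response, if any arrive
        except socket.timeout:
            return ("stalled", f"no response bytes within {timeout}s")
        except OSError as exc:
            return ("closed", str(exc))
        if not first:
            return ("closed", "peer closed without sending a response")
        return ("ok", first.split(b"\r\n", 1)[0].decode("latin-1"))
    finally:
        sock.close()

if __name__ == "__main__":
    for url in TEST_URLS:
        print(url, *probe(url))
```

A `stalled` result on patterns 3, 4 and 6 with `ok` on 1, 2 and 5 corresponds to the Cygwin results table in the post.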
