Forcing SSLv3 Upstream in NGINX... fml

Sometimes you have to make sacrifices; often I wish I could place IT professionals at large Banks on a sodding Altar and cut their balls off.

Anyway. In some rare horrible occasions you need to force the type of ssl used for an upstream. You do that as follows.

upstream shittyserver {  
   server 8.8.8.8:443;
}

server {  
    listen 443;
    server_name dodgyproxy.com;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    rewrite_log on;

    ssl on;
    ssl_certificate     /etc/certs/mycert;
    ssl_certificate_key /etc/certs/mykey;


    location / {
        proxy_pass  https://shittyserver;
        proxy_redirect default;
        proxy_ssl_protocols SSLv3;

        proxy_set_header   Host "shittyservershttphostname"; 
        proxy_set_header   X-Forwarded-Proto  https;

        proxy_set_header   SSL_PROTOCOL $ssl_protocol;
        proxy_set_header   SSL_CLIENT_CERT $ssl_client_cert;
        proxy_set_header   SSL_CLIENT_VERIFY $ssl_client_verify;
        proxy_set_header   SSL_SERVER_S_DN $ssl_client_s_dn;
      }
}
Chris McKee

Chris McKee

https://chrismckee.co.uk

Software Engineer, Web Front/Backend/Architecture; all-round tech obsessed geek. I hate unnecessary optimism

View Comments