Forcing SSLv3 Upstream in NGINX... fml

Sometimes you have to make sacrifices; often I wish I could place IT professionals at large Banks on a sodding Altar and cut their balls off.

Anyway. On some rare, horrible occasions you need to force the SSL/TLS protocol version used for an upstream. You do that as follows.

upstream shittyserver {
    server 8.8.8.8:443;
}

server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;"
    listen 443 ssl;
    server_name dodgyproxy.com;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    rewrite_log on;

    ssl_certificate     /etc/certs/mycert;
    ssl_certificate_key /etc/certs/mykey;

    location / {
        proxy_pass  https://shittyserver;
        proxy_redirect default;
        # Only the nginx-to-upstream hop is pinned to SSLv3
        proxy_ssl_protocols SSLv3;

        proxy_set_header   Host "shittyservershttphostname";
        proxy_set_header   X-Forwarded-Proto  https;

        # Pass details of the client-side TLS session to the upstream
        proxy_set_header   SSL_PROTOCOL $ssl_protocol;
        proxy_set_header   SSL_CLIENT_CERT $ssl_client_cert;
        proxy_set_header   SSL_CLIENT_VERIFY $ssl_client_verify;
        proxy_set_header   SSL_SERVER_S_DN $ssl_client_s_dn;
    }
}
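
To keep track of exceptions like this one, the following added example (not from the original post) scans nginx configuration text for `ssl_protocols` and `proxy_ssl_protocols` directives that enable deprecated protocol versions and reports the block each one sits in. The function name and the sample config are constructed for illustration, and the parser assumes one directive per line.

```python
# Protocol names nginx accepts that are deprecated (SSLv3: RFC 7568; TLSv1/1.1: RFC 8996).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVES = {"ssl_protocols", "proxy_ssl_protocols"}

# Constructed sample input, modelled on the config in this post.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    server_name dodgyproxy.com;
    ssl_protocols TLSv1.2 TLSv1.3;   # client-facing side
    location / {
        proxy_pass https://shittyserver;
        proxy_ssl_protocols SSLv3;   # upstream side
    }
    location /status {
        # proxy_ssl_protocols SSLv3;
        proxy_ssl_protocols TLSv1.2;
    }
}
"""

def find_legacy_protocols(conf_text):
    """Return (line_no, context, directive, legacy_protocols) for each weak directive."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in quoted values)
        if not line:
            continue
        if line.endswith("{"):                # entering a block: remember its header
            stack.append(line[:-1].strip())
            continue
        if line == "}":                       # leaving the innermost block
            if stack:
                stack.pop()
            continue
        words = line.rstrip(";").split()
        if words and words[0] in DIRECTIVES:
            weak = [p for p in words[1:] if p in LEGACY]
            if weak:
                findings.append((line_no, " > ".join(stack), words[0], weak))
    return findings

if __name__ == "__main__":
    for line_no, ctx, directive, weak in find_legacy_protocols(SAMPLE_CONF):
        print(f"line {line_no} [{ctx}] {directive}: {', '.join(weak)}")
```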

Chris McKee

https://chrismckee.co.uk

Software Engineer, Web Front/Backend/Architecture; all-round tech obsessed geek. I hate unnecessary optimism