Forcing SSLv3 Upstream in NGINX... fml

Sometimes you have to make sacrifices; often I wish I could place IT professionals at large Banks on a sodding Altar and cut their balls off.

Anyway. On some rare, horrible occasions, you need to force the SSL/TLS protocol version used for an upstream. You do that as follows.

upstream shittyserver {
    server 8.8.8.8:443;
}

server {
    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    listen 443 ssl;
    server_name dodgyproxy.com;

    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    rewrite_log on;

    ssl_certificate     /etc/certs/mycert;
    ssl_certificate_key /etc/certs/mykey;

    location / {
        proxy_pass  https://shittyserver;
        proxy_redirect default;
        # Only offer SSLv3 on the connection to the upstream
        proxy_ssl_protocols SSLv3;

        # Host header the upstream expects
        proxy_set_header   Host "shittyservershttphostname";
        proxy_set_header   X-Forwarded-Proto  https;

        # Pass details of the client-side TLS session to the upstream
        proxy_set_header   SSL_PROTOCOL $ssl_protocol;
        proxy_set_header   SSL_CLIENT_CERT $ssl_client_cert;
        proxy_set_header   SSL_CLIENT_VERIFY $ssl_client_verify;
        # Note: this header carries the client certificate's subject DN
        proxy_set_header   SSL_SERVER_S_DN $ssl_client_s_dn;
    }
}
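A forced downgrade like this tends to outlive the reason for it, so it helps to be able to find every place one is configured. The following is an added example, not part of the original post: a small Python scanner that reports each `*ssl_protocols` directive (it generalises beyond `proxy_ssl_protocols` to the listener-side `ssl_protocols` and the other `*_ssl_protocols` variants) that enables a deprecated protocol, along with the enclosing block. The sample config, its names and the address are constructed for illustration.

```python
import re

# Deprecated protocols: SSLv2 (RFC 6176), SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# nginx tokens: quoted strings, comments, block/statement delimiters, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};"']+''')

# Constructed sample config (names and address are placeholders, not from the post).
SAMPLE_CONF = """\
upstream legacy_backend { server 192.0.2.10:443; }
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    location /legacy/ {
        proxy_pass https://legacy_backend;
        proxy_ssl_protocols SSLv3;   # the forced downgrade
    }
    location /api/ {
        # proxy_ssl_protocols SSLv3;  (commented out, must be ignored)
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
"""


def find_legacy_tls(conf_text):
    """Return a finding for each *ssl_protocols directive enabling a legacy protocol."""
    findings, stack, stmt, line = [], [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue  # comment token runs to the end of the line
        if tok == "{":
            stack.append(" ".join(stmt))  # block opens: remember its header
        elif tok == "}":
            stack = stack[:-1]  # block closes
        elif tok == ";":
            weak = sorted(LEGACY.intersection(stmt[1:]))
            if weak and stmt[0].endswith("ssl_protocols"):
                findings.append({"line": line, "directive": stmt[0],
                                 "context": " > ".join(stack), "legacy": weak})
        else:
            if not stmt:  # first word of a directive: note its line number
                line = conf_text.count("\n", 0, m.start()) + 1
            stmt.append(tok[1:-1] if tok[0] in "\"'" else tok)
            continue
        stmt = []  # any delimiter ends the current statement
    return findings


if __name__ == "__main__":
    print(*find_legacy_tls(SAMPLE_CONF), sep="\n")
```

It does not follow `include` directives, so run it over each included file as well.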
Chris McKee

https://chrismckee.co.uk
