Thanks, Nick.

I'm a little baffled on how it happened, but I found that the keys and
certs had read only permissions for just the root user, which didn't
allow nginx to access them.  It's been working for months based on
that image, so I don't know how it broke.  I fixed the permissions and
got nginx up again.  It looks like the https.include and httpd.include
files were including a bunch of stuff I wasn't aware of, which is why
the ssl protocols were not working as I expected.

I've now commented out the include directive inside app-servers.include
so that the https.include and httpd.include are not included when
nginx.conf is loaded.

Question for you, though...  I noticed that in app-servers.include
there is a define statement that sets the ip address for the backend
server.  Is that file liable to change in future SCALR versions?  That
is where I commented out the includes, so I don't want them to creep
back in without my knowledge.  Should I just copy that backend
statement into nginx.conf instead?  If that ip address changes, then
it breaks, though...

On Aug 12, 12:19 pm, Nickolas Toursky <[email protected]> wrote:
> Hi Ken,
>
> /etc/aws/keys/ssl/https.crt and /etc/aws/keys/ssl/https.key are the
> default paths for SSL certificate and key respectively.
> They usually come from /etc/nginx/https.include, but since you have
> edited your nginx vhost template, they shouldn't be there any more.
>
> Now I can see you have sorted this out. Do you still need help?
>
> Nick
>
> 2009/8/12 kenja <[email protected]>:
>
> > Looking at the console log I see the following error:
>
> > Starting nginx: 2009/08/12 13:25:39 [emerg] 1897#0:
> > SSL_CTX_use_certificate_chain_file("/etc/aws/keys/ssl/https.crt")
> > failed (SSL: error:02001002:system library:fopen:No such file or
> > directory error:20074002:BIO routines:FILE_CTRL:system lib error:
> > 140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:sy)
>
> > I can't figure out where the /etc/aws/keys/ssl/https.crt path is
> > coming from, as it is not present in nginx.conf or the Vhost template
> > area.
>
> > On Aug 12, 10:45 am, kenja <[email protected]> wrote:
> >> It looks like the www server finally says "running" instead of
> >> "initializing", but it still isn't working.  I've tried pointing my
> >> browser directly to the IP address of the front-end and it won't
> >> load.
>
> >> On Aug 12, 10:42 am, kenja <[email protected]> wrote:
>
> >> > I've been having trouble with SSL on my farm lately.  While we've
> >> > specified only SSLV3, the nginx server is allowing SSLV2 and lower.
> >> > In trying to resolve the problem, I edited the www role to remove the
> >> > "Nginx HTTPS Vhost Template: " section within the parameters tab.  I
> >> > then copied that code into the standard nginx.conf and restarted
> >> > nginx.
>
> >> > It didn't work, so I reverted back to the original settings with the
> >> > old nginx.conf and the old code in the "Nginx HTTPS Vhost Template: "
> >> > section.  However, that didn't work either!  I rebooted the www
> >> > instance and that didn't work.  I then terminated the instance and
> >> > waited for the new one to come up and now it is indefinitely saying
> >> > "initializing".  I haven't rebooted the server since the new version
> >> > of Scalr was released, so I'm not sure what is going on.
>
> >> > The farm - 1239 - is down hard and I have no idea how to bring it back
> >> > up or what is causing the server to initialize indefinitely.  Can
> >> > someone help take a look and help me get it back up?
>
> >> > The code in the Vhost Template section is:
>
> >> > {literal}server { {/literal}
> >> > listen       443;
> >> > server_name  {$host} www.{$host} {$server_alias};
>
> >> > ssl                  on;
> >> > ssl_certificate      /etc/nginx/certs/www.myserver.com.crt;
> >> > ssl_certificate_key  /etc/nginx/certs/www.myserver.com.key;
> >> > ssl_session_timeout  10m;
> >> > ssl_session_cache    shared:SSL:10m;
> >> > ssl_protocols SSLv3;
> >> > ssl_ciphers HIGH:!ADH;
> >> > ssl_prefer_server_ciphers   on;
>
> >> > {literal}
> >> > location / {
> >> > proxy_pass        http://backend;
> >> > proxy_set_header   Host             $host;
> >> > proxy_set_header   X-Real-IP        $remote_addr;
> >> > proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
> >> > client_max_body_size       10m;
> >> > client_body_buffer_size    128k;
> >> > proxy_buffering on;
> >> > proxy_connect_timeout 15;
> >> > proxy_intercept_errors on;
>
> >> > }
> >> > } {/literal}
>
> >> > My standard nginx.conf is:
>
> >> > user www-data;
> >> > worker_processes  4;
>
> >> > error_log  /var/log/nginx/error.log;
> >> > pid        /var/run/nginx.pid;
>
> >> > events {
> >> >     worker_connections  4096;
>
> >> > }
>
> >> > http {
> >> >     include       /etc/nginx/mime.types;
> >> >     default_type  application/octet-stream;
>
> >> >     access_log  /var/log/nginx/access.log;
>
> >> >     sendfile        on;
>
> >> >     keepalive_timeout  0;
> >> >     tcp_nodelay        on;
>
> >> >     include /etc/nginx/app-servers.include;
>
> >> >     server {
> >> >         listen       80;
>
> >> >         if ( $remote_addr = 127.0.0.1 ) {
> >> >             rewrite   ^(.*)$  /500.html last;
> >> >             return 302;
> >> >         }
>
> >> >         if (-f /var/www/nginx-errors/maintenanceMode-enabled.html) {
> >> >                   rewrite   ^(.*)$  /maintenancePage.html last;
> >> >                   return 503;
> >> >         }
>
> >> >         location /    {
> >> >             rewrite ^/my-account(.*) https://www.myserver.com/my-account$1 permanent;
> >> >             rewrite ^/login(.*) https://www.myserver.com/login$1 permanent;
> >> >             rewrite ^/administrator(.*) https://www.myserver.com/administrator$1 permanent;
> >> >             rewrite ^/individuals/sign-up(.*) https://www.myserver.com/individuals/sign-up$1 permanent;
> >> >             rewrite ^/index.php/component/user/(.*) https://www.myserver.com/index.php/component/user/$1 permanent;
>
> >> >             proxy_pass        http://backend;
> >> >             proxy_buffering    on;
>
> >> >             proxy_set_header   Host             $host;
> >> >             proxy_set_header   X-Real-IP        $remote_addr;
> >> >             proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
> >> >             proxy_set_header   HTTPS            off;
>
> >> >             error_page   500 501  =  /500.html;
> >> >             error_page   502 503 504  =  /502.html;
> >> >             error_page   404 = /404.html;
> >> >         }
>
> >> >         location /maintenancePage.html {
> >> >                  root   /var/www/nginx-default;
> >> >         }
>
> >> >         location /500.html {
> >> >                 root   /var/www/nginx-default;
> >> >         }
>
> >> >         location /502.html {
> >> >                 root   /var/www/nginx-default;
> >> >         }
>
> >> >         location /404.html {
> >> >                 root   /var/www/nginx-default;
> >> >         }
>
> >> >     }
>
> >> > }
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"scalr-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/scalr-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
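The two things this thread ends up chasing are which included file is really setting `ssl_protocols` and whether the process that loads the certificate and key can read them. The Python script below is an added example, not code from the thread or from Scalr: it walks an nginx config from the top, follows every `include` (glob patterns allowed, relative paths resolved against the top-level config's directory), lists the TLS-relevant directives with the file and line they came from, and checks each `ssl_certificate` / `ssl_certificate_key` path for readability by a given uid/gid, flagging a private key that is readable by "other" as the opposite problem. nginx loads certificate and key files in the master process at configuration time, so the uid to check is the one nginx is started as (root under a normal init-script start), not the worker account named by the `user` directive. The directory layout it builds under a temp dir (nginx.conf, app-servers.include, https.include, an ssl/ key) is constructed to mirror the thread's; the function names and the uid 33 used in the readability check are my own choices.

```python
"""Audit an nginx config tree: follow every `include`, report where the
TLS-relevant directives actually come from, and check that the uid that
loads the certificate/key files can read them (added example; constructed
sample tree, not a real server's config)."""
import glob
import os
import re
import stat
import tempfile

TLS_DIRECTIVES = ("ssl_protocols", "ssl_certificate", "ssl_certificate_key",
                  "ssl_ciphers", "user")

# One-line directives only: `name arg arg ... ;` with `#` starting a comment.
# Directives split across lines are not handled (kept simple on purpose).
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+([^;]*);")


def iter_directives(conf_path, prefix=None, seen=None):
    """Yield (file, lineno, name, args) for every directive reachable from
    conf_path, descending into `include` directives as nginx would."""
    conf_path = os.path.abspath(conf_path)
    prefix = prefix or os.path.dirname(conf_path)
    seen = set() if seen is None else seen
    if conf_path in seen:            # guard against include loops
        return
    seen.add(conf_path)
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            m = _DIRECTIVE.match(raw.split("#", 1)[0])
            if not m:
                continue
            name, args = m.group(1), m.group(2).split()
            yield conf_path, lineno, name, args
            if name == "include" and args:
                pattern = args[0] if os.path.isabs(args[0]) else os.path.join(prefix, args[0])
                for inc in sorted(glob.glob(pattern)):
                    yield from iter_directives(inc, prefix, seen)


def find_tls_directives(conf_path):
    """TLS-relevant directives with provenance, so the file that is really
    setting ssl_protocols (e.g. a hidden https.include) is visible."""
    return [{"file": f, "line": n, "directive": name, "args": args}
            for f, n, name, args in iter_directives(conf_path)
            if name in TLS_DIRECTIVES]


def readable_by(mode, file_uid, file_gid, uid, gid):
    """Pure permission check: can uid/gid read a file with this
    st_mode/st_uid/st_gid? Root can always read."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_key_files(conf_path, loader_uid, loader_gid):
    """For each certificate/key path: missing, unreadable by the loading uid,
    or ok; additionally flag a private key that 'other' can read."""
    report = []
    for d in find_tls_directives(conf_path):
        if d["directive"] not in ("ssl_certificate", "ssl_certificate_key") or not d["args"]:
            continue
        path = d["args"][0]
        try:
            st = os.stat(path)
        except FileNotFoundError:
            # The failure mode in the thread: fopen -> No such file or directory
            report.append({"path": path, "from": d["file"], "status": "missing"})
            continue
        ok = readable_by(st.st_mode, st.st_uid, st.st_gid, loader_uid, loader_gid)
        exposed = d["directive"] == "ssl_certificate_key" and bool(st.st_mode & stat.S_IROTH)
        report.append({"path": path, "from": d["file"],
                       "status": "ok" if ok else "unreadable",
                       "key_world_readable": exposed})
    return report


def build_sample_tree(root):
    """Constructed sample mirroring the thread's layout: nginx.conf pulls in
    app-servers.include, which silently pulls in https.include."""
    os.makedirs(os.path.join(root, "ssl"))
    key = os.path.join(root, "ssl", "https.key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644)             # deliberately too open, to be flagged
    files = {
        "nginx.conf": "user www-data;\nhttp {\n    include app-servers.include;\n"
                      "    server {\n        listen 443;\n        ssl_protocols SSLv3;\n    }\n}\n",
        "app-servers.include": "upstream backend {\n    server 10.0.0.2:80;\n}\n"
                               "include https.include;  # the hidden include\n",
        "https.include": "server {\n    listen 443;\n    ssl_protocols SSLv2 SSLv3 TLSv1;\n"
                         f"    ssl_certificate {root}/ssl/https.crt;\n"   # never created -> missing
                         f"    ssl_certificate_key {key};\n}}\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return os.path.join(root, "nginx.conf")


def run_demo():
    """Build the constructed tree in a temp dir and audit it for a root loader."""
    conf = build_sample_tree(tempfile.mkdtemp(prefix="nginx-audit-"))
    return find_tls_directives(conf), check_key_files(conf, loader_uid=0, loader_gid=0)


if __name__ == "__main__":
    directives, keys = run_demo()
    for d in directives:
        print(f"{d['file']}:{d['line']}: {d['directive']} {' '.join(d['args'])}")
    for k in keys:
        print(k)
```

Against a live box, `nginx -T` (nginx 1.9.2 and later) dumps the fully resolved configuration with every include expanded, which answers the "where did this directive come from" question directly; the script above is for older builds or for auditing a config tree offline, and its `readable_by` check is what to run with the uid nginx is actually started as.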