How to add a new cipher to Nginx?

Posted October 23, 2019
Nginx, Load Balancing


I’ve been trying to set up LB for my app for a while now. I made some progress but now I’m hitting this problem:

When I try to perform a request to my server through the LB I get this:

SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server did not agree to a protocol 

Which turns into a 400 error:

<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>

I noticed the ssl configuration on the server does not include ECDHE-RSA-CHACHA20-POLY1305, it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

How can I add a new cipher? Thanks

2 answers

Hello, @maurochojrin

Can you confirm if http2 is supported on your server? Can you check if your hostname/domain has http2 configured and that ALPN is supported?

You can use this site to check:

Enter your domain with https://

If everything is fine you will see:

HTTP/2 protocol is supported.
ALPN extension is supported.

Let me know how it goes.

Thanks for that! I finally fixed it by forwarding port 443 on the LB to 443 on the droplet.

I was using 443 -> 80 (Through SSL termination).

I’m a little confused by why this worked though :p

Shouldn’t communication between LB and backends be plain text? Isn’t that what SSL Termination stands for?
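
An added configuration example, not part of the original thread and not the poster's actual config: it shows which backend listener matches each LB forwarding rule discussed above, and where cipher suites are set (ssl_ciphers, as opposed to ssl_protocols). The server name, document root and certificate paths are placeholders.

```nginx
# Backend for an LB rule 443 -> 80 (TLS terminated at the LB).
# The LB forwards plain HTTP, so this listener must not enable SSL.
server {
    listen 80;
    server_name example.com;            # placeholder

    # No "ssl" parameter on listen and no "ssl on;" in this block.
    # If SSL is enabled on this port, nginx answers a plain-HTTP request with
    # "400 The plain HTTP request was sent to HTTPS port".
    location / {
        root /var/www/html;             # placeholder
    }
}

# Backend for an LB rule 443 -> 443: requests reach nginx over TLS,
# so this listener needs a certificate and TLS settings.
server {
    listen 443 ssl;
    server_name example.com;            # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    # ssl_protocols selects protocol versions only; it does not list ciphers.
    # The value quoted in the question also enabled TLSv1 and TLSv1.1,
    # which are deprecated; this example keeps TLSv1.2 only.
    ssl_protocols TLSv1.2;

    # ssl_ciphers selects the cipher suites (OpenSSL names) for TLS 1.2 and below.
    # ECDHE-RSA-CHACHA20-POLY1305 needs an OpenSSL build that supports ChaCha20.
    ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/html;             # placeholder
    }
}
```

Validate with `nginx -t` before reloading. With a 443 -> 80 rule, the cipher a client reports is the one negotiated with the LB, not with this nginx.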