Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
nginx load balancing for two servers host images Question Question
Nginx as load balancer in front of ... nginx? Question Question

Question

How to add a new cipher to Nginx?

Posted October 23, 2019 4.5k views
NginxLoad Balancing

Hi:

I’ve been trying to setup LB for my app for a while now. I made some progress but now I’m hitting this problem:

When I try to perform a request to my server through the LB I get this:

SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server did not agree to a protocol

Which turns into a 400 error:

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

I noticed the ssl configuration on the server does not include ECDHE-RSA-CHACHA20-POLY1305, it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

How can I add a new cipher? Thanks

Add a comment
By:
maurochojrin

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
nginx load balancing for two servers host images Question Question
Nginx as load balancer in front of ... nginx? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
techflow October 24, 2019

Hello, @maurochojrin

Can you confirm if http2 is supported on your server? Can you check if your hostname/domain has http2 configured and that ALPN is supported?

You can use this site to check:

https://tools.keycdn.com/http2-test

Enter your domain with https://

If everything is fine you will see:

HTTP/2 protocol is supported.
ALPN extension is supported.

Let me know how it goes.

Reply Report
maurochojrin October 25, 2019

Thanks for that! I finally fixed it by forwarding por 443 on the LB to 443 on the droplet.

I was using 443 -> 80 (Through SSL termination).

I’m a little confused by why this worked though :p

Shouldn’t communication between LB and backends be plain text? Isn’t that what SSL Termination stands for?

Reply Report

Related

Looking for something else?

Ask a new question Search for more help