DigitalOcean Kubernetes: new control plane is faster and free, enable HA for 99.95% uptime SLA

Related

after installing iRedMail my nginx 404 error
Question
SSL Security (HTTPS) in Django one-click-install configuration
Question

Question

How to add a new cipher to Nginx?

Hi:

I’ve been trying to setup LB for my app for a while now. I made some progress but now I’m hitting this problem:

When I try to perform a request to my server through the LB I get this:

SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
ALPN, server did not agree to a protocol

Which turns into a 400 error:

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

I noticed the ssl configuration on the server does not include ECDHE-RSA-CHACHA20-POLY1305, it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

How can I add a new cipher? Thanks

Subscribe
Share
Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Mauro ChojrinOctober 25, 2019

Thanks for that! I finally fixed it by forwarding por 443 on the LB to 443 on the droplet.

I was using 443 -> 80 (Through SSL termination).

I’m a little confused by why this worked though :p

Shouldn’t communication between LB and backends be plain text? Isn’t that what SSL Termination stands for?

Tech FlowOctober 24, 2019

Hello, @maurochojrin

Can you confirm if http2 is supported on your server? Can you check if your hostname/domain has http2 configured and that ALPN is supported?

You can use this site to check:

https://tools.keycdn.com/http2-test

Enter your domain with https://

If everything is fine you will see:

HTTP/2 protocol is supported. ALPN extension is supported.

Let me know how it goes.

Join the DigitalOcean CommunityCommunity

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner

Related

after installing iRedMail my nginx 404 error
Question
SSL Security (HTTPS) in Django one-click-install configuration
Question

Try DigitalOcean for free

Click below to sign up and get $100 of credit to try our products over 60 days!

Sign up