I have a problem trying to override a certificate using NGINX as a reverse proxy, redirecting all requests to an Apache server with an old certificate (TLS 1.0).
This is the output of my .conf file:
server {
    listen 80;
    server_name provision.metrotel.com.ar;
    return 301 https://provision.metrotel.com.ar$request_uri;
}
server {
    listen 443 ssl http2;
    server_name provision.metrotel.com.ar;
    ssl_certificate /etc/nginx/certs/metrotel.crt;
    ssl_certificate_key /etc/nginx/certs/metrotel.key;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error_prov.log;
    location / {
        proxy_pass http://prov.metrotel.com.ar/;
        proxy_ssl_certificate /etc/nginx/certs/metrotel.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/metrotel.key;
    }
}
http://prov.metrotel.com.ar/ is the server where the website is hosted, and it has an old certificate. Is there a way to override that certificate, using the one I have in my nginx reverse proxy?
I have tried several options and I always get "NET::ERR_SSL_OBSOLETE_VERSION".
Client: Chrome (172.20.1.4)
Proxy (Nginx on srv-nginx-a.metrotel.local - 192.168.151.112)
Backend (prov.metrotel.com.ar) 192.168.59.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,nop,nop,nop ], length 0
11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 2920.1.4.19710, options, options [S.] nop,wscale 7], length 0
11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0
11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535
11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0
11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152
11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0
11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51
11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0
11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713
11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0
11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460, TS val,sa 180831520 ecr 0,nop,wscale 7], length 0
11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 56mscs3, options [560385833, valscrck] 180831520,nop,wscale 7], length 0
11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr]828388
11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0
11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 51280]
11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3854582 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ec]
11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 81385 ecr 38584 ], length 0
11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0
11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895
11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0
11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713
11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1468.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460.59.20.http: wscale 7], length 0
11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 56ms9551833, options [5604868674], win 56ms958933, options [57828993, valdrscrck] 180831594,nop,wscale 7], length 0
11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr]828 390 ecr
11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0
11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 50 928 ecr]
11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 392582 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 385823]
11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 81385 ecr 3928 ], length 0
11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0
11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895
11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 50 929]
11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0
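
An added example, not part of the original post: a small Python parser for tcpdump summary lines like those above, which separates the client-to-proxy leg from the proxy-to-backend leg and collects the HTTP lines tcpdump decoded. The sample lines are constructed from the capture with the TCP options trimmed, and `summarize` and `findings` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: four lines shaped like the capture above, TCP options trimmed.
SAMPLE = """\
11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535
11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, length 756: HTTP: GET / HTTP/1.0
11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, length 519: HTTP: HTTP/1.1 302 Found
11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895
"""

# time, src host.port, dst host.port, flags, payload length, optional decoded HTTP line
LINE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): Flags \[([^\]]*)\]"
                  r".*?length (\d+)(?:: HTTP: (.*))?$")

def summarize(capture):
    """Group packets by service port name; collect payload size and HTTP lines."""
    legs = defaultdict(lambda: {"payload_bytes": 0, "http": []})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, wrapped or damaged line
        _src, sport, _dst, dport, _flags, length, http = m.groups()
        # Assumes tcpdump printed service names (http/https), as in the capture
        # above; the ephemeral client port is the numeric one.
        service = dport if sport.isdigit() else sport
        legs[service]["payload_bytes"] += int(length)
        if http:
            legs[service]["http"].append(http)
    return dict(legs)

def findings(legs):
    """Turn the per-leg summary into points to check in the proxy config."""
    out = []
    upstream = legs.get("http", {"http": []})["http"]
    if upstream:
        out.append("proxy-to-backend leg is cleartext HTTP, so proxy_ssl_* is never used")
    redirects = [h for h in upstream if re.match(r"HTTP/1\.[01] 30[12378]\b", h)]
    if redirects:
        out.append(f"backend sent {len(redirects)} redirect(s): check the Location header")
    if "https" in legs:
        out.append("client-to-proxy leg is on port 443: its TLS versions are set on the proxy")
    return out

if __name__ == "__main__":
    for point in findings(summarize(SAMPLE)):
        print("-", point)
```

The summary lines do not show the `Location` header of the 302 or the negotiated TLS version, so those two points still have to be checked with a full decode (`-v`/`-A`) or in the browser's network panel.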