community!
I have a reverse proxy based on NGINX. The idea is to provide my customers with custom domains for my services. For example, the customer will create a CNAME record pointing to my Proxy server: video.mycustomer.com --> mynginxserver.com
Then I generate the SSL certificate (Let's Encrypt) and create the following Virtual host:
server {
    listen 80;
    server_name video.mycustomer.com;
    # Note: access_log expands variables, but error_log does not.
    access_log /var/log/nginx/$server_name-access.log;
    error_log /var/log/nginx/$server_name-error.log;
    return 301 https://$server_name$request_uri; # Redirect to https
}
server {
    listen 443 ssl http2;
    server_name video.mycustomer.com;
    access_log /var/log/nginx/$server_name-ssl-access.log;
    error_log /var/log/nginx/$server_name-ssl-error.log;
    ssl on; # redundant with "listen 443 ssl"; deprecated in nginx 1.15.0, removed in 1.25.1
    ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # TLS 1.0/1.1 are deprecated (RFC 8996)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location /.well-known/acme-challenge/ {
        root /web/sites/$server_name/www/;
    }
    location / {
        # Plain-HTTP upstream: no TLS handshake to the backend at all.
        proxy_pass http://myservice.com/channel/cfa-xw88bbxlsd/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
As long as I'm pointing to an HTTP resource everything works like a charm. But when I try to set the proxy_pass to an HTTPS resource (my resource, and I own the certificate), I'm getting 502 Bad Gateway.
This is what I get from the error.log file:
==> video.mycustomer.com-ssl-error.log <==
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.90:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.79:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.24:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://98.64.64.4:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:1200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:1200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:c200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:c200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:b000:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:b000:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:5200:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:5200:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:4a00:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:4a00:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
2021/10/19 18:56:44 [error] 11316#11316: *1333 connect() to [2600:8000:2153:2600:d:1f52:c300:83b1]:443 failed (101: Network is unreachable) while connecting to upstream, client: 86.79.99.252, server: video.mycustomer.com, request: "GET / HTTP/2.0", upstream: "https://[2600:8000:2153:2600:d:1f52:c300:83b1]:443/", host: "video.mycustomer.com"
I tried to work with:
proxy_ssl_certificate /home/ubuntu/ssl-proxy/pass_cert/client.pem;
proxy_ssl_certificate_key /home/ubuntu/ssl-proxy/pass_cert/client.key;
With no luck.
Any ideas? Thanks in advance, Dan.
This config solved all the issues:
server {
    listen 80;
    listen [::]:80;
    server_name video.mycustomer.com;
    access_log /var/log/nginx/video.mycustomer.com-access.log;
    error_log /var/log/nginx/video.mycustomer.com-error.log;
    return 301 https://video.mycustomer.com$request_uri; # Redirect to https
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name video.mycustomer.com;
    access_log /var/log/nginx/video.mycustomer.com-ssl-access.log;
    error_log /var/log/nginx/video.mycustomer.com-ssl-error.log;
    # "ssl on;" dropped: "listen 443 ssl" already enables TLS, and the directive
    # was deprecated in nginx 1.15.0 and removed in 1.25.1.
    ssl_certificate /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.0/1.1 are deprecated (RFC 8996)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location /.well-known/acme-challenge/ {
        root /web/sites/video.mycustomer.com/www/;
    }
    location / {
        proxy_pass https://myservice.com/channel/cfa-xw88bbxlsd/; # HTTPS, not HTTP, and keep the trailing "/"
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_protocols TLSv1.2 TLSv1.3; # same reason as ssl_protocols above
        proxy_ssl_server_name on; # send SNI to the upstream (off by default)
        proxy_read_timeout 5m;
        # CORS is a response header: add_header sets it on the reply to the
        # browser, whereas proxy_set_header only changes the request sent upstream.
        add_header Access-Control-Allow-Credentials true always;
        # "proxy_set_header Content-Encoding gzip;" removed: it claimed the (empty)
        # request body was gzip-compressed and had no effect on responses.
    }
}
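Two things the accepted config still leaves open, for anyone copying it: nginx's proxy_ssl_verify defaults to off, so the proxy will happily complete a TLS handshake with any certificate the upstream presents, and the "connect() to [2600:...]:443 failed (101: Network is unreachable)" lines mean the host has AAAA records for myservice.com but no IPv6 route, so every request first burns through the IPv6 addresses before reaching an IPv4 one. The vhost below is an added example (not the poster's config and not from nginx's documentation) that keeps the same hostnames and upstream path from the thread, enables SNI, verifies the upstream chain and hostname, and re-resolves the upstream with AAAA lookups disabled. Assumptions: nginx 1.15 or later, the Debian/Ubuntu CA bundle at /etc/ssl/certs/ca-certificates.crt, and systemd-resolved's stub resolver at 127.0.0.53; change those paths for your distribution.

```nginx
# Added example, not the original poster's config.
# Assumes: nginx >= 1.15, Debian/Ubuntu CA bundle, systemd-resolved stub.

server {
    listen 80;
    listen [::]:80;
    server_name video.mycustomer.com;

    # ACME HTTP-01 challenges must be answered over plain HTTP, before the redirect.
    location /.well-known/acme-challenge/ {
        root /web/sites/video.mycustomer.com/www/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name video.mycustomer.com;

    access_log /var/log/nginx/video.mycustomer.com-ssl-access.log;
    error_log  /var/log/nginx/video.mycustomer.com-ssl-error.log;

    ssl_certificate     /etc/letsencrypt/live/video.mycustomer.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/video.mycustomer.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;             # TLS 1.0/1.1 deprecated by RFC 8996
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;             # let modern clients pick; TLS 1.3 ignores this anyway
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Resolve the upstream at request time instead of once at startup,
        # and skip AAAA records because this host has no IPv6 route.
        # 127.0.0.53 is systemd-resolved's stub listener (assumption).
        resolver 127.0.0.53 ipv6=off valid=300s;
        set $upstream_host myservice.com;
        # With a variable in proxy_pass the URI is passed as-is, so append
        # $request_uri to keep the same prefix mapping as the static form.
        proxy_pass https://$upstream_host/channel/cfa-xw88bbxlsd$request_uri;

        # SNI (off by default) plus chain and hostname verification
        # (proxy_ssl_verify is off by default, i.e. unauthenticated TLS).
        proxy_ssl_server_name on;
        proxy_ssl_name $upstream_host;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_session_reuse on;

        proxy_http_version 1.1;
        proxy_set_header Host $upstream_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 5m;
    }
}
```

Run `nginx -t` after dropping this in. If the upstream is signed by a private CA, point proxy_ssl_trusted_certificate at that CA's PEM instead of the system bundle. To confirm what the "ssl3_get_record:wrong version number" error is telling you, connect to the upstream by hand with `openssl s_client -connect myservice.com:443 -servername myservice.com </dev/null`: that error from nginx means the bytes that came back were not a TLS record, which is typically a listener speaking plain HTTP on 443 or an intermediate proxy answering instead of the TLS server; if the handshake only succeeds when `-servername` is given, the upstream requires SNI, which is what proxy_ssl_server_name on supplies.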