Reputation: 1315
In order to debug an nginx error case, I need to fully understand an error log message first. Our nginx writes this particular error log message from time to time.
Log message
"peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream".
What is meant by "peer"?
I would like to know: does "peer" refer to the upstream, meaning that the upstream closed the connection during the SSL handshake, or does it refer to the client, meaning that the client closed the connection while the load balancer and the web server were internally in a handshake?
Setup
Upvotes: 7
Views: 8108
Reputation: 1315
After many hours of debugging we finally found the actual cause of the issue. The error message was produced by a client requesting nginx without a domain, e.g. https://11.22.33.44/robots.txt. Nginx then forwarded the request to an IIS server which did not have any default website bound to https for IP-only requests.
The conclusion for the original question is then that "peer" actually DOES refer to the upstream (the IIS), as the IIS is the one cutting the connection.
The solution we chose for this problem, to avoid this error in nginx and thereby avoid letting clients put all upstream servers into "down" mode, was to configure nginx to deny these requests itself. Another possible solution was to ensure that the IIS behaved nicely for these requests.
Upvotes: 0
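The fix the answer above describes, written out as an added example (this is not configuration from the original answer; addresses, names and paths are placeholders): a catch-all server block refuses requests that arrive without a hostname nginx serves, such as https://11.22.33.44/robots.txt, so nothing is proxied to IIS and the upstream never gets the chance to reset the handshake.

```nginx
# Added example, not from the original answer. Placeholder addresses/paths.
http {
    upstream iis_backend {
        server 10.0.0.10:443;   # hypothetical IIS hosts
        server 10.0.0.11:443;
    }

    # Catch-all virtual host. A request whose SNI / Host header matches no
    # server_name below lands here. TLS has already completed at that point,
    # so this server needs a certificate; "return 444" makes nginx close the
    # connection without sending a response. Nothing is proxied, so the
    # bare-IP request never reaches IIS and no upstream handshake is logged.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/fallback.pem;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/fallback.key;   # placeholder
        # On nginx 1.19.4 or later the TLS handshake itself can be refused for
        # unknown names instead, and the two certificate lines above dropped:
        # ssl_reject_handshake on;
        return 444;
    }

    server {
        listen 443 ssl;
        server_name example.com www.example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.pem;  # site cert first, then bundle
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        location / {
            proxy_pass https://iis_backend;
            # Forward the hostname the client used so IIS can select the
            # matching https binding ...
            proxy_set_header Host $host;
            # ... and send it as SNI on the upstream TLS handshake (nginx 1.7.0+).
            proxy_ssl_server_name on;
        }
    }
}
```

Two things to check when applying this. First, `$host` is the client-supplied name (or the bare IP when the client used none); forwarding it as the Host header is what lets IIS pick a name-based binding, and it is also what made IIS reset the connection in the original setup, which is why the catch-all above must sit in front of it. Second, `default_server` is chosen after the TLS handshake, so the fallback certificate is presented to any client that sends an unknown or missing SNI; if that is undesirable and the nginx version allows it, prefer `ssl_reject_handshake on`.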
Reputation: 12785
Your issue might be to do with the order you have concatenated the Comodo .bundle file with your site cert.
You need to place the bundle file after the site cert.
The peer has to be something on the same "level" as Nginx which, as your issues are related to SSL, has to be OpenSSL.
I would hazard a guess that your OS is Ubuntu 12.x and that OpenSSL is 1.0.1. If so, then the issue is most likely related to an Ubuntu bug.
Seems you either need to upgrade to Ubuntu 13.04 or disable TLS 1.1.
Whatever the case, the peer is not the upstream.
Upvotes: 1
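The ordering rule this answer points at (site certificate first, Comodo bundle after it) is easy to get wrong when concatenating files, so here is an added check script; it is not code from the original answer. It assumes the openssl command line tool is available and judges order purely by issuer/subject names: every certificate in the file must be the issuer of the one before it. The demo chain it builds is constructed test data.

```shell
#!/bin/sh
# Added example, not from the original answer. Verifies that a PEM file meant
# for nginx's ssl_certificate starts with the site (leaf) certificate and is
# followed by its intermediate(s), each being the issuer of the cert before it.
# Requires the openssl command line tool.
set -e

# chain_order_ok FILE
# Exit 0 when certificate i+1 is the issuer of certificate i for every adjacent
# pair in FILE (leaf -> intermediate -> ...). Exit 1 when the bundle was put in
# front of the site certificate or the certificates are unrelated.
chain_order_ok() {
  pem="$1"
  work=$(mktemp -d)
  # Split the file into cert1.pem, cert2.pem, ... in the order they appear.
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                    n > 0 { print > (d "/cert" n ".pem") }' "$pem"
  count=$(ls "$work" | wc -l | tr -d ' ')
  ok=1
  [ "$count" -ge 1 ] || ok=0
  i=1
  while [ "$ok" -eq 1 ] && [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    # Strip the "issuer=" / "subject=" prefixes so the two strings compare.
    issuer=$(openssl x509 -noout -issuer -in "$work/cert$i.pem" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$work/cert$j.pem" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || ok=0
    i=$j
  done
  rm -rf "$work"
  [ "$ok" -eq 1 ]
}

# make_demo_chain DIR
# Builds a throwaway root -> intermediate -> leaf chain (constructed test data,
# name-based only, no CA extensions) and writes good.pem (site cert first) and
# bad.pem (bundle first) into DIR.
make_demo_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/inter.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/site.csr" -CA "$dir/inter.crt" \
    -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/site.crt" 2>/dev/null
  cat "$dir/site.crt" "$dir/inter.crt" > "$dir/good.pem"   # correct: site cert, then bundle
  cat "$dir/inter.crt" "$dir/site.crt" > "$dir/bad.pem"    # wrong: bundle first
}

# Usage: sh check_chain.sh /etc/nginx/ssl/site-with-bundle.pem
if [ "$#" -ge 1 ]; then
  if chain_order_ok "$1"; then
    echo "$1: site certificate first, chain order looks right"
  else
    echo "$1: wrong order (bundle before site cert?) or unrelated certificates" >&2
    exit 1
  fi
fi
```

The check only looks at names, so it will happily accept a file whose intermediate lacks the CA extensions a browser requires; run `openssl verify -untrusted` against the real bundle for that. What it does catch is the case this answer describes: nginx uses the first certificate in the file as the server certificate, and if that is the intermediate, clients will see a name mismatch on the TLS handshake.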
Reputation: 1503
Peer refers to the upstream in this case, because if we took "peer" to be the client, that would mean two SSL handshakes (Client -> nginx, nginx -> upstream) happen simultaneously, which doesn't make sense: the client has to establish a connection and send a request, and only then can nginx choose an appropriate upstream to connect to.
Upvotes: 6