Reputation: 4227
I am trying to proxy requests to a remote server. This is how I configure my Nginx:

    upstream myupstream {
        server remote-hostname;
    }
    ...
    location ~ ^/(v1|v2|v3)/.*$ {
        proxy_pass https://myupstream;
        # also tried these options:
        # proxy_ssl_server_name on;
        # proxy_ssl_verify off;
        # proxy_set_header Host <remote-hostname-here>;
        # proxy_set_header X_FORWARDED_PROTO https;
    }

As a result I see a 502 error page and this record in error.log:

    2018/11/10 19:41:38 [error] 8410#8410: *1 SSL_do_handshake() failed
    (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number)
    while SSL handshaking to upstream, client: 127.0.0.1, server: <my-web-host-here>,
    request: "GET /v1/some/page HTTP/1.1",
    upstream: "https://<my-web-host-ip-here>:80/v1/some/page",
    host: "<my-web-host-here>"

What could cause this?
Note: This nginx proxy is on my local machine.
Upvotes: 26
Views: 66549
Reputation: 1921
In our case, to proxy old CentOS repositories, we had to fix SNI for the upstream so the CDN knows where to route the request:

    location / {
        proxy_pass https://vault.centos.org:443;
        proxy_ssl_name vault.centos.org;
        proxy_ssl_server_name on;
    }

Upvotes: 1
Reputation: 463
I also met this issue and it took me 2 days to fix it.
Steffen is correct: an incorrect port in the upstream can cause this problem. But in my case the upstream port is correct; I have the following configuration:

    location / {
        proxy_pass $scheme://$host:$server_port;
    }

I found that the upstream is always resolved to an IP address in the error log file, instead of a domain name. This can cause the same issue if the upstream is running multiple servers/domains with the same IP. I added the following directive to the configuration to force the upstream to always be resolved to the FQDN:

    proxy_ssl_server_name on;

The issue was gone after this change.
Upvotes: 22
Reputation: 123461
    upstream: "https://<my-web-host-ip-here>:80/v1/some/page",

It is not really clear to me what you are trying to achieve. But it is very unlikely that you have an HTTPS server on port 80. Port 80 is commonly used by HTTP, not HTTPS. Trying to access it by HTTPS will usually result in an HTTP error response by the server which, when interpreted as the expected TLS handshake response, will result in strange error messages like ssl3_get_record:wrong version number.
Upvotes: 20
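
The three answers above, combined into one configuration as an added example (not code from any of the posters): the upstream gets an explicit TLS port, SNI and the Host header carry the real host name, and the upstream certificate is verified instead of using `proxy_ssl_verify off`. Assumptions: `remote-hostname` is the placeholder from the question, the listener on port 8080 and the CA bundle path are illustrative, and the fragment sits inside the `http` block.

```nginx
upstream myupstream {
    # With no port given, nginx uses port 80 for an upstream server, which is
    # why the error log in the question shows "https://<ip>:80/...".
    server remote-hostname:443;
}

server {
    listen 8080;              # assumption: local test listener
    server_name localhost;    # assumption

    location ~ ^/(v1|v2|v3)/.*$ {
        proxy_pass https://myupstream;

        # Send SNI in the upstream handshake. proxy_ssl_name defaults to the
        # host part of proxy_pass, which here would be "myupstream", so set
        # the real host name explicitly.
        proxy_ssl_server_name on;
        proxy_ssl_name remote-hostname;

        # The Host header has the same default, so set it as well for
        # name-based virtual hosts and CDNs.
        proxy_set_header Host remote-hostname;

        # Verify the upstream certificate chain and check that it matches
        # proxy_ssl_name.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # assumption: Debian/Ubuntu CA bundle location; adjust for your system
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` checks the syntax before a reload; with verification on, a certificate that does not match `proxy_ssl_name` produces a 502 with an upstream SSL certificate error in error.log rather than a silent connection to the wrong host.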