xeruf

Reputation: 3010

Nginx Bad Gateway when proxying Caddy

I use nginx as a NAT from IPv4 to IPv6, meaning it proxies servers that already have SSL configured. This usually works, but it seems to have issues if caddy is upstream. I see the following in the nginx logs:

2022/09/29 00:01:22 [error] 231367#231367: *1098403 SSL_do_handshake() failed (SSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: CLIENT_IP, server: DOMAIN, request: "GET / HTTP/2.0", upstream: "https://UPSTREAM_IPV6:443/", host: "DOMAIN"

For caddy:

Sep 29 00:27:37 cat caddy[450]: {"level":"debug","ts":1664404057.3207386,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"[NAT_IPV6]:40410","identifier":"UPSTREAM_IPV6","cipher_suites":[49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0007,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Sep 29 00:27:37 cat caddy[450]: {"level":"debug","ts":1664404057.3210196,"logger":"http.stdlib","msg":"http: TLS handshake error from [NAT_IPV6]:40410: no certificate available for 'UPSTREAM_IPV6'"}

nginx config:

server {
    listen 443;
    server_name DOMAIN;
    location / {
        proxy_pass_header Authorization;
        proxy_pass https://UPSTREAM_IPV6;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
    ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

nginx version: nginx/1.18.0

caddy version: v2.5.2

It seems to me that either nginx is not correctly forwarding the host, or caddy does not recognize it properly, as it seems to search for a certificate of its own IP.

Upvotes: 2

Views: 777

Answers (1)

alleen1

Reputation: 438

This did the trick for me:

location / {
    proxy_pass https://server2.example.com;
    proxy_set_header Host $host;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse off;
    ...
}

Answer taken from here.

Upvotes: 2
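As an added illustration (not code from the question or the answer), a small Python checker that reads nginx location blocks and flags an https:// proxy_pass that lacks the two SNI directives from the answer, plus a warning when the upstream certificate is not verified. The two configs embedded below are constructed from the question's block and the answer's fix; the helper names are mine.

```python
import re

# Constructed samples: the question's https proxy_pass without SNI directives,
# and the same location with the answer's fix applied.
BROKEN_CONF = """
location / {
    proxy_pass https://UPSTREAM_IPV6;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
}
"""
FIXED_CONF = """
location / {
    proxy_pass https://UPSTREAM_IPV6;
    proxy_set_header Host $host;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse off;
}
"""

def directive(body, name):
    """Value of the first 'name value;' directive in a block body, or None if absent."""
    m = re.search(rf"(?m)^\s*{re.escape(name)}\s+([^;]+);", body)
    return m.group(1).strip() if m else None

def check_conf(conf):
    """Return (level, message) findings for every location proxying to an https:// upstream."""
    findings = []
    for m in re.finditer(r"location\s+([^{]+?)\s*\{([^}]*)\}", conf):
        selector, body = m.group(1).strip(), m.group(2)
        target = directive(body, "proxy_pass")
        if not target or not target.startswith("https://"):
            continue  # plain-HTTP upstream: no TLS handshake to nginx's upstream, nothing to check
        if directive(body, "proxy_ssl_server_name") != "on":
            findings.append(("error", f"location {selector}: proxy_ssl_server_name is not on, so nginx "
                             "sends no SNI and a name-based upstream such as Caddy sees server_name \"\""))
        if directive(body, "proxy_ssl_name") is None:
            findings.append(("error", f"location {selector}: proxy_ssl_name unset; SNI would default to the "
                             f"proxy_pass host ({target[8:]}), not the name the client requested ($host)"))
        if directive(body, "proxy_ssl_verify") != "on":
            findings.append(("warn", f"location {selector}: proxy_ssl_verify is not on (nginx default is off), "
                             "so the upstream certificate is not validated"))
    return findings

def errors(conf):
    """Only the findings that explain the 502 / handshake failure."""
    return [msg for level, msg in check_conf(conf) if level == "error"]

if __name__ == "__main__":
    for label, conf in (("question", BROKEN_CONF), ("answer", FIXED_CONF)):
        for level, msg in check_conf(conf):
            print(f"[{level}] {label}: {msg}")
```

Running it prints two errors for the question's block and none for the answer's; the verify warning appears for both, since the answer fixes SNI but does not turn on upstream certificate verification.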
