15
votes

I am getting this error:

Error frontend: 502 Bad gateway

99.110.244:443

2017/09/28 13:03:51 [error] 34080#34080: *1062 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 10.210.0.81, server: webshop.domain.be, request: "GET / HTTP/1.1", upstream: "https://10.1.10.61:443/", host: "webshop.domain.be"

Config:

        # Zone for connection logging
        limit_conn_zone $binary_remote_addr zone=izSSL_webshop-api_CZ:10m;

        # Zone for rate logging
        # High rate limit. x r/s is sometimes a bit fast
        # 10 MB (10m) will give us enough space to store a history of 160k requests.
        limit_req_zone $binary_remote_addr zone=izSSL_webshop-api_RZ:10m rate=20r/s;


upstream webshop_domain_be {
        server webshop.domain.be:443;
}


server {
        listen       443 ssl;
        server_name  webshop.domain.be webshop;

        client_max_body_size 80M;

        ssl_session_cache    shared:webshopSSL:1m;
        ssl_session_timeout  10m;
        ssl_certificate /var/www/certs/webshop.domain.be/webshop.domain.be-chain.pem;
        ssl_certificate_key /var/www/certs/webshop.domain.be/webshop.domain.be-key.pem;
        ssl_verify_client off;
        ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;


        location / {

                proxy_ssl_session_reuse off;
                proxy_pass $scheme://webshop_domain_be;

        }
}

nginx version: nginx/1.10.3 (Ubuntu)

The other server (10.1.10.61) is an IIS server with the same certificate as I'm using in this proxy (correct?). It's not an IIS problem, and the proxy server can reach 10.1.10.61 on port 443.

Config based on https://serverfault.com/questions/583374/configure-nginx-as-reverse-proxy-with-upstream-ssl

I am using Let's Encrypt certificates.

6
Try adding proxy_ssl_server_name on; to your proxy_pass block and see if it helps. – Tarun Lalwani
Tried it, but doesn't work either. Thanks though. – Jeffrey
How come both names are webshop.domain.be? – Tarun Lalwani
Oh, yes, it's something stupid, but the vendor specifically asked it to be that way rather than the IP. Anyhow, even with the IP it makes no difference. (The trick is: the proxy server is known as this name in all our DNS records, but in /etc/hosts of the proxy it is overruled and refers to the other one.) – Jeffrey
Try changing webshop.domain.be:443 to the actual IP, and use proxy_ssl_name "webshop.domain.be". If that doesn't work, try adding proxy_ssl_server_name on; as well. – Tarun Lalwani

6 Answers

22
votes

Adding this line after the proxy_pass worked for me.

proxy_ssl_server_name on;

Before that I did this from here

On Red Hat 7 / CentOS 7 / Oracle Linux 7: install the certificate in your environment.

  1. Download the active PEM certificate from https://letsencrypt.org/certificates/ into /etc/pki/ca-trust/source/anchors
  2. Execute: sudo update-ca-trust

Not sure if those last 2 steps are needed, but doing both worked for me.

Cheers,

6
votes

I had this issue and I had to add this to my location block:

proxy_ssl_name your.proxiedserver.name;
proxy_ssl_server_name on;

2
votes

Change your upstream to use the IP

upstream webshop_domain_be {
        server <IP>:443;
}

And then change your proxy_pass block to

location / {
   proxy_ssl_session_reuse off;
   # proxy_ssl_name carries the hostname; proxy_ssl_server_name only takes on|off
   proxy_ssl_name "webshop.domain.be";
   proxy_pass $scheme://webshop_domain_be;
}

If the above doesn't work, then add proxy_ssl_server_name on; to the config as well.
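Pulling the question's server block and the proxy_ssl_name / proxy_ssl_server_name directives from the answers together into one complete config, as an added example that is not from any poster on this page. The upstream IP and certificate paths are the ones in the question; the trusted CA bundle path is an assumption (Ubuntu's system bundle), and the SSLv3/RC4 settings from the question are dropped.

```nginx
# Upstream pinned to the IIS host's IP, so the proxy's own /etc/hosts override
# of webshop.domain.be cannot send the request back to nginx itself.
upstream webshop_domain_be {
    server 10.1.10.61:443;
}

server {
    listen 443 ssl;
    server_name webshop.domain.be;

    ssl_certificate     /var/www/certs/webshop.domain.be/webshop.domain.be-chain.pem;
    ssl_certificate_key /var/www/certs/webshop.domain.be/webshop.domain.be-key.pem;
    # SSLv3 and RC4 from the question's config are both broken; drop them.
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # Send SNI on the upstream handshake. Without it, an IIS binding that
        # requires SNI has no certificate to offer and resets the connection,
        # which nginx logs as "peer closed connection in SSL handshake".
        proxy_ssl_server_name on;
        proxy_ssl_name        webshop.domain.be;

        # Verify the upstream's certificate against its expected name instead
        # of trusting whatever answers on 10.1.10.61:443. The bundle path is
        # an assumption; it must contain the Let's Encrypt chain.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols           TLSv1.2;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Fixed scheme rather than $scheme: the upstream is always TLS.
        proxy_pass https://webshop_domain_be;
    }
}
```

Run nginx -t after the change; a wrong proxy_ssl_trusted_certificate path or a chain that does not validate shows up there or as an "upstream SSL certificate verify error" in the error log rather than as a 502.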

0
votes

To improve the other answer, I would say that the upstream is really important.

For a simple redirect from one domain to another, just use this:

http {
    ....
    upstream someserver {
        server your.domain.name.com:443;
    }

    # location is only valid inside a server block
    server {
        ....
        location / {
            proxy_pass https://someserver;
        }
    }
}
0
votes

I use this in nginx:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_buffer_size 4k;

with

$ grep worker_processes /etc/nginx/nginx.conf
worker_processes auto;   # auto, not the default value "1"
0
votes

Here is what worked for me. I had a server section with server_name set up with a wildcard, and had to do the following in the location section:

proxy_ssl_name $host;
proxy_ssl_server_name on;
proxy_pass https://istio-ingress-gateway;