Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Nginx reverse proxy error:14077438:SSL SSL_do_handshake() failed

Tags:

nginx

reverse-proxy

proxy

ssl

So i am using following settings to create one reverse proxy for site as below. 

  server {
     listen 80;
     server_name mysite.com;
     access_log  /var/log/nginx/access.log;
     error_log  /var/log/nginx/error.log;
     root /home/ubuntu/p3;
   location / {
     proxy_pass  https://mysiter.com/;
     proxy_redirect  https://mysiter.com/ $host;
     proxy_set_header Accept-Encoding "";
    }
  }

But getting BAD GATE WAY 502 error and below is the log.

2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"
2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"

Any help will be greatly appreciated.

like image 405
Muaaz Rafi Avatar asked Aug 13 '16 09:08

Muaaz Rafi

2 Answers

Seeing the exact same error on Nginx 1.9.0 and it looks like it was caused by the HTTPS endpoint using SNI.

Adding this to the proxy location fixed it:

proxy_ssl_server_name on;

  • https://en.wikipedia.org/wiki/Server_Name_Indication
  • http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name
like image 191
Gunchars Avatar answered Oct 10 '22 23:10

Gunchars

There are a couple of oddities with your configuration. Firstly what are you proxying to? Do you have another server block with server name mysiter.com listening on port 443 which serves the app? If yes, then what you want here is a 301 redirect to your 443 block. If not, then the proxy will land up in the same location block, forming a loop (because you haven't specified a different port).

The error that you posted is because your upstream doesn't have a certificate to offload the SSL. To solve this, you need to change your proxy_pass directive to plain HTTP.

proxy_pass  http://mysiter.com/;

Or you'll need to provide a certificate for the backend server to use.

Check out the docs for more info. This blog might also be of use.

like image 32
Keenan Lawrence Avatar answered Oct 10 '22 21:10

Keenan Lawrence
Sign in to Comment

Related questions

Chrome says SSL invalid, but certificate is valid
AWS Java SDK SSL Certificates
Verify hostname of the server who invoked the API
Pip SSLError WRONG_VERSION_NUMBER under proxy
Github - TLS certificate verification has been disabled! on Windows
Cannot reach SSL IP when in docker container over bridge. Getting SSL_ERROR_SYSCALL
MySQL Workbench SSL connection error: SSL is required but the server doesn't support it
Problem with NSStream SSL Connection
iPhone - SSL connection
SSL HandShake on Java Client
PyQt + QtWebkit behind a proxy
AS3: Sockets & HTTPS/SSL
OpenSSL Verify Peer (Client) Certificate in C++
Trouble using a SSL certificate: 'self signed certificate in certificate chain'
Security exception while using wsimport
KeyTool error : java.lang.Exception : Alias does not exist
nginx proxy based on host when using https
How to add multiple truststore paths to “java.net.ssl.trustStore”?
Can't find the openssl.cnf file on my mac
Whats an easy way to totally ignore ssl with java url connections?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!