 

Nginx reverse proxy error:14077438:SSL SSL_do_handshake() failed

So I am using the following settings to create a reverse proxy for the site, as below.

  server {
      listen 80;
      server_name mysite.com;
      access_log  /var/log/nginx/access.log;
      error_log   /var/log/nginx/error.log;
      root /home/ubuntu/p3;

      location / {
          proxy_pass        https://mysiter.com/;
          proxy_redirect    https://mysiter.com/ $host;
          proxy_set_header  Accept-Encoding "";
      }
  }

But I am getting a 502 Bad Gateway error, and below is the log.

2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"
2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"

Any help will be greatly appreciated.

Asked by Muaaz Rafi, Aug 13 '16 09:08


2 Answers

Seeing the exact same error on Nginx 1.9.0 and it looks like it was caused by the HTTPS endpoint using SNI.

Adding this to the proxy location fixed it:

proxy_ssl_server_name on;

  • https://en.wikipedia.org/wiki/Server_Name_Indication
  • http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name
Answered by Gunchars, Oct 10 '22 23:10
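The asker's server block with this answer's fix applied, as an added example that is not part of either answer or of the nginx documentation. Besides `proxy_ssl_server_name on`, it pins the name sent via SNI and turns on verification of the upstream certificate, since without that nginx accepts whatever certificate is presented on the way to the upstream. The CA bundle path and the protocol list are assumptions (the protocol list needs a build new enough to support TLSv1.3).

```nginx
# Added example (not from the question or either answer): the asker's server
# block with proxy_ssl_server_name enabled and upstream certificate checks.
# The CA bundle path and protocol list are assumptions.
server {
    listen 80;
    server_name mysite.com;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    location / {
        proxy_pass        https://mysiter.com/;
        proxy_redirect    https://mysiter.com/ $host;
        proxy_set_header  Accept-Encoding "";

        # Send the upstream's hostname in the TLS ClientHello (SNI) so a
        # name-based virtual host can select the matching certificate. When
        # no name is sent, a server with no suitable default certificate
        # answers with a TLS alert, which OpenSSL reports as
        # "tlsv1 alert internal error" and nginx turns into a 502.
        proxy_ssl_server_name on;

        # Name to send in SNI and to check the certificate against. It defaults
        # to the host part of proxy_pass; set explicitly so it stays correct if
        # proxy_pass is later pointed at an IP address or an upstream{} group.
        proxy_ssl_name mysiter.com;

        # Verify the upstream certificate chain against the system CA bundle
        # (Debian/Ubuntu path assumed) and require it to match proxy_ssl_name.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Do not fall back to legacy protocol versions for the upstream hop.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

After reloading, a handshake that still fails because of a name mismatch or an untrusted chain is logged by nginx as an upstream SSL certificate verify error rather than the alert seen in the question, which makes the two causes easy to tell apart in error.log.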


There are a couple of oddities with your configuration. Firstly, what are you proxying to? Do you have another server block with server name mysiter.com listening on port 443 which serves the app? If yes, then what you want here is a 301 redirect to your 443 block. If not, then the proxy will land up in the same location block, forming a loop (because you haven't specified a different port).

The error that you posted is because your upstream doesn't have a certificate to offload the SSL. To solve this, you need to change your proxy_pass directive to plain HTTP.

proxy_pass  http://mysiter.com/;

Or you'll need to provide a certificate for the backend server to use.

Check out the docs for more info. This blog might also be of use.

Answered by Keenan Lawrence, Oct 10 '22 21:10