Unable to proxy pass to https backend on nginx


zakirenish
I am unable to reverse proxy to my https backend. What am I doing wrong? I
am using the same set of cert for the backend and frontend as I am running
them both on the same machine. I got my certificates from zerossl. Here is
the error I get:

curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru

 <html>
 <head><title>502 Bad Gateway</title></head>
   <body>
   <center><h1>502 Bad Gateway</h1></center>
   <hr><center>nginx/1.16.1</center>
   </body>
 </html>
In my /var/log/nginx/error.log I get this:

2020/09/06 01:50:53 [error] 2603#0: *4 upstream SSL certificate verify
error: (2:unable to get > issuer certificate) while SSL handshaking to
upstream, client: 192.168.103.15, server: www.ravi.guru, request: "GET /
HTTP/1.1", upstream: "https://192.168.103.15:8080/", host: "www.ravi.guru"

When I connect to backend directly, all goes well:

curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru:8080

hi


My index.html is a file with an entry "hi"

===============
Here is my config file
===============


  server {
    listen 443 http2  ssl;
    server_name www.ravi.guru;
    ssl_certificate /etc/ssl/certs/certificate.crt;
    ssl_certificate_key /etc/ssl/private/private.key;
    ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             HIGH:!aNULL:!MD5;


    location / {
        proxy_pass                    https://www.ravi.guru:8080;
        proxy_ssl_certificate         /etc/ssl/certs/certificate.crt;
        proxy_ssl_certificate_key     /etc/ssl/private/private.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }
}
server {
listen 8080 http2 ssl;
#listen [::]:443 http2 ssl;

server_name www.ravi.guru;

ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers             HIGH:!aNULL:!MD5;
root /var/www/ravi.guru/html;

index index.html index.htm index.nginx-debian.html;
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289329,289329#msg-289329

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Unable to proxy pass to https backend on nginx

Thomas Ward
Bad Gateway indicates the backend you are sending to is not valid in some way - check the nginx error.log output to see what happened when trying to send it to your proxypass'd backend.



Re: Unable to proxy pass to https backend on nginx

Maxim Dounin
In reply to this post by zakirenish
Hello!

On Sun, Sep 06, 2020 at 10:15:28AM -0400, ravansh wrote:

> I am unable to reverse proxy to my https backend. What am I doing wrong? I
> am using the same set of cert for the backend and frontend as I am running
> them both on the same machine. I got my certificates from zerossl. Here is
> the error I get:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru
>
>  <html>
>  <head><title>502 Bad Gateway</title></head>
>    <body>
>    <center><h1>502 Bad Gateway</h1></center>
>    <hr><center>nginx/1.16.1</center>
>    </body>
>  </html>
> In my /var/log/nginx/error.log I get this:
>
> 2020/09/06 01:50:53 [error] 2603#0: *4 upstream SSL certificate verify
> error: (2:unable to get > issuer certificate) while SSL handshaking to
> upstream, client: 192.168.103.15, server: www.ravi.guru, request: "GET /
> HTTP/1.1", upstream: "https://192.168.103.15:8080/", host: "www.ravi.guru"
>
> When I connect to backend directly, all goes well:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru:8080

Are there any other virtual servers on the port 8080?  If yes, you
may want to switch on SNI in connections to upstream servers using
the proxy_ssl_server_name directive, see here for details:

http://nginx.org/r/proxy_ssl_server_name

--
Maxim Dounin
http://mdounin.ru/

Re: Unable to proxy pass to https backend on nginx

Francis Daly
In reply to this post by zakirenish
On Sun, Sep 06, 2020 at 10:15:28AM -0400, ravansh wrote:

Hi there,

> I am unable to reverse proxy to my https backend. What am I doing wrong? I
> am using the same set of cert for the backend and frontend as I am running
> them both on the same machine. I got my certificates from zerossl. Here is
> the error I get:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru

That response says that curl-client does accept the ssl-negotiation
with your port-443 nginx server when it knows to trust the ca_bundle.crt
contents.

> 2020/09/06 01:50:53 [error] 2603#0: *4 upstream SSL certificate verify
> error: (2:unable to get > issuer certificate) while SSL handshaking to
> upstream, client: 192.168.103.15, server: www.ravi.guru, request: "GET /
> HTTP/1.1", upstream: "https://192.168.103.15:8080/", host: "www.ravi.guru"

That log says that nginx-client does not accept the ssl-negotiation with
your port-8080 nginx server.

> When I connect to backend directly, all goes well:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru:8080

And that response says that curl-client does accept the ssl-negotiation
with your port-8080 nginx server when it knows to trust the ca_bundle.crt
contents.

> ===============
> Here is my config file
> ===============

As an aside: a lot of these directives are only needed if you are using
client certificates; you don't appear to be, so you can possibly remove
some of these directives for person-clarity.

>   server {
>     listen 443 http2  ssl;
>     server_name www.ravi.guru;

>     location / {
>         proxy_pass                    https://www.ravi.guru:8080;

>         proxy_ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
>         proxy_ssl_verify        on;
>         proxy_ssl_verify_depth  2;

I guess that one possibility is that the "certificate chain" to be
verified is longer than 2; after you've confirmed that the certificate
file (below) is correct, it might be worth increasing that depth to
whatever your system uses.

>     }
> }
> server {
> listen 8080 http2 ssl;
> #listen [::]:443 http2 ssl;
>
> server_name www.ravi.guru;
>
> ssl_certificate /etc/ssl/certs/certificate.crt;

Does "grep CERT /etc/ssl/certs/certificate.crt" show one BEGIN/END pair,
or more than one?

As in -- does that file hold just the this-server certificate, or does
it also hold the full chain back to the root?

(If it does not hold the full chain, I guess it is possible that
curl-client and nginx-client can have different behaviours.)

Good luck with it,

        f
--
Francis Daly        [hidden email]
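
Added example, not part of the thread or of anyone's reply: a constructed root / intermediate / leaf chain showing one condition under which OpenSSL reports the "(2: unable to get issuer certificate)" seen in the error log, namely a trust file that holds an intermediate but not that intermediate's issuer, and how a verifier that accepts partial chains reaches a different verdict on the same trust file. All subjects and file names are hypothetical; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI; every name below is hypothetical.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# Minimal config so CA certificates carry basicConstraints CA:TRUE.
cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_req <name> <CN>: fresh key plus certificate request
new_req() {
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
}
# sign <name> <issuer> [extra x509 flags]: issue <name>.crt from <issuer>
sign() {
    n=$1; ca=$2; shift 2
    openssl x509 -req -in "$dir/$n.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 2 "$@" -out "$dir/$n.crt" 2>/dev/null
}

openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
new_req int "Constructed Intermediate"
sign int root -extfile "$dir/ca.cnf" -extensions v3_ca
new_req leaf "backend.example.test"
sign leaf int

# Two candidate trust files: one stops at the intermediate, one reaches the root.
cat "$dir/int.crt" > "$dir/bundle_no_root.crt"
cat "$dir/int.crt" "$dir/root.crt" > "$dir/bundle_full.crt"

# verify_leaf <trust-file> [extra verify flags]: print openssl's verdict
verify_leaf() {
    trust=$1; shift
    openssl verify -CAfile "$dir/$trust" "$@" "$dir/leaf.crt" 2>&1 || true
}

echo "--- trust file lacks the root:";        verify_leaf bundle_no_root.crt
echo "--- same file, partial chain allowed:"; verify_leaf bundle_no_root.crt -partial_chain
echo "--- trust file reaches the root:";      verify_leaf bundle_full.crt
```

Against the real files, the equivalent check is openssl verify -CAfile /etc/ssl/certs/ca_bundle.crt /etc/ssl/certs/certificate.crt, which tests the first certificate in certificate.crt against the file nginx was told to trust.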