ERR_SSL_PROTOCOL_ERROR with Nginx reverse proxy


#1

Hi everyone, I'm pretty new to this community and I have trouble setting up Let's Encrypt.

The installation I have can be summarized as an entry server with nginx acting as a reverse proxy, forwarding requests to the right web server. All the servers are on a LAN (192.168.12.0/24), and a router forwards all :80 and :443 requests to the proxy:

server {
    listen 80;
    server_name fr.dorianjolivald.com;
    location / {
        proxy_pass http://192.168.12.8:80/;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $remote_addr;
        port_in_redirect off;
        proxy_redirect   off;
    }
}
server {
    listen 443;
    server_name fr.dorianjolivald.com;
    location / {
        proxy_pass https://192.168.12.8:443/;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $remote_addr;
        port_in_redirect off;
        proxy_redirect   off;
    }
}

Then, on the web server 192.168.12.8, I have Let's Encrypt:

server {
    listen 80;
    server_name fr.dorianjolivald.com;
    root /var/www/dorianjolivald.com/fr;
    index index.html;
    error_page 405 =200 $uri;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 443 ssl;
    server_name fr.dorianjolivald.com;
    root /var/www/dorianjolivald.com/fr;
    index index.html;
    error_page 405 =200 $uri;

    ssl_certificate /etc/letsencrypt/live/fr.dorianjolivald.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fr.dorianjolivald.com/privkey.pem;

    location ~ \.php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

For now I still have the HTTP configuration; I intend to redirect to HTTPS as soon as it works.
The thing is, with this configuration I get an ERR_SSL_PROTOCOL_ERROR, and I can't figure a way out of this, if you can help me! :smiley:
Thank you!

PS: The website is online, you can check for yourself.


#2

Move actual SSL configuration to your reverse proxy and proxy pass to http for both blocks.


#3

So a proxy_pass to HTTP on port 80? So that on the “real” web server you don’t use port 443 and SSL?
Edit: Still the same error :confused:


#4

You’ll need to add the Let’s Encrypt certificates to your nginx HTTPS server block.

Now you say to nginx: “Listen on port 443 but treat everything that comes through as plain text! No TLS here!” Proof: surf to http://fr.dorianjolivald.com:443/ (i.e., HTTP [without the S!] on port 443). It shows you the webpage, but no TLS is used… And it works!

nginx will act like an end-point for clients/browsers connecting to it. It isn’t a transparent “pass-through” thing, it involves two TCP connections. One: between the user somewhere on the internet and your nginx (as a server). Two: between your nginx proxy (as a client) and the back-end server.
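A small diagnostic for exactly the situation described above, added here and not part of this thread: it sends a real TLS ClientHello over a raw TCP socket and reports whether the server answered with a TLS record or with plain-text HTTP (what a browser shows as ERR_SSL_PROTOCOL_ERROR). It assumes the hostname to check is given on the command line.

```python
import socket
import ssl
import sys

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends back after a TLS ClientHello."""
    if len(data) >= 2 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls"               # ServerHello record: TLS is really on
    if len(data) >= 2 and data[0] == TLS_ALERT and data[1] == 0x03:
        return "tls-alert"         # TLS is on, but the handshake was rejected
    if data.startswith(b"HTTP/"):
        return "plaintext-http"    # "listen 443;" without ssl: nginx answers 400 in clear
    if not data:
        return "closed"            # server closed the connection without a reply
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Have the ssl module write a real ClientHello into a memory BIO."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                       # expected: it now waits for the ServerHello
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello over a raw TCP socket and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_first_bytes(reply)


if __name__ == "__main__":
    # usage: python probe_tls.py <your-hostname> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{port} -> {probe(target, port)}")
```

A result of "plaintext-http" on port 443 is the "listen 443 without ssl" configuration from post #1; "tls" means the proxy is terminating TLS and the remaining problems are behind it.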


#5

Okay, I see your point here. But I don’t know why HTTP is allowed on port 443…
I changed my proxy configuration as @leader indicated:

server {
    listen 443 ssl;
    server_name fr.dorianjolivald.com;

    ssl_certificate /etc/letsencrypt/live/fr.dorianjolivald.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fr.dorianjolivald.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://192.168.12.8:80/;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-for $remote_addr;
        port_in_redirect off;
        proxy_redirect   off;
    }
}

So encryption between the client and the proxy, no encryption between the proxy and the server.
I tried proxy_pass https://192.168.12.8:443/; and proxy_pass http://192.168.12.8:443/; as well, but it gives exactly the same thing (I can access http/443 but not https/443).

While reading the access logs of nginx, I noticed the backend server is receiving only the non-encrypted (http/443 or 80) requests; I can see logs for the encrypted ones (https/443) only on the proxy server.

Two things: I don’t know why HTTP on port 443 works, nor why the request is not sent to the backend server when it is encrypted…

PS: The certificates present on the proxy server are copied from the web server; as the webroot is on the web server I think I can't generate the certificates directly on the proxy server.


#6

Start with basic diagnostics. On your proxy ensure that you have copied certificates in the right place and restarted nginx, also check the logs to see if there is an indication of any issues with SSL. Something like below on your proxy might just work (you can add protocols, ciphers and other custom directives later):

upstream backend {
    server 192.168.12.8;
}

server {
    listen 443 ssl;
    server_name fr.dorianjolivald.com;
    ssl_certificate /etc/letsencrypt/live/fr.dorianjolivald.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fr.dorianjolivald.com/privkey.pem;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

NB: You can use the same server block for both 80 and 443 by specifying two “listen” directives, to make configuration less cluttered.

Also if you are modifying X-Forwarded-For, you should preserve its original values too, which is achieved by using “$proxy_add_x_forwarded_for”. Finally, I’m not entirely sure why in your configuration you need that proxy, considering that everything gets forwarded to yet another single nginx - you might want to eliminate that from the equation or, if the proxy is really required, replace that with HAProxy (which can also be used for SSL termination).

P.S. On a side note - are you absolutely sure you are using a recent enough version of Nginx as your proxy? Originally HTTPS configuration required “ssl on” directive and it was later that it’s been recommended to use “listen 443 ssl” instead.
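To make the X-Forwarded-For remark above concrete, here is an added example (not code from this thread): it models what nginx's $proxy_add_x_forwarded_for produces, and shows how the backend should read the result so that a value the client put in the header itself is not mistaken for the client address. It assumes, as in this thread, that the only trusted proxy sits on the 192.168.12.0/24 LAN.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumption: the only proxy allowed to append to X-Forwarded-For lives on the
# thread's LAN; any other peer talking to the backend is treated as a client.
TRUSTED_PROXIES = [ip_network("192.168.12.0/24")]


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Reproduce nginx's $proxy_add_x_forwarded_for: append, never overwrite."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def leftmost_client_ip(xff: str) -> str:
    """The naive reading of the header: the first entry. Anyone can set that."""
    return xff.split(",")[0].strip()


def _is_trusted(addr: str) -> bool:
    return any(ip_address(addr) in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff: Optional[str], peer_addr: str) -> str:
    """Walk the header from the right, skipping only hops we know are our proxies.

    The TCP peer is checked first: a request that reached the backend without
    going through the proxy cannot spoof anything via the header.
    """
    if not xff or not _is_trusted(peer_addr):
        return peer_addr
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip_address(hop)
        except ValueError as exc:
            raise ValueError(f"malformed X-Forwarded-For hop: {hop!r}") from exc
        if not _is_trusted(hop):
            return hop           # first address not added by one of our proxies
    return peer_addr             # every hop was one of our proxies; use the peer
```

With proxy_set_header X-Forwarded-For $remote_addr (the original configuration) the header holds only the proxy's view of the client, so nothing the client sent survives; with $proxy_add_x_forwarded_for the client's own entries are kept, and only the rightmost hop added by your proxy is trustworthy.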


#7

This website is just a basic block of the server architecture, I need a reverse proxy. I knew Nginx could handle it, this is why I use it; I didn’t know about HAProxy, I’ll look into it, thank you.

I was searching for the wrong problem, my router was misconfigured, https works!
Thank you!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.