35

So I am using the following settings to create a reverse proxy for a site, as below.

    server {
        listen 80;
        server_name mysite.com;
        access_log  /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log;
        root /home/ubuntu/p3;
        location / {
            proxy_pass  https://mysiter.com/;
            proxy_redirect  https://mysiter.com/ $host;
            proxy_set_header Accept-Encoding "";
        }
    }

But I am getting a 502 Bad Gateway error, and below is the log.

2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"
2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"

Any help will be greatly appreciated.

Muaaz Rafi

2 Answers

73

Seeing the exact same error on Nginx 1.9.0 and it looks like it was caused by the HTTPS endpoint using SNI.

Adding this to the proxy location fixed it:

    proxy_ssl_server_name on;

Gunchars

7

There are a couple of oddities with your configuration. Firstly, what are you proxying to? Do you have another server block with server name mysiter.com listening on port 443 which serves the app? If yes, then what you want here is a 301 redirect to your 443 block. If not, then the proxy will land up in the same location block, forming a loop (because you haven't specified a different port).

The error that you posted is because your upstream doesn't have a certificate to offload the SSL. To solve this, you need to change your proxy_pass directive to plain HTTP.

    proxy_pass  http://mysiter.com/;

Or you'll need to provide a certificate for the backend server to use.

Check out the docs for more info. This blog might also be of use.

Keenan Lawrence

Thank you for your answer - using just `http` instead of a second `https` in the proxy_pass parameter does it for me. I already had the `proxy_ssl_server_name on` – lorem monkey Jan 17 '23 at 17:02
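The SNI fix from the first answer, applied to the question's proxy block with upstream certificate verification added. This is an added example, not code from either answer; the host names are the question's, directives unrelated to the handshake are left out, and the CA bundle path is an assumption (the Debian/Ubuntu default).

```nginx
server {
    listen 80;
    server_name mysite.com;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    location / {
        proxy_pass https://mysiter.com/;

        # Send the upstream host name in the TLS ClientHello (SNI).
        # This is off by default, so an upstream that picks its certificate
        # by name has nothing to match on and may abort the handshake.
        proxy_ssl_server_name on;

        # Name sent as SNI and checked against the upstream certificate.
        # Defaults to the host part of proxy_pass; written out here for clarity.
        proxy_ssl_name mysiter.com;

        # nginx does not verify the upstream certificate unless told to.
        # Without these two lines the proxy accepts any certificate.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path
    }
}
```

To confirm that the upstream depends on SNI, compare `openssl s_client -connect mysiter.com:443 -servername mysiter.com` with the same command using `-noservername` (OpenSSL 1.1.1 or later).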