
I have an LXC setup here. In one container nginx is running with a simple HTML website. In the second container an nginx reverse proxy is running. When I try to open the URL https://malte-kiefer.de in the browser, I get this error:

SSL_ERROR_RX_RECORD_TOO_LONG

I checked my nginx config on the reverse proxy, and SSL is in the config:

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name malte-kiefer.de;

    ssl_certificate /etc/nginx/ssl/malte-kiefer.de/fullchain.cer; 
    ssl_certificate_key /etc/nginx/ssl/malte-kiefer.de/privkey.key; 

    location / {
        proxy_pass http://10.242.93.122:80;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
    }
}

When I do a curl on the proxy to the nginx container with my HTML site, I get this, a correct answer, HTTP 200:

root@proxy:~# curl -I  http://10.242.93.122:80
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 14 Jan 2020 04:44:33 GMT
Content-Type: text/html
Content-Length: 2153
Last-Modified: Sat, 07 Dec 2019 04:41:15 GMT
Connection: keep-alive
ETag: "5deb2d6b-869"
Accept-Ranges: bytes

But on my local host I get this:

% curl -I https://malte-kiefer.de
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
[35] % curl -I https://malte-kiefer.de -v
*   Trying 5.252.225.74:443...
* TCP_NODELAY set
*   Trying 2a03:4000:40:e0:c47f:24ff:fe7e:b8ad:443...
* TCP_NODELAY set
* Immediate connect fail for 2a03:4000:40:e0:c47f:24ff:fe7e:b8ad: Das Netzwerk ist nicht erreichbar
* Connected to malte-kiefer.de (5.252.225.74) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

In my nginx error log I found this:

2020/01/14 05:12:14 [info] 161#161: *1 client sent invalid request while reading client request line, client: 127.0.0.1, server: malte-kiefer.de, request: "PROXY TCP4 89.204.135.150 5.252.225.74 10569 443"

beli3ver
  • The server already croaks with a `400 Bad Request` when doing a simple TCP connect to it, i.e. no HTTP request or TLS handshake was even started. This explains the error reported by curl since it gets a plain response instead of a TLS response to a TLS ClientHello. I doubt that the cause of the problem can be seen in the parts of the configuration you currently show. Please show more of the configuration and also look for more messages in your error log, especially which might happen on startup or reconfiguration of the server. – Steffen Ullrich Jan 14 '20 at 06:18
  • which config did you need? – beli3ver Jan 14 '20 at 06:29
  • Since it is unclear where the problem is in your config one would need the full configuration of nginx. Ideally it would be stripped down to a minimal version which still produces this problem. But look first if you find more errors in the nginx error log. – Steffen Ullrich Jan 14 '20 at 06:35
  • ok. I make a complete new setup, new server install same error. here my nginx logs from the proxy: https://haste.tchncs.de/uvelacaqiy.sm here the nginx.conf from the proxy: https://haste.tchncs.de/ezodifadoq.nginx here the client log is empty. my lxc overview https://haste.tchncs.de/vaxomomate.sm and here the lxc port config https://haste.tchncs.de/jutasimeza.sm – beli3ver Jan 14 '20 at 06:48
  • I missed something here the full nginx config from proxy: https://haste.tchncs.de/afetixusor.nginx and here from the website client: https://haste.tchncs.de/guhetojolo.nginx – beli3ver Jan 14 '20 at 07:03
  • Your setup is not clear for me. It looks like you are not running on nginx but that you are running multiple containers which somehow interact. What you see in the nginx log is a request like `PROXY ...` which is not a valid HTTP request and which I guess is somehow created by the proxy container you have in front of nginx (running haproxy?). So the problem is likely not the nginx but your proxy container or how they interact. If you want nginx to actually use this proxy protocol see https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ – Steffen Ullrich Jan 14 '20 at 07:05
  • you made my day !!! thank you so much. – beli3ver Jan 14 '20 at 07:11
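
The comments trace the failure to a `PROXY ...` line arriving ahead of the TLS handshake. As an added example (not from the original post or its commenters), this is one way to make the nginx TLS listener accept that header, following the linked nginx guide. It assumes the component in front of nginx sends a PROXY protocol header on every connection to port 443 and connects from 127.0.0.1, as the error log line suggests; the port 80 listeners are left out.

```nginx
server {
    # "proxy_protocol" makes nginx read the "PROXY TCP4 <src> <dst> <sport> <dport>"
    # line before it starts the TLS handshake. Once set, every connection to
    # this socket must begin with that header; one without it fails.
    listen 443 ssl http2 proxy_protocol;
    listen [::]:443 ssl http2 proxy_protocol;

    server_name malte-kiefer.de;

    ssl_certificate /etc/nginx/ssl/malte-kiefer.de/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/malte-kiefer.de/privkey.key;

    # Accept the client address from the PROXY header only when the TCP peer
    # is the trusted front end. 127.0.0.1 is an assumption taken from the
    # "client: 127.0.0.1" field in the error log; list only addresses you
    # control, since any peer listed here can claim an arbitrary source IP.
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    location / {
        proxy_pass http://10.242.93.122:80;
        proxy_buffering off;
        proxy_set_header Host $host;
        # With the realip settings above, $remote_addr is the address carried
        # in the PROXY header rather than that of the front end.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```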
