
I have been struggling with this problem for 2-3 days now. My problem is: I get "SSL_do_handshake() failed" when doing proxy_pass from one reverse proxy to another.

I have a setup that looks like this:

gcp VM 1 containers:
- nginx reverse proxy 1
- acme companion for ssl
- frontend website (local nginx)

gcp VM 2 containers:
- nginx reverse proxy 2
- acme companion for ssl
- backend nodejs

DNS is handled by Cloudflare:
- frontend.website.com : "gcp VM 1" IP address
- backend.nodejs.com : "gcp VM 2" IP address

To avoid CORS errors, "frontend.website.com" makes requests to "frontend.website.com/api". "nginx reverse proxy 1" has this configuration to redirect to the backend:

location /api {
  proxy_pass https://backend.nodejs.com/api;
}

The error I get in the "nginx reverse proxy 1" logs:

nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [warn] 283#283: *11287 upstream server temporarily disabled while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 no live upstreams while connecting to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://backend.nodejs.com/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"

Note: the IP in the error log, 172.67.155.25:443, is not the gcp VM 1 or VM 2 IP; I assume it's a Cloudflare IP?

Things that I have already tried:

  • Check the SSL certs; they are okay on both sides.
  • proxy_pass to http instead of https; it raises other problems.
  • I already tried proxy_ssl_server_name on; (taken from here). Cloudflare returned a 403 Forbidden with:

    DNS points to prohibited IP
    What happened?

    You've requested a page on a website (frontend.website.com) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare's system.

    What can I do?

    If you are the owner of this website:
    you should login to Cloudflare and change the DNS A records for frontend.website.com to resolve to a different IP address.

The thing is, the DNS A record for frontend.website.com is good (other apps are using it without problems).

I feel like there should be an SSL handshake to "backend.nodejs.com/api", but according to the error log it tries to do it to the Cloudflare IP address instead (here 172.67.155.25:443, but different each time).

Am I missing something here? What can the problem be?

If you need any additional info, do not hesitate to ask for it.

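Added here as an illustration, not part of the question above: a small Python triage script for the error lines quoted in it. It parses nginx's error-log context fields, reports which address nginx actually handshook with (a resolved IP inside a Cloudflare range versus the still-unresolved backend.nodejs.com name) and pulls out the TLS alert number the peer sent. The 172.64.0.0/13 range and the docker-compose prefix handling are assumptions, marked in the code.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed sample input: the three lines from the question, kept with the
# docker-compose "nginx.1 |" prefix exactly as they appear in the container logs.
SAMPLE_LOG = """\
nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [warn] 283#283: *11287 upstream server temporarily disabled while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 no live upstreams while connecting to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://backend.nodejs.com/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
"""
# Assumption: 172.64.0.0/13 is one of Cloudflare's published IPv4 ranges; in real use
# load the full, current list from https://www.cloudflare.com/ips/ instead.
CLOUDFLARE_V4 = [ipaddress.ip_network("172.64.0.0/13")]
HEAD_RE = re.compile(r"^(?:\S+\s+\|\s+)?(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<rest>.*)$")
CTX_RE = re.compile(r', (\w+): (?:"([^"]*)"|([^,]*))')  # nginx's trailing "key: value" context

def parse_line(line):
    # Split one nginx error-log line into timestamp, level, free-text message and context fields.
    m = HEAD_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    first = CTX_RE.search(rest)              # context starts at the first ", key: value"
    msg = rest[:first.start()] if first else rest
    ctx = {k: q or u for k, q, u in CTX_RE.findall(rest[first.start():])} if first else {}
    return {"ts": m.group("ts"), "level": m.group("level"), "msg": msg, "ctx": ctx}

def classify_upstream(upstream_url):
    # (host, kind): a resolved IP on a Cloudflare edge, some other IP, or a still-unresolved DNS name.
    host = urlsplit(upstream_url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "dns-name"              # not resolved yet, e.g. the "no live upstreams" line
    return host, "cloudflare-edge" if any(ip in net for net in CLOUDFLARE_V4) else "direct"

def analyse(log_text):
    # One finding per line that names an upstream: who it really was and whether TLS failed before HTTP.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "upstream" not in rec["ctx"]:
            continue
        alert = re.search(r"SSL alert number (\d+)", rec["msg"])   # TLS alert sent by the peer
        host, kind = classify_upstream(rec["ctx"]["upstream"])
        findings.append({
            "level": rec["level"], "upstream_host": host, "upstream_kind": kind,
            # alert 40 (handshake_failure) arrives before any HTTP exchange, so valid origin
            # certs do not rule it out: the peer at upstream_host refused nginx's ClientHello.
            "tls_alert": int(alert.group(1)) if alert else None,
            "handshake_failure": "SSL handshaking to upstream" in rec["msg"],
        })
    return findings
```

Running `analyse(SAMPLE_LOG)` on the three lines shows the first two failures went to an address in the Cloudflare range, not to either VM, and only the last line still carries the unresolved backend.nodejs.com name.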