I currently use nginx as an HTTP->HTTPS proxy. I am trying to modify my nginx config to use an upstream block for the purpose of enabling keepalive connections. However, for some reason using the upstream instead of directly writing the address into proxy_pass causes SSL failures. Specifically, the error I am seeing is:
upstream timed out (60: Operation timed out) while SSL handshaking upstream, client: 127.0.0.1, server: localhost, request "GET <path> HTTP/1.1", upstream: "https://<url>", host: "localhost:<port>"
I previously saw a different error where the server was closing the connection, which adding proxy_ssl_server_name on; fixed (was mistakenly left out of the new location block).
Why would using upstream cause SSL timeout failures, when an otherwise identical location block which uses proxy_pass https://<url> instead of proxy_pass https://<upstream-block-name> works?
For reference, a stripped down version of my config:
    http {
        upstream testupstream {
            server <server_name>;
            keepalive 64;
        }
        server {
            listen 127.0.0.1:<port>;
            server_name localhost;
            # New location: proxies through the upstream group (for keepalive)
            location ~ ^\/upstream\/test\/(?<param>.+) {
                resolver <resolver ip>;
                resolver_timeout 2s;
                proxy_pass https://testupstream/$param;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_redirect off;
                proxy_pass_request_headers on;
                proxy_ssl_server_name on;
            }
            # Original working location: proxies to a hostname held in a variable
            location ~ ^\/original\/working\/location\/(?<param>.+) {
                resolver <resolver ip>;
                resolver_timeout 2s;
                set $domain <server_name>;
                proxy_pass https://$domain/$param;
                proxy_redirect off;
                proxy_pass_request_headers on;
                proxy_set_header Connection "";
                proxy_ssl_server_name on;
                proxy_http_version 1.1;
            }
        }
    }
Requests that get mapped to the second location (/original/working/location/some_param) succeed calling the upstream server with HTTPS, while requests to the first location (/upstream/test/some_param) fail with these SSL handshake issues. What is the difference between these two blocks?
Weirdly, when I first started testing, a few requests succeeded. I tried using a stub_status location to check some things, after which I started seeing hanging requests due to this issue. Removing the stub_status configs and restarting nginx did not resolve the issue.
I have checked logs and determined that DNS resolution is working properly, and was able to call the upstream server directly with curl.