Nginx trying to connect to upstream with IP and port 443
I'm trying to redirect my domain to another domain but keeping my domain in the URL.
These are my settings:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.com;
        root /home/redacted/redacted/wwwdir;

        # SSL
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

        # reverse proxy
        location / {
            proxy_pass https://example2.com/ID/;
        }

        # Block google
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 "User-agent: *\nDisallow: /\n";
        }
    }

    # HTTP redirect
    server {
        listen 80;
        listen [::]:80;
        server_name .example.com;

        location / {
            return 301 https://example.com$request_uri;
        }
    }

But I'm seeing errors like this in my logs:
2019/05/31 18:35:48 [crit] 14831#14831: *2415 SSL_do_handshake() failed (SSL: error:14090072:SSL routines:SSL3_GET_SERVER_CERTIFICATE:bad message type) while SSL handshaking to upstream, client: IP, server: example.com, request: "GET /templates/js/jquery.nestable.js HTTP/1.1", upstream: "https://IP:443/ID/templates/js/jquery.nestable.js", host: "example.com", referrer: "https://example.com/admin/index.php"
I think the issue here is upstream: "https://IP:443/ID/templates/js/jquery.nestable.js"
Why is it using IP:443 here?
asked Jun 1 at 1:26
Freedo
Because port 443 is the default port for https. That doesn't matter though. It is not causing you any problem.
– Michael Hampton♦
Jun 1 at 1:29
What do you mean it is not causing any problem? I assume that whatever was trying to fetch that .js script will fail.
– Freedo
Jun 1 at 1:30
@MichaelHampton What do you mean it is not causing any problem? I assume that whatever was trying to fetch that .js script will fail. From what I know it is not possible to have a valid certificate for an IP, so how do you think ip:443 would pass a handshake?
– Freedo
Jun 1 at 1:39
It's not trying to make an HTTPS connection by IP address, so that's irrelevant. You specified a hostname. Unless of course the configuration you posted is not what you are actually using.
– Michael Hampton♦
Jun 1 at 2:43
@MichaelHampton so why is it giving that error?
– Freedo
Jun 1 at 3:21
1 Answer
When connecting to a backend/upstream using https, Nginx defaults to using client certificate authentication: it expects you to give it a certificate that has been signed by your upstream certificate (see https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/).
As far as I understand this is not what you want; you only want to secure the communication between Nginx and the upstream, not authenticate/authorize it.
I had the same issue a while ago; if I remember correctly, adding proxy_ssl_verify off; next to the proxy_pass ... directive fixed it.
answered Jun 1 at 2:18
mbarthelemy
I really just want to proxy domain1 to domain2
– Freedo
Jun 1 at 2:35
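The proxy location from the question with nginx's upstream TLS directives written out, as an added example that is not part of the original posts. The directives are standard ngx_http_proxy_module ones; the CA bundle path is an assumption (Debian/Ubuntu layout), and the hostnames are the placeholders used in the question.

```nginx
# Added example: replaces the "location /" block inside the 443 server.
location / {
    proxy_pass https://example2.com/ID/;

    # nginx resolves example2.com when the configuration is loaded and logs
    # the resolved address, which is why the error log shows
    # upstream: "https://IP:443/...". The name used on the TLS layer is
    # controlled separately by the directives below.

    # Send the upstream hostname in the TLS ClientHello (SNI).
    # Default is off, in which case no server name is sent, and a host
    # serving several sites on one IP cannot select the right certificate.
    proxy_ssl_server_name on;

    # Name sent via SNI and checked against the upstream certificate.
    # Defaults to the host part of proxy_pass ($proxy_host); set explicitly
    # here for clarity.
    proxy_ssl_name example2.com;

    # Host header sent to the upstream; $proxy_host is also the default.
    proxy_set_header Host $proxy_host;

    # Upstream certificate verification.
    # proxy_ssl_verify off;   # setting from the answer; also nginx's default:
    #                         # traffic is encrypted, but the upstream
    #                         # certificate is not checked.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;  # leaf -> intermediate -> root
    # Assumption: system CA bundle on Debian/Ubuntu; adjust for your distro.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
}
```

Run nginx -t after editing, then reload; with verification on, a certificate that does not match proxy_ssl_name is reported in the error log as an upstream SSL certificate verify error.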