<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello,<br/>
I am working in a Proxmox environment, setting up an nginx reverse proxy (192.168.178.103) forwarding requests via https to an nginx backend server (192.168.178.105). On the backend server shellinabox is installed. Requests from the internet are secured via a Let's Encrypt certificate. For the encryption to the backend server I use a self-signed certificate.<br/>
<br/>
When I want to open next-shell.example.com I get a 502 Bad Gateway error.<br/>
On the reverse proxy there are the following configs:<br/>
<br/>
HttpGateway<br/>
<br/>
server {<br/>
listen 80 default_server;<br/>
listen [::]:80 default_server;<br/>
server_name nextcloud.example.com shellinabox.example.com netdata.example.com px.example.com proxy-shell.example.com next-shell.example.com 192.168.178.103;<br/>
<br/>
root /var/www;<br/>
<br/>
location ^~ /.well-known/acme-challenge {<br/>
default_type text/plain;<br/>
root /var/www/letsencrypt;<br/>
}<br/>
<br/>
location / {<br/>
return 301 https://$host$request_uri;<br/>
}<br/>
}<br/>
-------<br/>
next-shell.example.com<br/>
<br/>
server {<br/>
listen 443 ssl;<br/>
server_name next-shell.example.com;<br/>
<br/>
# SSL configuration<br/>
<br/>
# RSA certificates<br/>
ssl_certificate /etc/letsencrypt/next-shell.example.com/rsa/fullchain.pem;<br/>
ssl_certificate_key /etc/letsencrypt/next-shell.example.com/rsa/key.pem;<br/>
# ECC certificates<br/>
ssl_certificate /etc/letsencrypt/next-shell.example.com/ecc/fullchain.pem;<br/>
ssl_certificate_key /etc/letsencrypt/next-shell.example.com/ecc/key.pem;<br/>
<br/>
<br/>
#<br/>
# SSL Configuration<br/>
#<br/>
<br/>
# Not using TLSv1 will break:<br/>
# Android <= 4.4.40 IE <= 10 IE mobile <=10<br/>
# Removing TLSv1.1 breaks nothing else!<br/>
ssl_protocols TLSv1.2 TLSv1.3;<br/>
<br/>
# SSL ciphers: RSA + ECDSA<br/>
# Two certificate types (ECDSA, RSA) are needed.<br/>
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';<br/>
<br/>
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits<br/>
ssl_dhparam /etc/nginx/dhparams/dhparams.pem;<br/>
<br/>
# Use multiple curves.<br/>
ssl_ecdh_curve secp521r1:secp384r1;<br/>
<br/>
# Server should determine the ciphers, not the client<br/>
ssl_prefer_server_ciphers on;<br/>
<br/>
# SSL session handling<br/>
ssl_session_timeout 1d;<br/>
ssl_session_cache shared:SSL:50m;<br/>
ssl_session_tickets off;<br/>
<br/>
# DNS resolver<br/>
resolver 192.168.178.1;<br/>
<br/>
<br/>
<br/>
#<br/>
# Header configuration<br/>
#<br/>
<br/>
# HSTS (ngx_http_headers_module is required). In order to be recognized by the SSL test, there must be an index.html in the server's root<br/>
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;<br/>
add_header X-Content-Type-Options "nosniff" always;<br/>
add_header X-XSS-Protection "1; mode=block" always;<br/>
add_header X-Robots-Tag none always;<br/>
add_header X-Download-Options noopen always;<br/>
add_header X-Permitted-Cross-Domain-Policies none always;<br/>
add_header Referrer-Policy no-referrer always;<br/>
add_header X-Frame-Options "SAMEORIGIN" always;<br/>
<br/>
# Disable FLoC<br/>
add_header Permissions-Policy "interest-cohort=()";<br/>
<br/>
# Remove X-Powered-By, which is an information leak<br/>
fastcgi_hide_header X-Powered-By;<br/>
<br/>
<br/>
location / {<br/>
proxy_set_header Host $host;<br/>
proxy_set_header X-Real-IP $remote_addr;<br/>
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br/>
<br/>
proxy_ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;<br/>
proxy_ssl_certificate_key /etc/selfcerts/stern-example-key.pem;<br/>
proxy_ssl_verify off;<br/>
proxy_pass https://192.168.178.105:4200;<br/>
}<br/>
}<br/>
<br/>
On the backend server there is the following config:<br/>
<br/>
next-shell.example.com<br/>
<br/>
server {<br/>
listen 192.168.178.105:4200;<br/>
server_name next-shell.example.com;<br/>
<br/>
#<br/>
# Header configuration<br/>
#<br/>
<br/>
# HSTS (ngx_http_headers_module is required). In order to be recognized by the SSL test, there must be an index.html in the server's root<br/>
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;<br/>
add_header X-Content-Type-Options "nosniff" always;<br/>
add_header X-XSS-Protection "1; mode=block" always;<br/>
add_header X-Robots-Tag none always;<br/>
add_header X-Download-Options noopen always;<br/>
add_header X-Permitted-Cross-Domain-Policies none always;<br/>
add_header Referrer-Policy no-referrer always;<br/>
add_header X-Frame-Options "SAMEORIGIN" always;<br/>
<br/>
# Disable FLoC<br/>
add_header Permissions-Policy "interest-cohort=()";<br/>
<br/>
# Remove X-Powered-By, which is an information leak<br/>
fastcgi_hide_header X-Powered-By;<br/>
<br/>
ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;<br/>
ssl_certificate_key /etc/selfcerts/stern-example-key.pem;<br/>
<br/>
<br/>
location / {<br/>
rewrite ^/shellinabox/(.*) /$1 break;<br/>
proxy_pass http://127.0.0.1:4200;<br/>
proxy_set_header Host $host;<br/>
proxy_set_header X-Real-IP $remote_addr;<br/>
proxy_read_timeout 350;<br/>
proxy_connect_timeout 350;<br/>
<br/>
}<br/>
}<br/>
<br/>
When I try to open the page, there is this error in the nginx error log:<br/>
{{{<br/>
[error] 1103#1103: *1 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 95.116.52.151, server: next-shell.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.178.105:4200/favicon.ico", host: "next-shell.example.com"<br/>
}}}</div>

<div> </div>

<div>Any idea, what I can do here?</div>

<div> </div>

<div>Thanks in advance</div>

<div>Greetings</div>

<div>Hans</div></div></body></html>
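Added example (not part of Hans's post and not nginx's own tooling): the `wrong version number` error in the log is what OpenSSL reports when it sends a TLS ClientHello and the peer answers with bytes that are not a TLS record, typically the `HTTP/1.1 400 Bad Request` that a plain-HTTP listener returns when it cannot parse the handshake as a request line. The script below reproduces that condition locally and gives a yes/no probe for "does this port speak TLS at all". `start_plaintext_backend()` is a constructed stand-in for the backend's `listen 192.168.178.105:4200;` without an `ssl` parameter; `tls_probe()` does on the wire what `proxy_pass https://` does, reduced to a classification. The loopback host and ephemeral ports are placeholders; the one real target mentioned in the comments (192.168.178.105:4200) is the backend from the post.

```python
"""Probe whether a TCP port speaks TLS, and reproduce the
"wrong version number" failure locally.

Added example; the plaintext backend is a constructed stand-in for a
listener that has no 'ssl' parameter. Host/port values are placeholders.
"""
import socket
import ssl
import threading

# Constructed reply: what a plain-HTTP listener typically sends back when
# the bytes it receives (a TLS ClientHello) do not parse as a request line.
PLAINTEXT_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def tls_probe(host, port, timeout=3.0):
    """Connect to host:port and attempt a TLS handshake.

    Returns {'status': 'tls' | 'not_tls' | 'unreachable', 'detail': str}.
    Certificate verification is switched off on purpose: the question is
    whether the port speaks TLS at all, not whether its self-signed
    certificate is trusted. Trust is the separate job of
    proxy_ssl_trusted_certificate / proxy_ssl_verify on in nginx.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        # wrap_socket() runs the handshake immediately and closes the
        # socket itself if the handshake fails.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"status": "tls", "detail": tls.version() or "unknown"}
    except ssl.SSLError as exc:
        # exc.reason is OpenSSL's reason name, e.g. WRONG_VERSION_NUMBER:
        # the peer answered in plaintext, not with a TLS record.
        return {"status": "not_tls", "detail": exc.reason or str(exc)}
    except OSError as exc:
        return {"status": "not_tls", "detail": str(exc)}


def start_plaintext_backend():
    """Start a constructed stand-in for a listener WITHOUT 'ssl' on
    127.0.0.1 and an ephemeral port; returns (server_socket, port).

    It reads whatever arrives (the ClientHello) and answers with an HTTP
    400, which the probing side then fails to parse as a TLS record.
    Close the returned socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: stop serving
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(65536)  # the ClientHello, left unparsed
                    conn.sendall(PLAINTEXT_REPLY)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Return a loopback port nothing is listening on (for the 'unreachable' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Reproduce the post's failure mode locally and return the probe result."""
    srv, port = start_plaintext_backend()
    try:
        return tls_probe("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())  # expected status: not_tls, detail: WRONG_VERSION_NUMBER
    # To check the real backend from the proxy host, probe the page's target:
    # print(tls_probe("192.168.178.105", 4200))
```

Run from the proxy host against 192.168.178.105:4200, a `not_tls` result with `WRONG_VERSION_NUMBER` is the same condition the error log shows: the backend server block has `ssl_certificate` and `ssl_certificate_key`, but its `listen 192.168.178.105:4200;` carries no `ssl` parameter, so that port answers in plaintext while the proxy's `proxy_pass https://` expects TLS. The two consistent configurations are `listen 192.168.178.105:4200 ssl;` on the backend (keeping the internal hop encrypted) or `proxy_pass http://192.168.178.105:4200` on the proxy (dropping it). Once the backend does speak TLS, note that `proxy_ssl_verify off` makes nginx accept whatever certificate the upstream presents; for a self-signed backend certificate the stronger setting is `proxy_ssl_trusted_certificate` pointing at that certificate together with `proxy_ssl_verify on` and a matching `proxy_ssl_name`. The `proxy_ssl_certificate` pair on the proxy side is a client certificate, which the backend as shown never asks for.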