Reverse Proxy 502 Bad Gateway

Maxim Dounin mdounin at mdounin.ru
Fri Mar 3 20:45:31 UTC 2023


Hello!

On Fri, Mar 03, 2023 at 04:33:25PM +0100, Hans Müller wrote:

>    Hello,
>    I am working in a proxmox environment, setting up an nginx reverse proxy
>    (192.168.178.103) forwarding requests via https to a nginx backend
>    server (192.168.178.105). On the backend server shellinabox is
>    installed. Requests from the internet are secured via a Let's Encrypt
>    certificate. For the encryption to the backend server I use a
>    self-signed certificate.
>    When I want to open the next-shell.example.com I get a 502 Bad Gateway
>    error.
>    On the reverse proxy are the following configs
>    HttpGateway

[...]

>    location / {
>    proxy_set_header Host $host;
>    proxy_set_header X-Real-IP $remote_addr;
>    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>    proxy_ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;
>    proxy_ssl_certificate_key /etc/selfcerts/stern-example-key.pem;
>    proxy_ssl_verify off;
>    proxy_pass https://192.168.178.105:4200;

Note you are proxying using the "https" protocol.

[...]

>    On the backend server there is the following config
>    next-shell.example.com
>    server {
>    listen 192.168.178.105:4200;
>    server_name next-shell.example.com;

But the backend is not configured to use SSL on the socket (or at 
least this is not something visible from the configuration 
provided).  Note no "ssl" parameter on the listen directive.

[...]

>    When I try to open the page there is this error in the nginx error log
>    {{{
>    [error] 1103#1103: *1 SSL_do_handshake() failed (SSL:
>    error:0A00010B:SSL routines::wrong version number) while SSL
>    handshaking to upstream, client: 95.116.52.151, server:
>    next-shell.example.com, request: "GET /favicon.ico HTTP/2.0",
>    upstream: "https://192.168.178.105:4200/favicon.ico", host:
>    "next-shell.example.com"
>    }}}
> 
>    Any idea, what I can do here?

The error is somewhat expected: you are trying to connect to 
a non-SSL port using SSL, and this is expected to fail.

You should either configure SSL on the backend, or change proxying 
to use the "http" protocol instead.

-- 
Maxim Dounin
http://mdounin.ru/
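
The two fixes named in the reply above, written out as an added example
(not part of the original message or of the poster's configuration). The
certificate paths are placeholders, and the upstream verification settings
assume the backend's self-signed certificate is issued for
next-shell.example.com.

```nginx
# Fragments for the http {} context. Apply ONE of the two options.

# --- Option 1: keep "proxy_pass https://..." and enable TLS on the backend ---

# Backend (192.168.178.105)
server {
    # The "ssl" parameter is what was missing from the posted listen directive.
    listen 192.168.178.105:4200 ssl;
    server_name next-shell.example.com;

    ssl_certificate     /path/to/backend-cert.pem;   # placeholder path
    ssl_certificate_key /path/to/backend-key.pem;    # placeholder path

    # existing location blocks stay as they are
}

# Reverse proxy (192.168.178.103), inside the existing server block:
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass https://192.168.178.105:4200;

    # Pin the self-signed backend certificate instead of "proxy_ssl_verify off",
    # so the proxy only accepts the backend it expects.
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /path/to/backend-cert.pem;  # placeholder path
    proxy_ssl_name                next-shell.example.com;     # assumed certificate name
}

# --- Option 2: leave the backend listen directive unchanged, proxy over http ---

# Reverse proxy (192.168.178.103), inside the existing server block:
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Scheme now matches the plain listener on the backend. Traffic between
    # proxy and backend is unencrypted, and the proxy_ssl_* directives no
    # longer apply.
    proxy_pass http://192.168.178.105:4200;
}
```

Check the result with "nginx -t" on both hosts before reloading.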

