SSL protocol errors only when reverse-proxying a Unit (WordPress) app behind Nginx?
bill noneofyourbusiness
bill14653 at hotmail.com
Wed Jun 9 11:06:12 UTC 2021
I'm working on fronting WordPress, installed as a Unit app, with Nginx.
I run
nginx -v
nginx version: nginx/1.21.0
unitd --version
unit version: 1.24.0
php -v
PHP 8.0.7 (cli) (built: Jun 1 2021 18:43:05) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.7, Copyright (c) Zend Technologies
with Zend OPcache v8.0.7, Copyright (c), by Zend Technologies
with Xdebug v3.0.4, Copyright (c) 2002-2021, by Derick Rethans
I'm following instructions from
Unit:HOWTO:NGINX Integration:Fronting Unit with NGINX
https://unit.nginx.org/howto/integration/#fronting-unit-with-nginx
Unit:HOWTO:Applications:Wordpress
https://unit.nginx.org/howto/wordpress/#wordpress
I installed Wordpress on Unit.
I can access the site and log in directly, with a valid SSL certificate, at
https://wp.loc:60000
Host is
host wp.loc
wp.loc has address 127.0.0.1
The Unit config for that is
{
"certificates": {
"bundle": {
"key": "ECDH",
"chain": [
{
"subject": {
"common_name": "wp.loc",
"alt_names": [
"wp.loc",
"www.wp.loc",
"localhost"
],
"country": "US",
"state_or_province": "NY",
"locality": "NYC",
"organization": "loc",
"department": "myCA"
},
"issuer": {
"common_name": "myINT",
"country": "US",
"state_or_province": "NY",
"organization": "loc",
"department": "myCA"
},
"validity": {
"since": "May 1 18:14:22 2021 GMT",
"until": "Aug 2 18:14:22 2021 GMT"
}
},
{
"subject": {
"common_name": "myINT",
"country": "US",
"state_or_province": "NY",
"organization": "loc",
"department": "myCA"
},
"issuer": {
"common_name": "myROOT",
"country": "US",
"state_or_province": "NY",
"locality": "NYC",
"organization": "loc",
"department": "myCA"
},
"validity": {
"since": "Jan 1 03:37:17 2021 GMT",
"until": "Jan 2 03:37:17 2022 GMT"
}
},
{
"subject": {
"common_name": "myROOT",
"country": "US",
"state_or_province": "NY",
"locality": "NYC",
"organization": "loc",
"department": "myCA"
},
"issuer": {
"common_name": "myROOT",
"country": "US",
"state_or_province": "NY",
"locality": "NYC",
"organization": "loc",
"department": "myCA"
},
"validity": {
"since": "Jan 1 03:19:10 2021 GMT",
"until": "Jan 2 03:19:10 2025 GMT"
}
}
]
}
},
"config": {
"listeners": {
"127.0.0.1:60000": {
"pass": "routes",
"tls": {
"certificate": "bundle",
"conf_commands": {
"minprotocol": "TLSv1.3",
"ciphersuites": "TLS_CHACHA20_POLY1305_SHA256",
}
}
}
},
"routes": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/home/wwwrun/wordpress/",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
],
"applications": {
"wordpress": {
"type": "php",
"targets": {
"direct": {
"root": "/home/wwwrun/wordpress/"
},
"index": {
"root": "/home/wwwrun/wordpress/",
"script": "index.php"
}
}
}
},
"access_log": "/var/log/wwwrun/unit.access.log"
}
}
The frontend Nginx config includes
upstream WPUNITproxy { server wp.loc:60000; }
server {
listen 10.15.12.11:443 ssl http2;
server_name front.loc;
...
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!AES128:!SHA1:!SHA256:!SHA384:!COMPLEMENTOFDEFAULT";
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command CipherString ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
ssl_verify_client optional;
ssl_verify_depth 2;
ssl_client_certificate "/home/wwwrun/ssl/chain.crt";
ssl_certificate "/home/wwwrun/ssl/front.loc.server.crt";
ssl_certificate_key "/home/wwwrun/ssl/front.loc.server.key";
location /blog/ {
proxy_pass https://WPUNITproxy/;
proxy_set_header Host $host;
proxy_set_header HTTPS on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Protocol https;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_ssl_name wp.loc;
proxy_ssl_verify off;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate "/home/wwwrun/ssl/chain.crt";
proxy_ssl_certificate "/home/wwwrun/ssl/wp.loc.client.crt";
proxy_ssl_certificate_key "/home/wwwrun/ssl/wp.loc.client.key";
}
Host is
host front.loc
front.loc has address 10.15.12.11
When I go to the front-end proxy at
https://front.loc/blog/
I get SSL errors
==> /var/log/wwwrun/unit.log <==
2021/06/09 06:20:00 [alert] 43183#44092 *248 SSL_do_handshake(96) failed (258: unsupported protocol) (OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol)
==> /var/log/wwwrun/nginx.error.log <==
2021/06/09 06:20:00 [error] 63200#63200: *4 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 10.15.12.11, server: front.loc, request: "GET /blog/ HTTP/2.0", upstream: "https://127.0.0.1:60000/", host: "front.loc"
So I can access the backend using SSL directly, but not through the proxy.
What's the problem with my SSL config for the front end proxy?