SSL protocol errors only when Reverse-proxying Unit (Wordpress) app behind Nginx?

Sergey Kandaurov pluknet at nginx.com
Wed Jun 9 12:31:34 UTC 2021


> On 9 Jun 2021, at 14:06, bill noneofyourbusiness <bill14653 at hotmail.com> wrote:
> 
> I'm working on Fronting Wordpress installed as a Unit app with Nginx.
> 
> I run
> 
> 	nginx -v
> 		nginx version: nginx/1.21.0
> 	unitd --version
> 		unit version: 1.24.0
> 	php -v
> 		PHP 8.0.7 (cli) (built: Jun  1 2021 18:43:05) ( NTS gcc x86_64 )
> 		Copyright (c) The PHP Group
> 		Zend Engine v4.0.7, Copyright (c) Zend Technologies
> 			with Zend OPcache v8.0.7, Copyright (c), by Zend Technologies
> 			with Xdebug v3.0.4, Copyright (c) 2002-2021, by Derick Rethans
> 
> I'm following instructions from
> 
> 	Unit:HOWTO:NGINX Integration:Fronting Unit with NGINX
> 	https://unit.nginx.org/howto/integration/#fronting-unit-with-nginx
> 
> 	Unit:HOWTO:Applications:Wordpress
> 	https://unit.nginx.org/howto/wordpress/#wordpress
> 
> I installed Wordpress on Unit.
> 
> I can access the site and login directly, with valid SSL/cert, at
> 
> 	https://wp.loc:60000
> 
> Host is
> 
> 	host wp.loc
> 		wp.loc has address 127.0.0.1
> 
> The Unit config for that is
> 
> {
> 	"certificates": {
[snip]
> 	},
> 
> 	"config": {
> 		"listeners": {
> 			"127.0.0.1:60000": {
> 				"pass": "routes",
> 				"tls": {
> 					"certificate": "bundle",
> 					"conf_commands": {
> 						"minprotocol": "TLSv1.3",
> 						"ciphersuites": "TLS_CHACHA20_POLY1305_SHA256",
> 					}
> 				}
> 			}
> 		},
[snip]
> 	}
> }
> 
> The frontend Nginx config includes
> 
> 	upstream WPUNITproxy  { server wp.loc:60000; }
> 
> 	server {
[snip]
> 		location /blog/ {
> 			proxy_pass https://WPUNITproxy/;
> 			proxy_set_header Host  $host;
> 			proxy_set_header HTTPS  on;
> 			proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
> 			proxy_set_header X-Forwarded-Host  $server_name;
> 			proxy_set_header X-Forwarded-Port  $server_port;
> 			proxy_set_header X-Forwarded-Proto  https;
> 			proxy_set_header X-Forwarded-Protocol https;
> 			proxy_set_header X-Forwarded-Server  $host;
> 			proxy_set_header X-Real-IP  $remote_addr;
> 			proxy_set_header X-SSL-Subject  $ssl_client_s_dn;
> 			proxy_set_header X-SSL-Issuer  $ssl_client_i_dn;
> 
> 			proxy_ssl_name wp.loc;
> 			proxy_ssl_verify off;
> 			proxy_ssl_verify_depth 2;
> 			proxy_ssl_trusted_certificate "/home/wwwrun/ssl/chain.crt";
> 			proxy_ssl_certificate  "/home/wwwrun/ssl/wp.loc.client.crt";
> 			proxy_ssl_certificate_key  "/home/wwwrun/ssl/wp.loc.client.key";
> 
> 		}
> 
> Host is
> 
> 	host front.loc
> 		front.loc has address 10.15.12.11
> 
> When I go to the FRONT end proxy,
> 
> 	https://front.loc/blog/
> 
> I get SSL errors
> 
> 	==> /var/log/wwwrun/unit.log <==
> 	2021/06/09 06:20:00 [alert] 43183#44092 *248 SSL_do_handshake(96) failed (258: unsupported protocol) (OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol)
> 
> 	==> /var/log/wwwrun/nginx.error.log <==
> 	2021/06/09 06:20:00 [error] 63200#63200: *4 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 10.15.12.11, server: front.loc, request: "GET /blog/ HTTP/2.0", upstream: "https://127.0.0.1:60000/", host: "front.loc"
> 
> So I can access the backend using SSL directly, but not through the proxy.
> 
> What's the problem with my SSL config for the front end proxy?

You need to reconcile allowed TLS protocol versions between nginx and unit.
In the unit configuration provided above you have:

"minprotocol": "TLSv1.3"

nginx doesn't enable TLSv1.3 by default (yet),
it needs to be enabled explicitly, e.g.:

proxy_ssl_protocols TLSv1.3;

-- 
Sergey Kandaurov
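To make the reconciliation step above concrete, here is an added example (not code from the thread or from nginx/Unit) that computes the TLS versions each side allows and reports whether they overlap. It assumes nginx 1.21's default of TLSv1 through TLSv1.2 for proxy_ssl_protocols when the directive is absent, and that Unit's OpenSSL allows up to TLSv1.3 when no maxprotocol is set; the Unit JSON and nginx location blocks are constructed from the thread.

```python
"""Check that nginx's proxy_ssl_protocols overlaps Unit's min/max protocol."""
import json
import re

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: nginx 1.21 (the version in the thread) offers these when
# proxy_ssl_protocols is not set; TLSv1.3 joined the default only later.
NGINX_DEFAULT_PROXY_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed sample: the Unit listener from the thread (certificates omitted).
UNIT_CONFIG = json.loads("""
{"config": {"listeners": {"127.0.0.1:60000": {"pass": "routes",
  "tls": {"certificate": "bundle",
          "conf_commands": {"minprotocol": "TLSv1.3",
                            "ciphersuites": "TLS_CHACHA20_POLY1305_SHA256"}}}}}}
""")

# Constructed samples: the original location block and the suggested fix.
NGINX_BROKEN = "location /blog/ { proxy_pass https://WPUNITproxy/; proxy_ssl_name wp.loc; }"
NGINX_FIXED = NGINX_BROKEN.replace("}", "proxy_ssl_protocols TLSv1.3; }")


def unit_versions(unit_config, listener):
    """TLS versions the Unit listener accepts, from minprotocol/maxprotocol."""
    tls = unit_config["config"]["listeners"][listener].get("tls", {})
    cmds = {k.lower(): v for k, v in tls.get("conf_commands", {}).items()}
    lo = TLS_ORDER.index(cmds.get("minprotocol", "TLSv1"))
    hi = TLS_ORDER.index(cmds.get("maxprotocol", "TLSv1.3"))  # assumed OpenSSL max
    return set(TLS_ORDER[lo:hi + 1])


def nginx_versions(location_block):
    """TLS versions nginx offers upstream: the directive value or the default."""
    m = re.search(r"proxy_ssl_protocols\s+([^;]+);", location_block)
    if not m:
        return set(NGINX_DEFAULT_PROXY_PROTOCOLS)
    return set(m.group(1).split())


def common_versions(unit_config, listener, location_block):
    """Versions both sides allow; an empty set means the handshake fails with alert 70."""
    return unit_versions(unit_config, listener) & nginx_versions(location_block)


if __name__ == "__main__":
    for label, block in (("broken", NGINX_BROKEN), ("fixed", NGINX_FIXED)):
        common = common_versions(UNIT_CONFIG, "127.0.0.1:60000", block)
        print(f"{label}: common versions = {sorted(common) or 'NONE'}")
```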
