
#1 2021-06-24 16:25:50

ethin
Member
Registered: 2021-03-12
Posts: 12

Cannot utilize reverse proxy setup with nginx: SSL alert number 70

So, I'm trying to set up a Matrix server using nginx as the master server for everything. I could've used (another) nginx instance in a Docker/LXC container, but that seemed like a waste of server resources when a single nginx instance is capable of doing everything. So, I went to nginxconfig.io to get myself up and running with a safe and secure configuration. For Matrix, I used this Ansible playbook to get things going. I could've, of course, just set everything up by hand, but considering that this offered to set everything up in a Docker container, it seemed a lot simpler to do.
Anyway, I disabled the nginx proxy and told it to use the modern Mozilla configuration, exactly as I told nginxconfig.io to (also) use the same configuration. However, for some reason the nginx proxy is breaking whenever it tries to send an HTTPS request to the subdomains that it controls. They all run on the same machine, and I can access the subdomains perfectly fine. That is, accessing https://matrix.the-gdn.net/.well-known/matrix/server works perfectly, but accessing https://the-gdn.net/.well-known/matrix/server breaks. The error is:

SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream

This makes no sense, since both servers are using an almost identical configuration, including the same TLS version. My nginx configuration can be found here, and the relevant matrix domain configuration looks like this:

# /matrix/nginx-proxy/conf.d/matrix-domain.conf

server {
	listen 80;
	server_name matrix.the-gdn.net;

	server_tokens off;
	root /dev/null;

	# ACME HTTP-01 challenges are proxied to the local ACME client on port 2402
	location /.well-known/acme-challenge {
		proxy_pass http://127.0.0.1:2402;
	}

	# everything else is redirected to HTTPS
	location / {
		return 301 https://$http_host$request_uri;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name matrix.the-gdn.net;

	server_tokens off;
	root /dev/null;

	ssl_certificate /matrix/ssl/config/live/matrix.the-gdn.net/fullchain.pem;
	ssl_certificate_key /matrix/ssl/config/live/matrix.the-gdn.net/privkey.pem;

	# TLS 1.3 only (Mozilla "modern" profile): any client that offers
	# at most TLS 1.2 is rejected with a protocol_version alert
	ssl_protocols TLSv1.3;
	ssl_prefer_server_ciphers off;

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /matrix/ssl/config/live/matrix.the-gdn.net/chain.pem;

	ssl_session_tickets off;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_timeout 1d;

	gzip on;
	gzip_types text/plain application/json;

	add_header Permissions-Policy interest-cohort=() always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header X-XSS-Protection "1; mode=block";

	location /.well-known/matrix {
		root /matrix/static-files;
		expires 4h;
		default_type application/json;
		# note: add_header inside a location replaces the server-level add_header set
		add_header Access-Control-Allow-Origin *;
	}

	location ^~ /_matrix/identity {
		proxy_pass http://127.0.0.1:8090;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	location ^~ /_matrix/client/r0/user_directory/search {
		proxy_pass http://127.0.0.1:8090;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location ~* ^(/_matrix|/_synapse/client) {
		proxy_pass http://127.0.0.1:12080;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;

		client_body_buffer_size 25M;
		client_max_body_size 50M;
		proxy_max_temp_file_size 0;
	}

	location ~* ^/$ {
		return 302 $scheme://element.the-gdn.net$request_uri;
	}
}

# federation listener
server {
	listen 8448 ssl http2;
	listen [::]:8448 ssl http2;

	server_name matrix.the-gdn.net;
	server_tokens off;

	root /dev/null;

	gzip on;
	gzip_types text/plain application/json;

	ssl_certificate /matrix/ssl/config/live/matrix.the-gdn.net/fullchain.pem;
	ssl_certificate_key /matrix/ssl/config/live/matrix.the-gdn.net/privkey.pem;

	ssl_protocols TLSv1.3;
	ssl_prefer_server_ciphers off;

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /matrix/ssl/config/live/matrix.the-gdn.net/chain.pem;

	ssl_session_tickets off;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_timeout 1d;

	location / {
		proxy_pass http://127.0.0.1:12088;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;

		client_body_buffer_size 25M;
		client_max_body_size 150M;
		proxy_max_temp_file_size 0;
	}
}

If I need to provide the other configuration files, I can do that too. But I'm just extremely confused about why this is happening. I've used nginxconfig.io to proxy things in the past and it's worked perfectly, so I'm unsure as to why this is happening with this configuration.

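Added example, not part of the post above and not the poster's configuration. The alert quoted in the post, `tlsv1 alert protocol version` (TLS alert 70, protocol_version), is what an upstream sends when the proxying side offers only protocol versions the upstream refuses. The posted matrix-domain.conf accepts TLSv1.3 only, while nginx's `proxy_ssl_protocols` defaults to `TLSv1 TLSv1.1 TLSv1.2` in every release before 1.23.4, so a front-end `proxy_pass https://...` to that vhost is refused at the ClientHello even though both servers were generated from the same Mozilla profile. The fragment below shows a front-end location block for the base domain with the default left in place, beside one that offers TLS 1.3, sends SNI and verifies the upstream certificate. The hostnames come from the post; the upstream address `127.0.0.1:443` and the CA bundle path are assumptions.

```nginx
# Added example: a location in the front-end nginx (the instance serving
# https://the-gdn.net) that proxies to the TLS-1.3-only matrix vhost on the
# same host. Assumed layout, not the poster's own configuration.

# Broken: proxy_ssl_protocols is left at its default, which before nginx
# 1.23.4 is "TLSv1 TLSv1.1 TLSv1.2". The upstream vhost only accepts TLSv1.3
# and answers the ClientHello with alert 70 (protocol_version), logged as
# "SSL_do_handshake() failed ... while SSL handshaking to upstream".
#
#   location /.well-known/matrix {
#       proxy_pass https://matrix.the-gdn.net;
#   }

# Fixed: offer TLS 1.3 to the upstream, send SNI so the right server block and
# certificate are selected, and verify the upstream chain instead of trusting
# whatever answers on that socket.
location /.well-known/matrix {
    # assumption: the matrix vhost from the post listens on 127.0.0.1:443
    proxy_pass https://127.0.0.1:443;

    # Versions the proxy may offer; must overlap with the upstream's
    # ssl_protocols (TLSv1.3 in the posted matrix-domain.conf).
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    # SNI: without it the upstream nginx serves its default vhost and
    # certificate, not matrix.the-gdn.net.
    proxy_ssl_server_name on;
    proxy_ssl_name matrix.the-gdn.net;

    # Verify the upstream certificate chain and check that it matches
    # proxy_ssl_name. Assumption: Debian/Ubuntu system CA bundle path; the
    # Let's Encrypt chain.pem from the post also works if you prefer to pin
    # to that issuer.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Reuse upstream TLS sessions rather than paying a full handshake per request
    proxy_ssl_session_reuse on;

    proxy_set_header Host matrix.the-gdn.net;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

To confirm the diagnosis before touching the config, handshake to the upstream with each version pinned: `openssl s_client -connect 127.0.0.1:443 -servername matrix.the-gdn.net -tls1_2` should fail with the same protocol_version alert, and the same command with `-tls1_3` should complete. `nginx -V` shows the front-end's version (and whether its OpenSSL supports TLS 1.3 at all), and `nginx -t` validates the edited file before reload. Since `/.well-known/matrix/server` and `/.well-known/matrix/client` are static JSON, the base-domain vhost can also serve them directly from `/matrix/static-files` with the same `default_type` and CORS header as the posted location, which removes the proxy-to-upstream TLS hop for this path entirely.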
