I have nginx reverse-proxying to Unifi's Java HTTPS server and started
running into problems after an update to base a little while ago. I
finally got round to bisecting it to this commit:
---------------------
PatchSet 3569
Date: 2020/07/07 19:24:23
Author: jsing
Branch: HEAD
Tag: (none)
Log:
Enable TLSv1.3 for the generic TLS_method().
This can be done now that we have both TLSv1.3 client and server.
ok beck@ inoguchi@ tb@
Members:
ssl_locl.h:1.280->1.281
ssl_methods.c:1.12->1.13
---------------------
With that enabled, nginx (as the TLS *client*) is unable to connect to the
Java HTTPS server; from nginx's log:
2020/09/10 16:08:31 [error] 57039#0: *1 SSL_read() failed (SSL:
error:14FFF438:SSL routines:(UNKNOWN)SSL_internal:tlsv1 alert internal
error:SSL alert number 80) while reading response header from upstream, client:
XXX, server: XXX, request: "GET /manage/account/login?redirect=%2Fmanage
HTTP/2.0", upstream: "XXX", host: "XXX"
Other clients (at least ftp, curl, wget, nc) have no problem connecting
to this server; they connect with TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256.
Packages are not available for Unifi, so to reproduce both sides you'll
need a ports tree on your system, then:
pkg_add nginx mongodb javaPathHelper jdk%1.8
cd /usr/ports/net/unifi/stable
make install
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat << 'EOF' > /etc/nginx/nginx.conf   # quote EOF so the shell leaves $host / $http_upgrade alone
events {
    worker_connections 800;
}
http {
    server {
        server_name localhost;
        listen 80;
        location / {
            # nginx is the TLS client here, talking to the Java server on 8443
            proxy_pass https://127.0.0.1:8443;
            proxy_set_header Host $host;
            proxy_redirect default;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
EOF
rcctl start unifi nginx
Startup will take a little while; wait until "ftp -o- -Sdont
https://127.0.0.1:8443/" (i.e. connecting directly to the Java server)
returns HTML, then try fetching via nginx (ftp -o- http://127.0.0.1/)
and observe the 502 Bad Gateway.
Any ideas?
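An added check (editor's example, not part of the original report and not code from the nginx, LibreSSL or Unifi projects) to separate the two possible explanations, "the Java server cannot complete a TLS 1.3 handshake" versus "nginx's TLS client misbehaves": probe the upstream directly with a TLS 1.3-only and a TLS 1.2-only handshake using openssl(1) s_client and classify the result from the libssl error text, mapping the "SSL alert number N" seen in the nginx log to its RFC 8446 alert name. It assumes an s_client that accepts the OpenSSL-style `-tls1_3` / `-tls1_2` flags and prints the usual `Protocol  :` / `Cipher    :` session lines on success; the transcripts embedded in the script are constructed stand-ins for real s_client output so the classifier can be exercised without the Java server running.

```shell
#!/bin/sh
# Added example: probe an HTTPS upstream with one TLS version at a time and
# classify the outcome. Not from the original report; assumes an openssl(1)
# s_client that understands -tls1_2 / -tls1_3 (OpenSSL 1.1.1+, recent LibreSSL).

# Map the numeric "SSL alert number N" from a libssl error to its TLS alert
# name (RFC 8446 section 6.2). Only the alerts relevant to version
# negotiation failures are listed; anything else is reported by number.
alert_name() {
    case "$1" in
        10) echo unexpected_message ;;
        40) echo handshake_failure ;;
        47) echo illegal_parameter ;;
        70) echo protocol_version ;;
        80) echo internal_error ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Classify an s_client transcript passed as a single string.
# Prints "ok <protocol> <cipher>" and returns 0 when a session was
# negotiated, "fail <alert-name>" when the peer sent a TLS alert, or
# "fail no-handshake" when no TLS exchange happened at all (both return 1).
classify() {
    out=$1
    ver=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$ver" ]; then
        cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
        echo "ok $ver $cipher"
        return 0
    fi
    num=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$num" ]; then
        echo "fail $(alert_name "$num")"
    else
        echo "fail no-handshake"
    fi
    return 1
}

# probe host:port version-flag   e.g. probe 127.0.0.1:8443 -tls1_3
# Talks to a live server; stderr is merged because libssl prints alerts there.
probe() {
    classify "$(openssl s_client -connect "$1" "$2" </dev/null 2>&1)"
}

# Constructed transcripts (not captured from the reporter's system) in the
# shape s_client produces: a successful TLS 1.2 session block, and the
# libssl error line that corresponds to the nginx log entry (alert 80).
SAMPLE_TLS12='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'
SAMPLE_TLS13_ALERT='CONNECTED(00000003)
error:14FFF438:SSL routines:(UNKNOWN)SSL_internal:tlsv1 alert internal error:SSL alert number 80
---
no peer certificate available'
SAMPLE_REFUSED='connect: Connection refused'

# Usage: sh probe_tls.sh 127.0.0.1:8443   (runs both probes against a live host)
if [ -n "${1-}" ]; then
    printf 'TLS 1.3 only: %s\n' "$(probe "$1" -tls1_3)"
    printf 'TLS 1.2 only: %s\n' "$(probe "$1" -tls1_2)"
fi
```

If the TLS 1.3-only probe comes back "fail internal_error" while the TLS 1.2-only probe negotiates, the Java server is the side failing on a TLS 1.3 ClientHello, and the other clients listed in the report only succeed because they never offer 1.3. In that case the usual workaround while the Java side is fixed is to pin nginx's upstream handshake with `proxy_ssl_protocols TLSv1.2;` inside the `location` block (editor's suggestion; the report does not say this was tried).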