SSL termination with Nginx as frontend proxy

Hello, I want to use a proxy container in front of other containers. I’ve already successfully configured this using HAProxy, but I would like to do it with nginx.

It worked well without SSL, the requests were successfully transmitted. But with SSL, I can’t do it.

Here is my nginx configuration for the proxy:

server
{
   listen 80;
   listen [::]:80;

   server_name sub.domain.tld;

   include conf.d/acme.inc;
   include conf.d/redirect_http.inc;
}

server
{
   listen 443 ssl http2;
   listen [::]:443 ssl http2;

   server_name sub.domain.tld;

   ssl on; # Redundant with "listen ... ssl" above; deprecated since nginx 1.15.0
   ssl_certificate /etc/ssl/acme/sub.domain.tld/fullchain.pem;
   ssl_certificate_key /etc/ssl/acme/private/sub.domain.tld/privkey.pem;

   ssl_protocols TLSv1.2; # Because stable nginx
   ssl_prefer_server_ciphers on;
   ssl_dhparam /etc/nginx/dhparam.pem;
   ssl_ciphers 'ECDH+CHACHA20:ECDHE+AES:!SHA1';
   ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
   ssl_session_timeout 1h;
   ssl_session_cache shared:SSL:20m;
   ssl_session_tickets off;
   ssl_stapling on;
   ssl_stapling_verify on;

   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
   add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 5s;

   location /
   {
      proxy_set_header X-Forwarded-By $server_addr:$server_port;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $host;

      proxy_pass http://containername.lxd/;
   }
}

and here is a very basic configuration on the targeted container (containername):

server
{
   listen 80;
   listen [::]:80;

   root /www/sub.domain.tld/;

   index index.html;

   server_name sub.domain.tld;

   location /
   {
      try_files $uri $uri/ =404;
   }

   location ~ /\.ht
   {
      deny all;
   }
}

My iptables (and ip6tables) rules shouldn’t be an issue because they worked well with HAProxy, and I use the same container, with the same IPs.

If I try to curl from a distant host I get this error:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to sub.domain.tld:443

Any idea where the problem might be?

I suppose the issue is with the cipher list which looks too small.
Have a look at https://github.com/curl/curl/issues/1520
You need to debug this particular error OpenSSL SSL_connect: SSL_ERROR_SYSCALL, i.e. google it hard.

I’ve looked for OpenSSL SSL_connect: SSL_ERROR_SYSCALL and I haven’t found anything relevant.

The problem isn’t with the cipher list (which I use frequently), I’ve tried with a more permissive one from here and I have the same issue.

If anybody could share his Nginx configuration as a frontend-proxy I could use it as a comparison.

I have used HAProxy for this task and I could help on that.

However, I would like to try it out with nginx as well. Which guide are you following, so that I can try it out as well?


Turns out it wasn’t related to these server blocks. I had forgotten a server block for another domain with instructions that made all the connections fail on port 443.

I didn’t follow a guide; there is a lack of tutorials for it. I’ve just used your guide for HAProxy with SSL and adapted it to match my needs (nginx and acme).

I may write a guide about it, tell me if you would be interested! If you’re not, know that following the same logic you had for HAProxy, using the Nginx official documentation is sufficient.

Thanks for the help!
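The cause found above (a forgotten server block for another domain that breaks every connection on port 443) is easy to miss when the configuration is spread over several included files. The following is an added example, not code from this thread, from LXD or from nginx: a POSIX shell helper that reads an `nginx -T` dump (the real nginx flag that prints the complete effective configuration, includes expanded) and lists every server block that terminates TLS on 443, with its server_name and whether it claims default_server. The sample configuration it runs on is constructed: the two proxy blocks from the first post, trimmed, plus an invented stray block for the placeholder name other.domain.tld that stands in for the forgotten one.

```shell
#!/bin/sh
# Added example (not from the thread). Lists every server block in an
# `nginx -T` dump that listens on 443 (or has `ssl on`), printing its
# server_name and whether it takes default_server for the port.
list_tls_servers() {
  awk '
    { sub(/#.*$/, "") }                      # drop nginx comments and nginx -T banners
    depth == 0 && /^[[:space:]]*server([[:space:]]|[{]|$)/ {
      inserver = 1; names = ""; tls = 0; dflt = 0   # new top-level server block
    }
    inserver && /^[[:space:]]*listen[[:space:]]/ {
      if ($0 ~ /(^|[^0-9])443([^0-9]|$)/ || $0 ~ /[[:space:]]ssl([[:space:]]|;)/) tls = 1
      if ($0 ~ /default_server/) dflt = 1
    }
    inserver && /^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;/ { tls = 1 }
    inserver && /^[[:space:]]*server_name[[:space:]]/ {
      s = $0
      sub(/^[[:space:]]*server_name[[:space:]]+/, "", s)
      sub(/[[:space:]]*;.*$/, "", s)
      names = (names == "" ? s : names " " s)
    }
    {
      o = gsub(/[{]/, "{"); c = gsub(/[}]/, "}")   # count braces on this line
      depth += o - c
    }
    inserver && c > 0 && depth == 0 {              # block closed: report it
      if (tls) printf "%s%s\n", (names == "" ? "(no server_name)" : names), \
                                (dflt ? " [default_server]" : "")
      inserver = 0
    }
  '
}

# Constructed sample standing in for `nginx -T` output: the proxy blocks from
# the first post (trimmed) plus an invented stray block for a second domain.
sample_config() {
  cat <<'EOF'
# configuration file /etc/nginx/conf.d/proxy.conf:
server
{
   listen 80;
   listen [::]:80;
   server_name sub.domain.tld;
   include conf.d/redirect_http.inc;
}

server
{
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name sub.domain.tld;
   ssl_certificate /etc/ssl/acme/sub.domain.tld/fullchain.pem;
   ssl_certificate_key /etc/ssl/acme/private/sub.domain.tld/privkey.pem;
   location /
   {
      proxy_pass http://containername.lxd/;
   }
}

# configuration file /etc/nginx/conf.d/other.conf (constructed stray block):
server {
   listen 443 ssl default_server;
   server_name other.domain.tld;   # placeholder domain
   ssl_certificate /etc/ssl/other/fullchain.pem;
   ssl_certificate_key /etc/ssl/other/privkey.pem;
}
EOF
}

# Stand-alone run over the constructed sample. On a real host use:
#   nginx -T 2>/dev/null | list_tls_servers
sample_config | list_tls_servers
```

The stray block shows up as a second line, and its `[default_server]` tag explains why a client that never asked for other.domain.tld can still be routed to it: whichever block wins default_server for 443 handles every connection whose SNI matches no server_name, so a broken certificate or directive in that block affects the whole port. After fixing, `openssl s_client -connect sub.domain.tld:443 -servername sub.domain.tld` confirms which certificate the proxy actually presents.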

It would be great if you could write the guide on this, as a guide for TLS Termination with nginx for LXD does not exist.

In addition, LXD will get support for the PROXY protocol in LXD 3.3 (to be made available today), which means that the process of TLS termination with nginx for LXD should be well understood before anyone tries to add the PROXY protocol on top of that.