NGINX http proxy_pass over SSL throws error 502

I'm trying to set up SSL on my nginx server, it works on the plain site wich is just the nginx welcome default page, but when I try any of the configured proxy_pass locations I get a cloudflare 526 Invalid SSL certificate error wich rapidly flicks to a 502 bad gateway. The certificate I'm using is self signed and cloudflare SSL is set to full (not strict).

This is the error I get on my logs:

2017/11/28 22:59:10 [error] 11457#11457: *2 upstream prematurely closed connection while reading response header from upstream, client:  141.101.104.32, server: web1.olympiccode.net, request: "GET /r/ HTTP/1.1", upstream: "http://127.0.0.1:2000/r/", host: "web1.olympiccode.net", referrer: "https://web1.olympiccode.net/r"

This is my config:

user www-data;
worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    send_timeout 1800;
    sendfile        on;
    keepalive_timeout  6500;

    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;
    ssl_session_timeout  5m;
    ssl_protocols        SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;


server {
    listen       80;
    server_name  web1.olympiccode.net;
    return 200 "hi";
}
# HTTPS server

server {
    listen       443 ssl;
    server_name  web1.olympiccode.net;
    root /usr/share/nginx/html;
    ssl on;
    location / {
     try_files $uri $uri/ =404;
    }
    location /r/ {
      auth_basic "RethinkDB - Web Panel";
      auth_basic_user_file /etc/nginx/.rethinkdb.pass;
      proxy_pass          http://localhost:2000;
      proxy_set_header    Host             $host;
      proxy_set_header    X-Real-IP        $remote_addr;
      proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header    X-Client-Verify  SUCCESS;
      proxy_set_header    X-Client-DN      $ssl_client_s_dn;
      proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
      proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
      proxy_read_timeout 1800;
      proxy_connect_timeout 1800;
    }
    location /status/ {
      proxy_pass          http://localhost:19999;
      proxy_set_header    Host             $host;
      proxy_set_header    X-Real-IP        $remote_addr;
      proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header    X-Client-Verify  SUCCESS;
      proxy_set_header    X-Client-DN      $ssl_client_s_dn;
      proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
      proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
      proxy_read_timeout 1800;
      proxy_connect_timeout 1800;
    }
}
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Best Answer

Turns out the error was caused by a cloudflare misconfiguration in the SSL settings.

I have two different setups, a normal web hosting that I use for my website and a VPS wich I use for databases and other things, due to that and the web host having SSL certificates I had cloudflare SSL set to "Full (Strict)" and a page rule setting "web1.olympiccode.net" to only "Full", however, the cloudflare page rules work on URLs and not hosts, so I had to change it to "web1.olympiccode.net/*" after that it worked fine.

Best Answer

Related Solutions

NGINX – Proxy HTTPS Requests to an HTTP Backend

Nginx proxy pass works for https but not http

Related Topic