Score:4

NGINX load balancing: upstream ssl name


I have the following nginx configuration to balance the load among different nodes. However, when I try to redirect the traffic I get a 502 Bad Gateway.

By reading the error log I found out that the problem is related to the fact that my nginx load balancer is trying to verify the validity of the X.509 certificate NOT for the various nodes (backend1.example.com, backend2.example.com), but for the name of the upstream, backend.example.com (without the number), leading to the error shown below.

How can I tell nginx to use the hostname of the node the request is forwarded to, instead of the name of the upstream?

ERROR LOG:

upstream SSL certificate does not match "backend.example.com" while SSL handshaking to upstream...

CONFIGURATION:

upstream backend.example.com {
    least_conn;
    server backend1.example.com:443;
    server backend2.example.com:443;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name example.com;

    location / {
        proxy_pass https://backend.example.com;

        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_set_header Host $host;
    }

    ssl_certificate /etc/letsencrypt/.../fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/.../privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Score:3

The ngx_http_proxy_module directive you need is proxy_ssl_name.

You can fix that issue in several ways:

  1. Try setting proxy_ssl_name $proxy_host;

  2. Use a wildcard SSL certificate.

  3. If it is on an internal network, use a plain HTTP connection to the upstream, without the redundant double encryption, and allow HTTP connections on the upstream side only from your reverse proxy server.

  4. Place the same upstream certificate on each node and set it for the one expected name: proxy_ssl_name backend.example.com;

AndreaCostanzo1: 1. doesn't work since it sets `backend.example.com`. 3. The network is not private; this is the main reason for encryption between the LB and the back-end nodes. Can you explain how to deal with wildcard certificates? (I would have to generate one and then copy it to every back-end node. Can it be done via certbot directly?)
Try renaming the backend upstream from the FQDN to just "backend", for example `proxy_ssl_name $proxy_host; proxy_pass backend; proxy_ssl on; proxy_ssl_verify on;`
Yes, you can issue a wildcard certificate directly with certbot, but with additional validation, for example with Cloudflare DNS if you use it. Try this [article](https://idolsgate.com/blog/wildcard-SSL-certificate-with-letsencrypt-on-Centos-7/); it works for me.
AndreaCostanzo1: Renaming isn't working. I think the only available solution remains using a shared SSL certificate.
Score:1

According to the nginx developers you need to share the same TLS certificate between all backend servers. See the following bug report: https://trac.nginx.org/nginx/ticket/1307#comment:5
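The configuration below is an added example, not the asker's file or an answer from the thread; it puts option 4 of the first answer and the shared-certificate advice of the second together. The underlying behaviour is that nginx checks the upstream certificate against proxy_ssl_name, whose default is $proxy_host, i.e. the name written in proxy_pass (the upstream group name "backend.example.com" here). nginx has no variable that expands to the address of the peer it actually picked, so every node in the group has to present a certificate that is valid for that one name. It is assumed that one certificate whose Subject Alternative Names include backend.example.com (a wildcard for *.example.com also covers it, since backend, backend1 and backend2 are all single labels under example.com) is installed on both nodes, and that each node answers for that name when it arrives as SNI.

```nginx
# Added example, not the asker's configuration.
# Assumes both nodes serve one shared certificate whose SAN contains
# backend.example.com, and that both accept that name as SNI.

upstream backend.example.com {
    least_conn;
    server backend1.example.com:443;
    server backend2.example.com:443;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;

    location / {
        proxy_pass https://backend.example.com;

        # Name the upstream certificate must match. This is also the default
        # ($proxy_host), which is why setting proxy_ssl_name $proxy_host
        # changed nothing; it is written out here to make the contract explicit.
        proxy_ssl_name        backend.example.com;

        # Send that name as SNI so a backend hosting several vhosts returns the
        # shared certificate rather than its default one (off by default).
        proxy_ssl_server_name on;

        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_session_reuse on;
        proxy_set_header Host $host;
    }

    # ssl_certificate, ssl_certificate_key, include and ssl_dhparam lines
    # for the front-end listener exactly as in the question.
}
```

To reproduce nginx's check from the load balancer before reloading, connect to each node by its own address while verifying the upstream name, e.g. `openssl s_client -connect backend1.example.com:443 -servername backend.example.com -verify_hostname backend.example.com -CAfile /etc/ssl/certs/ca-certificates.crt`; the handshake must report the hostname as verified on both nodes, otherwise the 502 will return after reload. Using the same name for the upstream group and in proxy_ssl_name keeps the two from drifting apart if the group is ever renamed.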
