Issue for TLS secured upstream TCP connection

Posted by Lars71dk 
June 12, 2020 05:44AM
I am trying to configure nginx to work as a proxy to a remote server. The connection must be secured by TLSv1.2.

This is my nginx version/config:
# nginx -V
nginx version: nginx/1.13.9
built with OpenSSL 1.0.2p 14 Aug 2018
TLS SNI support enabled
configure arguments: --crossbuild=Linux:arm --with-endian=little --with-int=4 --with-long=4 --with-long-long=8 --with-ptr-size=4 --with-sig-atomic-t=4 --with-size-t=4 --with-off-t=4 --with-time-t=4 --with-sys-nerr=132 --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/run/nginx/nginx.pid --prefix=/usr --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module

Then I test using netcat. Send a message of 12 bytes, and expect 12 bytes to be returned. It looks like the connection is established, tx is ok, but zero bytes are received. Note: The same setup works using stunnel.

Here is the test command:
echo -n -e "\x02\x04\x00\x77\x03\x00\x62\x01\x31\x37\x8e\x03" | nc 10.28.151.113 8000

Log:
2020/06/04 13:16:42 [info] 7254#0: *23 client 10.28.151.113:50234 connected to 0.0.0.0:8000
2020/06/04 13:16:42 [info] 7254#0: *23 proxy 10.28.151.113:59176 connected to 10.28.151.188:8000
2020/06/04 13:16:42 [info] 7254#0: *23 client disconnected, bytes from/to client:12/0, bytes from/to upstream:0/12

nginx stream conf block:
stream {
    upstream nwgt1 {
        server 10.28.151.188:8000;
    }

    server {
        listen 8000;                     # plaintext listener, bound to all interfaces (0.0.0.0:8000 in the log)
        proxy_pass nwgt1;
        proxy_ssl on;                    # wrap the connection to the upstream in TLS

        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /media/appfs/etc/ssl/ca-nwgt.crt;   # CA used to verify the upstream certificate
        proxy_ssl_name *.GVR_Local.net;  # name checked against the upstream certificate

        proxy_ssl_verify on;             # reject the upstream if its certificate does not verify
        proxy_ssl_verify_depth 2;        # maximum chain depth accepted during verification
        proxy_ssl_session_reuse on;      # reuse TLS sessions to the upstream
    }
}

Using tcpdump I can see encrypted traffic between the hosts.

I tried to enable debug log level, but it did not reveal anything...

Any pointers to what I am missing? How to diagnose further?

Thanks!
Lars
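One way to diagnose further, as an added example that is not part of the original post and not nginx's own tooling: repeat the netcat probe from the post in Python so that bytes are counted in each direction, and read the nginx stream "client disconnected" line to see which hop went quiet. The hosts and ports in the comments are the ones from the post; the two local servers in the block are constructed stand-ins (one echoes the 12-byte request, one swallows it like the upstream in the posted log) so the script runs offline. The TLS branch of probe() is what you would point straight at the upstream, bypassing nginx, with the CA file and expected name from the config.

```python
# Added example (not code from the forum post): count bytes per hop instead of
# relying on netcat's silence, and interpret the nginx stream log counters.
# Assumptions: the local servers are constructed stand-ins for the nginx
# listener and the TLS upstream; real hosts/ports appear only in comments.
import re
import socket
import ssl
import threading

# The 12-byte request from the post's netcat command.
PAYLOAD = bytes.fromhex("020400770300620131378e03")

LOG_RE = re.compile(r"bytes from/to client:(\d+)/(\d+), bytes from/to upstream:(\d+)/(\d+)")


def diagnose_stream_log(line):
    """Turn an nginx stream 'client disconnected' line into a verdict on which hop stalled."""
    m = LOG_RE.search(line)
    if not m:
        return None  # no byte counters on this line
    c_in, c_out, u_in, u_out = (int(x) for x in m.groups())
    if c_in == 0:
        verdict = "client sent nothing"
    elif u_out < c_in:
        verdict = "nginx did not forward the whole request to upstream (handshake or verify failure?)"
    elif u_in == 0:
        verdict = "upstream got the request but never answered"
    elif c_out < u_in:
        verdict = "upstream answered but nginx did not relay it to the client"
    else:
        verdict = "bytes flowed both ways"
    return {"client_in": c_in, "client_out": c_out,
            "upstream_in": u_in, "upstream_out": u_out, "verdict": verdict}


def probe(host, port, payload=PAYLOAD, tls=False, cafile=None,
          server_hostname=None, timeout=3.0):
    """Send payload, read until EOF or timeout; return (bytes_sent, bytes_received).

    tls=True wraps the socket the way proxy_ssl does: TLSv1.2 or newer only,
    server certificate verified against cafile and server_hostname.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        sock = ctx.wrap_socket(sock, server_hostname=server_hostname)
    try:
        sock.sendall(payload)
        received = b""
        while len(received) < len(payload):
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break  # the "tx ok, zero bytes received" case from the post
            if not chunk:
                break  # peer closed
            received += chunk
        return len(payload), received
    finally:
        sock.close()


def start_local_server(echo):
    """Constructed plaintext stand-in on 127.0.0.1: echoes when echo=True,
    otherwise swallows the request like the upstream in the posted log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(10)
            try:
                data = conn.recv(4096)
                if echo and data:
                    conn.sendall(data)
                while conn.recv(4096):  # hold the connection open until the client leaves
                    pass
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(diagnose_stream_log("2020/06/04 13:16:42 [info] 7254#0: *23 client disconnected, "
                              "bytes from/to client:12/0, bytes from/to upstream:0/12")["verdict"])
    for echo in (True, False):
        sent, got = probe("127.0.0.1", start_local_server(echo), timeout=1.0)
        print(f"echo={echo}: sent {sent} bytes, got {len(got)} back")
    # Against the setup in the post you would compare, for the same payload:
    #   probe("10.28.151.113", 8000)                       # plaintext, through nginx
    #   probe("10.28.151.188", 8000, tls=True,
    #         cafile="/media/appfs/etc/ssl/ca-nwgt.crt",
    #         server_hostname="<name on the upstream cert>")  # TLS, upstream directly
```

If the direct TLS probe returns 12 bytes while the probe through nginx returns 0, the upstream and its certificate are fine and the problem is on the nginx side; if the direct probe also returns nothing, the upstream is the one going quiet and nginx is only reporting it.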
Re: Issue for TLS secured upstream TCP connection
June 22, 2020 02:43AM
Fixed by changing
listen 8000;
to
listen 127.0.0.1:8000;