I am using OpenResty as a reverse proxy. OpenResty uses Nginx as its backend server. I have configured OpenResty with LuaJIT so that I can use Lua inside my proxy configuration in order to perform some business logic.
I want to forward all requests to the original URL, using the original protocol, i.e. using HTTP/HTTPS.
My proxy.conf is under /usr/local/openresty/nginx/conf/sites-available/proxy.conf and it is as follows:
server {
    error_log /usr/local/openresty/nginx/logs/error.log debug;
    listen 1080 ssl;
    server_name localhost;
    ssl_certificate /usr/local/openresty/nginx/ssl/localhost.crt;
    ssl_certificate_key /usr/local/openresty/nginx/ssl/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    location / {
        access_by_lua_block {
            -- some irrelevant business logic
        }
        # using Google as DNS
        resolver 8.8.8.8;
        proxy_pass $scheme://$host$request_uri;
    }
}
My SSL certificates are self-signed, generated using openssl for my local host.
I am testing it in the following way:
curl -v -I -x https://localhost:1080 https://stackoverflow.com/questions/38371840/ssl-pass-through-in-nginx-reverse-proxy
I am getting this error:
* Trying 127.0.0.1:1080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1080 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Proxy certificate:
*  subject: CN=localhost
*  start date: Sep 5 09:31:24 2023 GMT
*  expire date: Oct 5 09:31:24 2023 GMT
*  subjectAltName: host "localhost" matched cert's "localhost"
*  issuer: CN=localhost
* SSL certificate verify ok.
* allocate connect buffer!
* Establish HTTP proxy tunnel to stackoverflow.com:443
> CONNECT stackoverflow.com:443 HTTP/1.1
> Host: stackoverflow.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: openresty/1.21.4.2
Server: openresty/1.21.4.2
< Date: Tue, 05 Sep 2023 16:48:44 GMT
Date: Tue, 05 Sep 2023 16:48:44 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 163
Content-Length: 163
< Connection: close
Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 400 from proxy after CONNECT
Is this due to the self-signed certificates, or am I missing something?
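As an added example (not part of the question), here is a small Python classifier over the `curl -v` lines that tells a rejected proxy certificate apart from a proxy that answered the CONNECT with an error. The trace excerpts are constructed from the output above plus one contrast case; for context, curl sends a CONNECT to a `-x` proxy for any https:// target, and stock nginx/OpenResty does not implement the CONNECT method, so a `proxy_pass` location never sees such a request.

```python
import re

# Constructed excerpt of the curl -v -x https://localhost:1080 trace shown above.
TRACE_400_AFTER_CONNECT = """\
* Connected to localhost (127.0.0.1) port 1080 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* SSL certificate verify ok.
* Establish HTTP proxy tunnel to stackoverflow.com:443
> CONNECT stackoverflow.com:443 HTTP/1.1
> Host: stackoverflow.com:443
< HTTP/1.1 400 Bad Request
< Server: openresty/1.21.4.2
* Received HTTP code 400 from proxy after CONNECT
curl: (56) Received HTTP code 400 from proxy after CONNECT
"""

# Constructed contrast case: what curl prints when it really rejects the proxy certificate.
TRACE_CERT_REJECTED = """\
* Connected to localhost (127.0.0.1) port 1080 (#0)
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
"""


def diagnose_proxy_trace(trace: str) -> dict:
    """Classify the failing stage of a `curl -v -x https://proxy https://target` run.

    tls_verified   : curl accepted the proxy's certificate
    connect_target : host:port curl asked the proxy to tunnel to, if a CONNECT was sent
    connect_status : HTTP status the proxy returned to that CONNECT, if any
    stage          : tls-rejected | no-connect | tunnel-ok | proxy-rejected-connect
    """
    tls_verified = "SSL certificate verify ok." in trace
    tls_rejected = bool(re.search(r"^\* SSL certificate problem|certificate verify failed", trace, re.M))
    connect = re.search(r"^> CONNECT (\S+) HTTP/1\.[01]$", trace, re.M)
    # The first status line after the CONNECT is the proxy's answer, not the origin's.
    status = re.search(r"^< HTTP/1\.[01] (\d{3})", trace[connect.end():], re.M) if connect else None
    code = int(status.group(1)) if status else None
    if tls_rejected:
        stage = "tls-rejected"
    elif connect is None:
        stage = "no-connect"
    elif code == 200:
        stage = "tunnel-ok"
    else:
        stage = "proxy-rejected-connect"
    return {"tls_verified": tls_verified, "connect_target": connect.group(1) if connect else None,
            "connect_status": code, "stage": stage}
```

Run against the trace from the question it reports the certificate as verified and the failure as a 400 to the CONNECT itself, which points at the proxy's handling of CONNECT rather than at the self-signed certificate.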