Background
I have an API running on port 8000 locally. To be able to access it via hostname, I did a bit of setup in AWS:
- stream.mydomain.com -> S3 (website redirect to webstream.mydomain.com:8000)
- webstream.mydomain.com -> Public IP
Target
This works with HTTP; however, in an effort to add SSL, I set my port forwarding to 443, ran nginx on my destination machine proxying to localhost:8000, and modified the AWS config as below:
- stream.mydomain.com -> CloudFront endpoint (binding SSL cert, redirecting http to https)
- CloudFront endpoint -> S3 (website redirect to webstream.mydomain.com without port number and enforcing https)
- webstream.mydomain.com -> Public IP
Problem
Traffic flow worked just as it should; I was able to see the incoming connections in the Nginx access logs. However, my API running on port 8000 never received the request.
There was nothing in the nginx error logs.
Question
Was this even a right setup to begin with?
I know Let's Encrypt or any downloadable public certificate is a solution, but I want to know what's wrong with this setup.
Troubleshooting
- Swapped from local IP address to 127.0.0.1
- Ran curl on localhost and local IP address on port 8000 - both work fine
- curl -v https://webstream.mydomain.com - * error:0A00010B:SSL routines::wrong version number
- nslookup webstream.mydomain.com - resolved to my public IP address
- openssl s_client -connect webstream.mydomain.com:443 - 408728AAF77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
- sudo tcpdump -i lo -n port 8000 - no activity when connected to webstream.mydomain.com
I have this API written in both Python (FastAPI) and Rust (Actix), but neither received the connection.
Nginx config
Nginx with SSL termination at the CloudFront level
I set up a redirect in nginx to get away from the mandatory arguments ssl_certificate and ssl_certificate_key when using SSL.
# Port 80: redirect everything to https on the same host
server {
    listen 80;
    server_name webstream.mydomain.com;
    return 301 https://$host$request_uri;
}

# Port 443: listen directive has no "ssl" parameter and no certificate directives
server {
    listen 443;
    server_name webstream.mydomain.com;

    location / {
        # Forward to the API on the loopback interface
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
OpenSSL Error Message
CONNECTED(00000003)
408728AAF77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Curl Error
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
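An added diagnostic, not part of the original post, that ties the two error dumps above to the posted config. The five bytes curl received ("(5454) (IN), , Unknown (72)") and that openssl read ("SSL handshake has read 5 bytes") decode as ASCII `HTTP/`: the server answered the TLS ClientHello in clear text. That is what nginx does when a `listen 443;` directive lacks the `ssl` parameter; it speaks plain HTTP on that port, rejects the binary ClientHello as a malformed request with a 400 (which shows up in the access log, while nothing is proxied to port 8000). Because the S3 website redirect sends the browser straight to webstream.mydomain.com:443, TLS terminates at nginx rather than at CloudFront, so that listener needs `ssl` and a certificate. The script below decodes the record header the way curl/openssl do and lints an nginx config for 443 listeners without `ssl`; the sample response bytes are constructed and the certificate paths in the corrected block are placeholders, not the poster's.

```python
"""Added example (not from the original post): decode the bytes a TLS client
received from port 443, and lint an nginx config for a 443 listener without ssl."""
import re
import struct

# TLS record header: content type (1 byte), protocol version (2), length (2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def decode_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes exactly as curl/openssl do before failing."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {
        "type": ctype,
        "type_name": TLS_CONTENT_TYPES.get(ctype, f"Unknown ({ctype})"),
        "version": version,  # curl prints this as hex, e.g. "(5454)"
        "length": length,
        # Every real TLS record has a known type and a 0x03xx version.
        "looks_like_tls": ctype in TLS_CONTENT_TYPES and (version >> 8) == 0x03,
    }


def classify_response(data: bytes) -> str:
    """Say what the server actually speaks on the port the client dialed."""
    if decode_record_header(data)["looks_like_tls"]:
        return "tls"
    if data[:5] == b"HTTP/":
        return "plaintext-http"  # a web server answered the ClientHello in clear
    return "unknown"


def find_plaintext_tls_listeners(conf: str) -> list:
    """Return listen directives that bind port 443 without the ssl parameter.

    Such a listener speaks plain HTTP, so a TLS ClientHello is parsed as a
    malformed request and answered with 'HTTP/1.1 400 ...' in clear text.
    """
    hits = []
    for m in re.finditer(r"listen\s+([^;]*?)\s*;", conf):
        args = m.group(1).split()
        if not args:
            continue
        port = args[0].rsplit(":", 1)[-1]  # handles 443, 0.0.0.0:443, [::]:443
        if port == "443" and "ssl" not in args[1:]:
            hits.append(m.group(0))
    return hits


# Constructed sample: the start of nginx's clear-text reply to a ClientHello on
# a non-ssl listener. Only the first 5 bytes matter; the rest is assumed.
SAMPLE_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"

# The 443 server block as posted (trimmed to the relevant directives).
POSTED_CONF = """
server {
    listen 443;
    server_name webstream.mydomain.com;
    location / { proxy_pass http://127.0.0.1:8000; }
}
"""

# Corrected block; the certificate paths are placeholders (assumed), not the poster's.
FIXED_CONF = """
server {
    listen 443 ssl;
    server_name webstream.mydomain.com;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8000; }
}
"""

if __name__ == "__main__":
    hdr = decode_record_header(SAMPLE_RESPONSE)
    print(f"record type {hdr['type_name']}, version 0x{hdr['version']:04x}, "
          f"length {hdr['length']} -> {classify_response(SAMPLE_RESPONSE)}")
    print("posted config:", find_plaintext_tls_listeners(POSTED_CONF))
    print("fixed config :", find_plaintext_tls_listeners(FIXED_CONF))
```

Run against the constructed response, the decoder reports type 72, version 0x5454 and length 0x502f, the same numbers curl printed, and classifies the port as plaintext HTTP; the linter flags `listen 443;` in the posted block and nothing in the corrected one. The same decoder can be pointed at the first bytes returned by `openssl s_client -connect host:443 -debug` whenever "wrong version number" appears, since that error almost always means something other than TLS answered on the TLS port.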