On Thu, Sep 22, 2016 at 05:54:35AM -0400, adrhc wrote:

Hi there,

> What is the thing writing to nginx? (stunnel, I think)
> stunnel according to the setup:

I strongly suspect that your stunnel is not doing what you want it to do.

If you "tcpdump" the traffic out of stunnel; or if you replace nginx
with a "netcat" listener so you can see the bytes that are transferred;
I think you will see something other than plain http coming out of it.

> How is it configured?

> [tls to any http]
> sni = tls:*
> # using nginx proxy_protocol (is http though using 443!):
> connect = 127.0.0.1:443
> protocol = proxy

https://www.stunnel.org/static/stunnel.html, in the "sni=" section,
says """The connect option of the slave service is ignored when the
protocol option is specified, as protocol connects to the remote host
before TLS handshake."""

I suspect that that is related to what stunnel is doing. Have you any
way of verifying that stunnel can do what you want, and does do what
you want with this configuration?

> What version of proxy_protocol is stunnel writing?
> it's the one from nginx 1.11.3 ...

nginx is listening (I think) for proxy-protocol version 1. If stunnel
is writing version 2, things will go wrong.

> If it is trying to speak something other than http wrapped in tls,
> it is unlikely that nginx will be able to process the requests.
> I gues it tries not because it's working fine with
> https://adrhc.go.ro/transmission/ but when stunnel is not involved e.g.:
> Transmission remote GUI:443 -> sshttp:443 -> nginx:127.0.0.1:1443 (with ssl,
> without listen ... proxy_protocol, port_in_redirect off)

Ok, so from that you can read that nginx access log to see what the
first request that "transmission" makes is.

Then you can see whether that gets to your no-ssl nginx on port 443. I
think you have shown that it does not.

If you are interested in testing, it might be worth seeing what happens
if you put stunnel in front of nginx-ssl-proxy-protocol, or in front of
nginx-ssl, or in front of nginx without proxy-protocol. Depending on the
bytes that make it to nginx and how hey are interpreted, that might point
at whether the problem is with stunnel writing, or with nginx reading,
in the original case that you care about.

Good luck with it,

        f
-- 
Francis Daly        fran...@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to