Some pages return "502 Bad Gateway" error

SoftTimur asked:

I just realized that certain links of my website lead to "502 Bad Gateway" error. For example, https://v2a.10studio.tech/10studio/auth/google, https://v2a.10studio.tech/auth/google, https://v2a.10studio.tech/10studio/auth/microsoft, https://v2a.10studio.tech/auth/microsoft. I’m pretty sure that those links worked several weeks ago, I don’t know what happened.

The website https://v2a.10studio.tech/ is still working. https://v2a.10studio.tech/#/sign?next=/ contains the buttons clicking on which lead to the broken links.

Here is docker-compose.yml:

version: "3"
services:
  frontend:
    restart: unless-stopped
    image: staticfloat/nginx-certbot
    ports:
      - 80:80/tcp
      - 443:443/tcp
    environment:
      CERTBOT_EMAIL: [email protected]
    volumes:
      - ./conf.d:/etc/nginx/user.conf.d:ro
      - letsencrypt:/etc/letsencrypt
  10studio:
    image: bitnami/nginx:1.16
    restart: always
    volumes: 
      - ./build:/app
      - ./default.conf:/opt/bitnami/nginx/conf/server_blocks/default.conf:ro
      - ./configs/config.prod.js:/app/lib/config.js
    depends_on: 
    - frontend

volumes:
  letsencrypt:

networks:
  default:
    external:
      name: 10studio

And conf.d/v2.conf:

gzip on;
gzip_proxied any;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/jpeg image/png image/svg+xml image/x-icon;

upstream funfun {
   server www.funfun.io:443;
}


server {
    listen              443 ssl;
    ssl_certificate     /etc/letsencrypt/live/v2a.10studio.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/v2a.10studio.tech/privkey.pem;
    server_name v2a.10studio.tech;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Frame-Options "";
    
    
    location ~ /socialLoginSuccess {                                                                                            
        rewrite ^ '/#/socialLoginSuccess' redirect;
     }

    location ~ /auth/(.*) {                                                                                            
        proxy_pass  https://funfun/10studio/auth/$1?$query_string;
        proxy_set_header Host v2a.10studio.tech;
     }

    location / {
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Accept-Encoding     "";
        proxy_set_header    Proxy               "";
        proxy_pass          http://10studio:8080/;

        # These three lines added as per https://github.com/socketio/socket.io/issues/1942 to remove socketio error
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}

Could anyone help?

PS: I changed some setting (especially SSL certificates) for funfun.io in CloudFlare several weeks ago, i don’t if it is related. I don’t know if this Proxy status (DNS only or Proxied) has an impact.

enter image description here

Edit 1: here are some docker logs:

2020-08-18T20:19:15.667934708Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.153.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.667995550Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.153.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.738088121Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.152.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.738135701Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.152.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803843403Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://172.67.193.92:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803890220Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://172.67.193.92:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803908241Z 176.144.215.193 - - [18/Aug/2020:20:19:15 +0000] "GET /auth/github HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
2020-08-18T20:19:21.284333260Z 2020/08/18 20:19:21 [error] 42#42: *310 no live upstreams while connecting to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /10studio/auth/github HTTP/1.1", upstream: "https://funfun/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:21.285121395Z 176.144.215.193 - - [18/Aug/2020:20:19:21 +0000] "GET /10studio/auth/github HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"

My answer:


The error SSL alert number 40 means you tried to connect to an HTTPS site which requires SNI but did not send a SNI hostname.

You are trying to proxy_pass requests that start with /auth/ to an upstream server named www.funfun.io. But this site is hosted on CloudFlare and thus requires SNI to connect to it with HTTPS. Unfortunately nginx’s SNI support for outgoing upstream HTTPS connections is disabled by default (I can’t imagine why). You need to explicitly enable SNI for outgoing connections to upstream with proxy_ssl_server_name on;. This can be set in the http context so that it applies to every attempted proxy_pass in your entire configuration, or can be placed only in specific locations where it is needed.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.