krakend - nginx reverse proxy with tls - version mismatch


MP COV

Aug 12, 2022, 3:14:58 PM
to KrakenD Community
Hi,

I have a docker setup with a nginx lb/reverse proxy and a gateway container.

When trying to route traffic through the load balancer, I receive errors on the proxy end:

[error] 63#63: *49 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 172.21.0.1, server: , request: "GET /myurl HTTP/1.1", upstream: "https://172.21.0.4:8080/myurl", host: "vdt2044:8400"

Also, KrakenD logs this error:

2022/08/12 03:14:04 http: TLS handshake error from 172.21.0.5:52614: tls: client offered only unsupported versions: [303 302 301]

I tried different cipher settings for TLS, but no luck so far.

This is the nginx config:

    upstream loadbalancer {
        least_conn;
        #server 172.21.0.10:8180;
        #server 172.21.0.8:8280;
        server krakend20:8080;
    }

    server {
        listen 8400 ssl;
        ssl_verify_client       off;

        ssl_certificate         /etc/nginx/ssl/server.crt;
        ssl_certificate_key     /etc/nginx/ssl/server.key;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;
        proxy_ssl_verify off;

        ssl_protocols                   TLSv1.3;
        #ssl_ciphers                     ECDHE-ECDSA-AES256-GCM-SHA384;
        ssl_conf_command Ciphersuites   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            proxy_ssl_verify off;
            proxy_pass https://loadbalancer;
        }
    }

and the krakend.json config (the "tls" block):

    {
      "tls": {
        "public_key": "/etc/krakend/krakend20.crt",
        "private_key": "/etc/krakend/krakend20.key",
        "min_version": "TLS13",
        "max_version": "TLS13"
      }
    }


All CRTs are self-signed.

What is the mismatch, or how do I set up the encrypted communication?

Thanks for any insights.

Matt

MP COV

Aug 12, 2022, 3:21:19 PM
to KrakenD Community, MP COV
FYI, this is based on the following images:

devopsfaith/krakend:2.0.4
nginx:latest

MP COV

Aug 12, 2022, 4:09:21 PM
to KrakenD Community, MP COV
Also happens on the latest KrakenD version.

Daniel Lopez

Aug 18, 2022, 12:48:25 PM
to KrakenD Community, matt.pe...@gmail.com
Hi Matt,

The KrakenD log is telling you that the client (nginx) is not offering TLS1.3 but TLS1.0, TLS1.1 and TLS1.2.

Also, you could add the TLS1.3 cipher suites to the mix (https://www.krakend.io/docs/service-settings/tls/#tls-configuration) because they are not included in the default set.

Kind regards
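Decoding the two log lines from the question, as an added example that is not part of the thread: the bracketed numbers KrakenD prints are hex TLS version codes (0x0303 is TLS1.2, 0x0304 is TLS1.3) and nginx's "SSL alert number 70" is the protocol_version alert, so the script checks whether the versions the client offered overlap the server's configured range. The KrakenD version names other than "TLS13" are assumed from the KrakenD TLS documentation.

```python
import re

# TLS version codes as sent on the wire (RFC 5246, RFC 8446). Go's crypto/tls,
# which KrakenD is built on, logs them in hex, hence "[303 302 301]".
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# KrakenD min_version/max_version names. "TLS13" is on the page; the other
# names are assumed from the KrakenD TLS documentation.
KRAKEND_NAMES = {"SSL3": 0x0300, "TLS10": 0x0301, "TLS11": 0x0302,
                 "TLS12": 0x0303, "TLS13": 0x0304}
# TLS alert descriptions (RFC 5246 section 7.2); nginx prints only the number.
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version"}

KRAKEND_RE = re.compile(r"TLS handshake error from (\S+): tls: client offered "
                        r"only unsupported versions: \[([0-9a-f ]+)\]")
NGINX_RE = re.compile(r'SSL alert number (\d+)\) while SSL handshaking to '
                      r'upstream.*upstream: "(https://[^"]+)"')

# Log lines and "tls" block quoted from the thread above.
KRAKEND_LOG = ("2022/08/12 03:14:04 http: TLS handshake error from 172.21.0.5:52614: "
               "tls: client offered only unsupported versions: [303 302 301]")
NGINX_LOG = ('[error] 63#63: *49 SSL_do_handshake() failed (SSL: error:1409442E:SSL '
             'routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) '
             'while SSL handshaking to upstream, client: 172.21.0.1, server: , request: '
             '"GET /myurl HTTP/1.1", upstream: "https://172.21.0.4:8080/myurl", host: "vdt2044:8400"')
TLS_CFG = {"min_version": "TLS13", "max_version": "TLS13"}

def parse_krakend(line):
    """Peer address and the TLS versions it offered, or None if not a version error."""
    m = KRAKEND_RE.search(line)
    if not m:
        return None
    codes = [int(c, 16) for c in m.group(2).split()]
    return {"client": m.group(1), "offered": [TLS_VERSIONS.get(c, hex(c)) for c in codes]}

def parse_nginx(line):
    """Alert name and upstream URL from an nginx upstream handshake error, or None."""
    m = NGINX_RE.search(line)
    return None if not m else {"alert": TLS_ALERTS.get(int(m.group(1)), "unknown"),
                               "upstream": m.group(2)}

def server_accepts(tls_cfg):
    """Versions a KrakenD "tls" block allows, from min_version to max_version."""
    lo, hi = KRAKEND_NAMES[tls_cfg["min_version"]], KRAKEND_NAMES[tls_cfg["max_version"]]
    return [name for code, name in TLS_VERSIONS.items() if lo <= code <= hi]

def common_versions(krakend_line, tls_cfg):
    """Versions both sides support; an empty list is exactly this thread's failure."""
    offered = parse_krakend(krakend_line)["offered"]
    return [v for v in server_accepts(tls_cfg) if v in offered]
```

With the thread's config, `common_versions` returns an empty list: the proxy offers TLS1.0 to TLS1.2 on the upstream leg while KrakenD accepts only TLS1.3, which is the mismatch both logs describe.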