I noticed something on an nginx config. There are 2 upstream blocks configured that are exactly the same:
    upstream test1.example.com {
        server flaskapp.example.com:5000;
    }
    server {
        listen 443 ssl;
        ssl_certificate /opt/certs/example1.com.crt;
        ssl_certificate_key /opt/example1.com.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256";
        location / {
            proxy_pass http://test1.example.com;
        }
    }
    upstream test2.example.com {
        server flaskapp.example.com:5000;
    }
    server {
        listen 443 ssl;
        ssl_certificate /opt/certs/test.com.crt;
        ssl_certificate_key /opt/test.com.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256";
        location / {
            proxy_pass http://test2.test.com;
        }
    }
I have 2 server blocks listening on port 443. So I have the same server listening for 2 separate connections on the same block... if that makes sense.
My thought was that this would fail because the same server listening for incoming https connections to test1 and test2.example.com wouldn't know 'where' to route the requests to. But that's not what's happening.
If I go to https://test1.example.com I am routed to the correct app. And https works as expected.
If I go to https://test2.example.com I am routed to the correct app. But https does not work as expected. This is confusing because both certs are wildcard certs. I am unsure why 1 succeeded and one failed.
If I comment out the first upstream block:
    # upstream test1.example.com { server flaskapp.example.com:5000; }
    # server { proxy_pass test1.example.com; }
Something stranger happens. Connecting to https://test2.test.com gives me a 'failed to connect to server' error message in my web browser. And the logs show this as the error:
    no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking
This is for test1.example.com, and I know the wildcard cert works. I'm using it elsewhere. So I'm unsure why I'm getting a 'failed to connect to server' error when I go to test1.example.com in this manner.
A few things to note:
- Both test1.example.com and test2.test.com point to the same nginx server.
- If both upstream/server blocks are working then test1.example.com shows the site is ssl secure. That is expected. But test2.test.com shows the website is insecure. This leads me to believe that only the first server/upstream block is working as expected. And the 2nd server/upstream block is being ignored.
- #2 actually does make sense, in that a server shouldn't be listening for incoming connections to the same port, and route to different servers. The proxy doesn't know what to do with 1 of the connections (bad explanation on my part).
- But that doesn't explain why the 2nd server/upstream block would outright fail. Even when test2.example.com is the only server/upstream block configured.
Any advice is appreciated, thank you for your time and consideration. This is something I've been struggling to understand and make heads/tails of.
- bossrhino
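The behaviour described in the post (the second host served as insecure, and every connection landing in the first block) is what nginx does when no server block on the port carries a server_name: there is nothing for SNI to match, so every TLS connection falls through to the first server on :443 and is handed that block's certificate. As an added example, not the poster's code, here is a small Python lint that parses a config of this shape and reports ssl server blocks without server_name and ports where several such blocks collide; SAMPLE_CONF is a constructed input modelled on the post, and the parser assumes plain brace-and-semicolon syntax (no include or map expansion).

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's file): two ssl server blocks on :443 with certificates but no server_name.
SAMPLE_CONF = """
upstream test1.example.com { server flaskapp.example.com:5000; }
server { listen 443 ssl; ssl_certificate /opt/certs/example1.com.crt;
         ssl_certificate_key /opt/example1.com.key; location / { proxy_pass http://test1.example.com; } }
upstream test2.example.com { server flaskapp.example.com:5000; }
server { listen 443 ssl; ssl_certificate /opt/certs/test.com.crt;
         ssl_certificate_key /opt/test.com.key; location / { proxy_pass http://test2.example.com; } }
"""

def server_blocks(conf):
    """Return the top-level (name, args) directives of each server { } block; nested blocks are skipped."""
    blocks, depth, sdepth, buf, cur = [], 0, 0, "", None
    for ch in re.sub(r"#.*", "", conf):  # strip comments, then scan by brace depth
        if ch == "{":
            if cur is None and buf.split() == ["server"]:
                cur, sdepth = [], depth
                blocks.append(cur)
            depth, buf = depth + 1, ""
        elif ch == "}":
            depth, buf = depth - 1, ""
            if cur is not None and depth == sdepth:
                cur = None  # left the server block
        elif ch == ";":
            if cur is not None and depth == sdepth + 1 and buf.split():
                cur.append((buf.split()[0], buf.split()[1:]))
            buf = ""
        else:
            buf += ch
    return blocks

def audit(conf):  # flag ssl server blocks SNI cannot select, and ports where several such blocks collide
    findings, nameless = [], defaultdict(list)
    for idx, directives in enumerate(server_blocks(conf), 1):
        d = defaultdict(list)
        for name, args in directives: d[name].append(args)
        ssl_ports = [a[0] for a in d["listen"] if "ssl" in a]
        if ssl_ports and not d["ssl_certificate"]:
            findings.append(f"server #{idx}: ssl listener without ssl_certificate")
        if ssl_ports and not d["server_name"]:
            findings.append(f"server #{idx}: ssl listener without server_name")
            for port in ssl_ports:
                nameless[port].append(idx)
    for port, idxs in nameless.items():  # nginx uses the first server on the port for any unmatched SNI name
        if len(idxs) > 1:
            findings.append(f"port {port}: servers {idxs} lack server_name; every name gets #{idxs[0]}'s cert")
    return findings
```

Running audit(SAMPLE_CONF) reports both nameless blocks and the :443 collision; adding a distinct server_name to each block clears every finding.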
Posted 3 years ago to r/sysadmin (reddit.com/r/sysadmin/co...)