NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.9k stars 2.66k forks

routines:ssl3_read_bytes:tlsv1 unrecognized name #2742

Open franciscopaniskaseker opened 1 year ago

franciscopaniskaseker commented 1 year ago

Describe the bug: When I execute this curl

curl https://192.168.1.173:443
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name

I got a tlsv1 error. I tried to enable tlsv1 and set up a cert, but it did not work. Is this an openresty problem or npm config?

Nginx Proxy Manager Version: latest, installed yesterday.

To Reproduce: just execute the curl under https://ip:443

Expected behavior: passthrough ssl handshake without problems.

Operating System: ubuntu 20.05

Balder1840 commented 1 year ago

I got the same issue when I set the proxy_host's Domain Name as an IP address. It seems that SNI does not support literal IP addresses.

Check the following links:
https://serverfault.com/questions/1047374/nginx-and-https-specifying-an-ip-address-as-a-server-name-gives-the-correct-we
https://nginx.org/en/docs/http/configuring_https_servers.html
https://github.com/openssl/openssl/issues/8083
https://github.com/haproxy/haproxy/issues/332#issuecomment-544969151
https://www.rfc-editor.org/rfc/rfc6066#section-3
https://www.ietf.org/archive/id/draft-nygren-tls-ip-in-sni-00.html

And please let me know if you solved this. Thanks.

dinbtechit commented 7 months ago

I'm having the same issue here. Unfortunately not sure how to fix it. As per the suggestion in #3627 I created a self-signed cert and uploaded it as a custom cert and restarted the nginx proxy but still the https is not working.

I poked around the configuration a bit. The Nginx 443 SSL configuration does not appear to have any location.

Exec into the container:

docker-compose exec app bash

and view the nginx default.conf file

[root@docker-f4926e3b49c5:/etc/nginx/conf.d]# cat default.conf
# "You are not configured" page, which is the default if another default doesn't exist
server {
    listen 80;
    listen [::]:80;

    set $forward_scheme "http";
    set $server "127.0.0.1";
    set $port "80";

    server_name localhost-nginx-proxy-manager;
    access_log /data/logs/fallback_access.log standard;
    error_log /data/logs/fallback_error.log warn;
    include conf.d/include/assets.conf;
    include conf.d/include/block-exploits.conf;
    include conf.d/include/letsencrypt-acme-challenge.conf;

    location / {
        index index.html;
        root /var/www/html;
    }
}

# First 443 Host, which is the default if another default doesn't exist
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    set $forward_scheme "https";
    set $server "127.0.0.1";
    set $port "443";

    server_name localhost;
    access_log /data/logs/fallback_access.log standard;
    error_log /dev/null crit;
    include conf.d/include/ssl-ciphers.conf;
    ssl_reject_handshake on;

    return 444;
}

There is some documentation on how to override the nginx config but no idea how to update the server 443 session. https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations

Hope someone who has better knowledge of Nginx Proxy Manager can help to figure out how to fix this. 🙏🙏

akuznecov commented 7 months ago

Hello !

Just faced the same issue, and it seems it is caused by the ssl_reject_handshake on; instruction set in the NPM virtual host configurations.

To avoid it you have to use a modified cURL command, for example:

curl -k -I -X GET --resolve domain.name:443:192.168.0.228 https://domain.name

Additionally, in advanced configurations, when you have an extra proxy server in front of NPM, you have to add the following lines to this extra proxy's configuration (not to NPM):

  proxy_ssl_server_name  on;
  proxy_ssl_name         $http_host;

stefano-cherchi commented 4 months ago

Just faced the same problem and the reason was I forgot to add

 proxy_ssl_server_name  on;

to my configuration

k4mil666 commented 1 month ago

Hello,

I'm currently facing this issue and attempted the suggested solution mentioned here, but unfortunately, it didn’t work for me. Has anyone managed to resolve this successfully? I would appreciate any advice or alternative solutions.

root@kk:~# curl https://192.168.2.17/
curl: (35) error:0A000458:SSL routines::t

Thank you in advance!

k4mil666 commented 1 month ago

I managed to resolve the issue. The problem is that curl in its basic form (without additional options) doesn't send an SNI when an IP address is provided in the URL. In the configuration, there's an option ssl_reject_handshake in the default.conf, which rejects connections without an SNI.

To solve this, you can create a file in data/custom/ called http_top.conf and include your configuration without this option. After that, the connection to the IP address should work.