caddy2-proxyprotocol

TLS handshake error

Open plaffitt opened this issue 3 years ago • 3 comments

Hello,

I'm getting TLS errors when using this plugin (I stripped IP addresses for privacy concerns):

$ curl -v https://xxx.yyy/
*   Trying xxx.xxx.xxx.x:443...
* TCP_NODELAY set
* Connected to xxx.yyy (xxx.xxx.xxx.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
{"level":"debug","ts":1662558661.0007904,"logger":"http.stdlib","msg":"http: TLS handshake error from xx.xxx.xxx.xxx:3803: invalid signature"}

Here is my caddyfile:

{
	debug
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 5s
				allow 0.0.0.0/0
			}
			tls
		}
	}
}

xxx.yyy {
	reverse_proxy sftpgo:8080 # I run this in docker-compose, so sftpgo is a docker container
}

I don't understand what I'm doing wrong.

plaffitt · Sep 07 '22 14:09

Same here.

$ curl -v https://books.aiursoft.cn
*   Trying 192.168.50.80:443...
* Connected to books.aiursoft.cn (192.168.50.80) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443

Anduin2017 · Oct 07 '22 19:10

Hi @paullaffitte, I finally solved this!

The solution is: set the allow attribute to use this plugin only when the request is coming from the trusted reverse proxy server IP.

For example, I'm using frp as a reverse proxy, and it works at 127.0.0.1. So I set it as:

{
	servers :443 {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 127.0.0.1/32
			}
			http_redirect
			tls
		}
	}
}

After that, my direct HTTP requests won't hit this plugin and don't have this issue.

Anduin2017 · Oct 07 '22 20:10
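To make the effect of the `allow` directive concrete, here is an added Go sketch written for this thread; it is not the plugin's code. It models the gating described in the comment above: only a peer inside an allowed CIDR is expected to send a PROXY header, any other connection is handed to TLS untouched. The PROXY v1/v2 signatures come from the HAProxy spec, the 0x16/0x03 check is the TLS handshake record header, and the result labels are my own.

```go
package main

import (
	"bytes"
	"net/netip"
)

// Wire signatures of PROXY protocol v1 and v2 (from the HAProxy spec).
var proxyV1Sig = []byte("PROXY ")
var proxyV2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")

// classifyPrefix labels the first bytes read from a socket: PROXY v1/v2 header,
// TLS handshake record (type 0x16, major version 0x03), or unknown.
func classifyPrefix(b []byte) string {
	switch {
	case bytes.HasPrefix(b, proxyV2Sig):
		return "proxy-v2"
	case bytes.HasPrefix(b, proxyV1Sig):
		return "proxy-v1"
	case len(b) >= 2 && b[0] == 0x16 && b[1] == 0x03:
		return "tls"
	}
	return "unknown"
}

// Decide models the gating `allow` provides: peers inside an allowed CIDR must
// send a PROXY header, everyone else passes straight to TLS. With allow 0.0.0.0/0
// every direct curl/browser client is "trusted", so its ClientHello is misread.
func Decide(remote string, allow []string, first []byte) (string, error) {
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return "", err
	}
	for _, cidr := range allow {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return "", err
		}
		if !p.Contains(addr) {
			continue
		}
		k := classifyPrefix(first)
		if k == "proxy-v1" || k == "proxy-v2" {
			return "parse-proxy-header", nil
		}
		return "proxy-header-expected-but-got-" + k, nil
	}
	return "passthrough-to-tls", nil
}
```

Run it with the reporter's `allow 0.0.0.0/0` and a direct TLS client address to see the ClientHello land on the PROXY-header path; with `allow 127.0.0.1/32` the same client passes through to TLS.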

In my case, caddy is my reverse proxy server, so it doesn't work for me.

plaffitt · Oct 14 '22 10:10