Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
188 views
in Technique by (71.8m points)

TLS pass-through via nginx giving SSL certificate problem

I have a service that's currently fronted by AWS' API Gateway. API Gateway does not offer static ("elastic", in AWS parlance) IPs. A client requires the ability to hit the API while using an IP allowlist, so I've been attempting to configure a (dockerized) nginx proxy on an instance with an elastic IP. I'm able to get a response from API Gateway via the proxy, but it's complaining about SSL.

From a browser, addressing the instance's IP: "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

From a shell on the instance itself:

# curl -v https://localhost:443
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My nginx.conf is very basic:

events {}
stream {
    # Upstream is the public API Gateway hostname; the TLS session is relayed to it as-is.
    upstream test_api {
        server my.domain.placeholder.com:443;
    }
    server {
        # Plain TCP listener (no "ssl" parameter), so nginx never terminates TLS here.
        listen 443;
        proxy_pass test_api;
    }
}

I've been using the docs at https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/# but have not had any success.

Can anyone offer any insight on using nginx streams for this use case? I'd prefer not to terminate SSL on nginx itself and just use it as a TLS pass-through if possible.

Question from: https://stackoverflow.com/questions/65876706/tls-pass-through-via-nginx-giving-ssl-certificate-problem

1 Answer

0 votes
by (71.8m points)

Update/resolution: To test this problem, I configured haproxy as a passthrough proxy instead of nginx, and had the exact same result. Apache/httpd too! So, I started to suspect my testing methods and found them to be the source of the failure. See https://stackoverflow.com/a/46355026/3620843

TL;DR: my curl invocation was failing because I was asking the server for "localhost", which of course did not resolve to the backend server. Based on that, it stands to reason that requesting the frontend server's IP in a browser would react similarly.

What's needed is curl's --resolve option.

This works: curl -v --resolve example.com:443:127.0.0.1 https://example.com

