Running Unbound DoH behind nginx
I'm trying to run Unbound DoH behind nginx, but I'm getting a 502 Bad Gateway error.
In the nginx log I have the following message:
2021/03/25 08:54:49 [error] 10052#10052: *1 upstream prematurely closed connection while reading response header from upstream, client: 127.0.0.1, server: , request: "GET /dns-query?dns=AAABAAABAAAAAAABBXBlcmR1A2NvbQAAAQABAAApEAAAAIAAAAA HTTP/2.0", upstream: "https://10.0.159.133:443/dns-query?dns=AAABAAABAAAAAAABBXBlcmR1A2NvbQAAAQABAAApEAAAAIAAAAA", host: "127.0.0.1"
and Unbound shows only this:
[1616662996] unbound[28782:1] debug: comm point start listening 71 (30000 msec)
[1616662996] unbound[28782:1] debug: startlistening 71 mode r
[1616662996] unbound[28782:1] debug: SSL connection ip4 10.0.159.35 port 41552 (len 16)
[1616662996] unbound[28782:1] debug: comm_point_close of 71: event_del
[1616662996] unbound[28782:1] debug: close fd 71
I have the following nginx configuration:
location /dns-query {
    proxy_ssl_verify off;
    proxy_pass https://unbound-host;
}
What am I missing?
Solution 1:
Unbound DoH is waiting for HTTP/2 requests, but the Nginx proxy module doesn't support HTTP/2 on upstream connections, so you can use the gRPC proxy instead:
location /dns-query {
    # grpc_pass speaks HTTP/2 to the upstream, which proxy_pass cannot do
    grpc_pass grpc://unbound-host;
}
and disable TLS for the DNS-over-HTTP downstream service in unbound.conf:
http-notls-downstream: yes
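When debugging a setup like this it helps to confirm that the query reaching nginx is itself well-formed, so the 502 can be attributed to the transport mismatch rather than to the DNS message. The following added example (not part of the question or answer) decodes the `dns=` parameter quoted in the nginx error line above: RFC 8484 GET requests carry the DNS message as unpadded base64url, and the decoder then reads the header, the question and the EDNS0 OPT record. The parameter value is taken from the log line; everything else is constructed here.

```python
import base64
import struct

# The "dns=" value from the nginx error line quoted in the question.
DOH_QUERY_PARAM = "AAABAAABAAAAAAABBXBlcmR1A2NvbQAAAQABAAApEAAAAIAAAAA"


def decode_doh_param(param: str) -> bytes:
    """RFC 8484 GET requests carry the DNS message as unpadded base64url."""
    padding = "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param + padding)


def read_name(msg: bytes, offset: int):
    """Read an uncompressed QNAME; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(msg: bytes) -> dict:
    """Decode the header, the first question and the EDNS0 OPT record, if present."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    name, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": msg_id, "rd": bool(flags & 0x0100), "is_response": bool(flags & 0x8000),
            "qname": name, "qtype": qtype, "qclass": qclass, "arcount": ar}
    if ar and off < len(msg) and msg[off] == 0:  # OPT RR has an empty owner name
        rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        if rtype == 41:  # OPT: payload size in CLASS, DO bit in the TTL field
            info["edns_udp_size"] = udp_size
            info["dnssec_ok"] = bool(ttl & 0x8000)
    return info


if __name__ == "__main__":
    print(parse_query(decode_doh_param(DOH_QUERY_PARAM)))
```

For the logged request this yields a recursion-desired A/IN query for perdu.com with an EDNS0 payload size of 4096 and the DO bit set, i.e. a valid DoH query that Unbound closed only because it arrived over HTTP/1.1.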