nginx reverse-proxy upgrade from nginx 1.17 to nginx 1.18 gives SSL error

I am having trouble upgrading nginx from 1.17 to 1.18 (or .19, .20). Everything works OK on 1.17, but higher versions give this error:

2021/08/27 01:14:45 [error] 22#22: *8 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 192.168.**.**, server: api*******.hm.*******.gov.br, request: "GET /favicon.ico HTTP/1.1", upstream: "https://192.168.**.**:443/favicon.ico", host: "api*******.hm.********.gov.br"

The error only happens when the upstream is an internal IIS server. When the upstream is another nginx, it works with versions above 1.17.

The config is basically:

location / {
    proxy_pass https://$host.***.br$uri$is_args$args;
}

I tried to use proxy_ssl_verify off without success. The IIS certificate is self-generated.

Please advise.


Solution 1:

This looks like a problem with TLS versions. Maybe your backend IIS server isn't new enough to support the TLS protocol that nginx requires?

Try adding the proxy_ssl_protocols directive, containing the SSL / TLS versions your IIS supports.
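
One way to find out which TLS versions the upstream actually accepts before choosing values for proxy_ssl_protocols. This is an added example, not part of the original answer; the function names are hypothetical and `upstream.example.internal` is a placeholder host.

```python
import socket
import ssl
import warnings

# Protocol names as the proxy_ssl_protocols directive spells them.
NGINX_NAMES = {
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}
LEGACY = {"TLSv1", "TLSv1.1"}


def probe(host, port=443, timeout=5.0):
    """Try one handshake per TLS version; return {nginx_name: bool}."""
    results = {}
    for version, name in NGINX_NAMES.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # upstream cert is self-generated
            ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not trust
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let local OpenSSL offer old versions
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version  # pin the handshake to exactly
                ctx.maximum_version = version  # one protocol version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
            results[name] = False      # reset, alert, timeout or unsupported locally
    return results


def directive(results):
    """Build the proxy_ssl_protocols line from probe() output, or None."""
    accepted = [name for name, ok in results.items() if ok]
    return "proxy_ssl_protocols " + " ".join(accepted) + ";" if accepted else None


def legacy_only(results):
    """True when the upstream accepts nothing newer than TLSv1.1."""
    accepted = {name for name, ok in results.items() if ok}
    return bool(accepted) and accepted <= LEGACY


if __name__ == "__main__":
    found = probe("upstream.example.internal")  # placeholder host, not from the page
    print(found, directive(found), "legacy only:", legacy_only(found))
```

If `legacy_only` reports True, enabling TLS 1.2 on the IIS side is the stronger fix than widening the protocols nginx will speak to it.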