Media proxy cache to TLS 1.3 only server causes 502 Bad Gateway
futzle opened this issue · comments
Issue
A remote server has been configured to reject anything older than TLS 1.2. When viewing media (also user avatar) of that user, the image is not fetched from the remote server.
Fetching the URL of the image directly reveals a 502 error, and this appears in the nginx logs:
2024/01/22 03:28:25 [error] 16173#16173: *8880 SSL_do_handshake() failed (SSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: _, request: "GET /proxy/identity_icon/272092855970203730/dcbe4399b4.jpg HTTP/1.0", upstream: "https://xxx.xxx.xxx.xxx:443/system/accounts/avatars/110/993/047/569/445/068/original/0287dcf030a0aa4d.jpg", host: "fedi.vision", referrer: "https://fedi.vision/admin/identities/"
Possible cause
It seems that nginx forwards proxied requests using TLS 1.2 by default.
Possible fix
Add to /etc/nginx/conf.d/default.conf[.tpl] the proxy_ssl_protocols
parameter:
location ~* ^/(media|proxy) {
# ...
# Proxy over TLS 1.3 and 1.2
proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
After restarting the nginx service, the image fetches.
Version
Takahē 0.10.1
Disclaimer: my installation is non-standard and been de-Dockerized. I am also not very knowledgeable about nginx so I can't say if this breaks something else.
Edit: multiple typos
Given that the blessed configuration (use the published container) does not handle TLS termination, it is not clear this problem is applicable.
TLS termination
It's not about TLS termination for incoming requests, it's about making outgoing TLS requests for proxied media hosted on a third-party server. Pretty sure that the Docker container's copy of nginx still does that:
OH I see, ok.
Yeah, that's a problem