Nginx Proxy Manager Coudflare SSL Handshake issue

[Agus-Wei]

Hi everyone,

I'm relatively new to Proxmox and have hit a wall trying to set up a Wireguard tunnel for my web services. I've searched the forum and read the documentation, but I can't seem to resolve an SSL 525 error.

My Goal​
To route traffic from Cloudflare through a Wireguard tunnel to an NPM (Nginx Proxy Manager) instance running inside a Proxmox LXC container, all for added security.

My Network Setup​
The traffic flow is: Internet -> Cloudflare -> VPS (WG Server) -> Proxmox LXC (NPM) with WG Client

• Cloudflare: DNS and proxy enabled (orange cloud).
• VPS (Wireguard Server): Has a public IP. Runs a Wireguard server. This part is confirmed working.
• LXC NPM: The final destination for web traffic.

The Problem​
When I try to access my domain, I get a Cloudflare 525 "SSL handshake failed" error. This indicates that Cloudflare can reach my VPS, and the VPS can probably forward the traffic through the tunnel, but the NPM instance behind the tunnel is either not responding correctly or not completing the TLS handshake.

Key Details & What I've Checked​
The issue does not happens when I run NPM docker on debian 13 standard CT.
The issue only occur when I use NPM community script

Wireguard Config

Server
    interface: wg1
      public key: (hidden)
      private key: (hidden)
      listening port: 51820

    peer: xxxxx/c9aSk=
      endpoint: xx.xx.xx.xx:34520
      allowed ips: 10.200.200.2/32
      latest handshake: 1 minute, 43 seconds ago
      transfer: 177.78 KiB received, 1.41 MiB sent

    Client
    interface: wg1
      public key: (hidden)
      private key: (hidden)
      listening port: 40580
      fwmark: 0xca6c

    peer: xxxxxxx=
      endpoint: xx.xx.xx.xx:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 2 seconds ago
      transfer: 92 B received, 180 B sent
      persistent keepalive: every 25 seconds

[rahulc07]

Just fixed the problem on regular nginx, Cloudflare doesn't like the order that nginx presents the ssl ciphers on newer versions of nginx. I edited /etc/letsencrypt/options-ssl-nginx.conf

# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
#ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers on;

#ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;";

(comments are the old entries)

I don't know if NPM uses a different file for SSL entries but doing a grep -r ssl_ciphers should give you where it is.