TLS handshake error

[plaffitt]

Hello,

I'm getting TLS errors when using this plugin (I stripped IP addresses for privacy concerns):

$ curl -v https://xxx.yyy/
*   Trying xxx.xxx.xxx.x:443...
* TCP_NODELAY set
* Connected to xxx.yyy (xxx.xxx.xxx.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 

{"level":"debug","ts":1662558661.0007904,"logger":"http.stdlib","msg":"http: TLS handshake error from xx.xxx.xxx.xxx:3803: invalid signature"}

Here is my caddyfile:

{
	debug
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 5s
				allow 0.0.0.0/0
			}
			tls
		}
	}
}

xxx.yyy {
	reverse_proxy sftpgo:8080 # I run this in docker-compose, so sftpgo is a docker containe
}

I don't understand what I'm doing wrong.

[Anduin2017]

Same here.

$ curl -v https://books.aiursoft.cn
*   Trying 192.168.50.80:443...
* Connected to books.aiursoft.cn (192.168.50.80) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443

[Anduin2017]

Hi, @paullaffitte I finally solved this!

The solution is: Set the allow attribute to use this plugin only when the request is coming from the trusted reverse proxy server IP.

For example, I'm using frp as a reverse proxy. And it works at 127.0.0.1. So I set it as:

{
	servers :443 {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 127.0.0.1/32
			}
			http_redirect
			tls
		}
	}
}

After that, my direct HTTP request won't hit this plugin and doesn't have this issue.

[plaffitt]

In my case, caddy is my reverse proxy server, so it doesn't work for me.

[mwild1]

This error was happening for me when the request coming in to caddy did not include the PROXY protocol header. You can use the --haproxy-protocol flag for curl to test this.

As an earlier comment says, the solution is to ensure that the allow directive specifies only IP addresses of your trusted proxies, and that they are always sending the PROXY protocol data.