Continuing my attempts to configure nginx as a reverse proxy to Radicale, which is running on localhost, I'm now getting SSL errors. Having followed the documentation on proxying, I created my own SSL certificates.
The relevant section of my nginx configuration is
location /radicale/ {
    proxy_pass http://127.0.0.1:9468/;
    #proxy_pass http://46.105.31.182:9468/;
    proxy_set_header X-Script-Name /radicale;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Remote-User $remote_user;
    auth_basic "Radicale - Password Required";
    auth_basic_user_file /etc/radicale/users;
    proxy_ssl_verify on;
    proxy_ssl_certificate /etc/radicale/client_cert.pem;
    proxy_ssl_certificate_key /etc/radicale/client_key.pem;
    proxy_ssl_trusted_certificate /etc/radicale/server_cert.pem;
}
...and my radicale config for SSL certificates is...
[server]
hosts = 127.0.0.1:9468
ssl = true
certificate = /etc/radicale/server_cert.pem
key = /etc/radicale/server_key.pem
certificate_authority = /etc/radicale/client_cert.pem
[auth]
type = http_x_remote_user
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt
If I go to the site https://####/radicale I'm prompted for username and password for authentication, but nginx then returns the following error...
upstream prematurely closed connection while reading response header from upstream, client: 62.253.154.162, server: #####, request: "GEET /radicale/ HTTP/2.0", upstream: "http://127.0.0.1:9468/", host: "####"
...and upstream Radicale reports...
ERROR: An exception occurred during request: SSL handshake failed: [SSL: HTTP_REQUEST] http request (_ssl.c:1076)
If I disable SSL between the reverse proxy and Radicale then it's not a problem: I can access the WebUI at https://####/radicale and I can log in. But if I enable it, then going to https://####/radicale I get a pop-up box asking me for username/password, the browser reports 502 Bad Gateway, and the above errors occur again.
I do have LetsEncrypt certificates in place and working on my domain. Could this be causing some sort of conflict with the SSL certificates being used for the reverse proxy?
According to the Nginx documentation, proxy_ssl_certificate and proxy_ssl_certificate_key are relevant if you want NGINX to identify itself to the upstream servers by using the SSL client certificate provided. You will also need to configure the upstream servers to require client certificates for all incoming SSL connections.
I believe Radicale is not handling authentication by client certificate, and your Radicale server is listening on 127.0.0.1, so by configuring SSL on Radicale you are basically trying to encrypt traffic on localhost.
Another point in your configuration: your authentication part is already handled by Radicale itself. There is no point in adding these lines on the reverse proxy.
I suggest to:
If you still want to encrypt traffic between the reverse proxy and Radicale, simply remove the client certificate part and add proxy_ssl_name.
proxy_ssl_name is required to avoid the error
This is due to the fact that the name verified against the SSL certificate name is the $proxy_host by default.
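As an added example (not part of the original thread, and not nginx or Radicale tooling), the Python check below cross-checks the two configuration fragments from the question for the mismatches discussed here: a TLS-enabled Radicale behind a plain http:// proxy_pass, proxy_ssl_* directives with no TLS upstream, verification without proxy_ssl_name, and a missing client certificate. The helper names and finding labels are hypothetical.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample input, trimmed from the two fragments in the question.
NGINX_LOCATION = """
location /radicale/ {
    proxy_pass http://127.0.0.1:9468/;
    proxy_ssl_verify on;
    proxy_ssl_certificate /etc/radicale/client_cert.pem;
    proxy_ssl_certificate_key /etc/radicale/client_key.pem;
    proxy_ssl_trusted_certificate /etc/radicale/server_cert.pem;
}
"""
RADICALE_CONF = """
[server]
hosts = 127.0.0.1:9468
ssl = true
certificate_authority = /etc/radicale/client_cert.pem
"""

def nginx_directives(block):
    """Map directive name -> arguments; commented-out lines are ignored."""
    found = {}
    for line in block.splitlines():
        m = re.match(r"\s*([a-z_]+)\s+([^;#]+);", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def check_upstream_tls(nginx_block, radicale_conf):
    """Hypothetical helper: list mismatches between the proxy and Radicale."""
    d = nginx_directives(nginx_block)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(radicale_conf)
    tls_upstream = cfg.getboolean("server", "ssl", fallback=False)
    url = urlsplit(d.get("proxy_pass", ""))
    https = url.scheme == "https"
    findings = []
    if tls_upstream != https:
        findings.append(f"scheme-mismatch: Radicale ssl={tls_upstream}, "
                        f"proxy_pass uses {url.scheme}://")
    if not https and any(k.startswith("proxy_ssl_") for k in d):
        findings.append("proxy-ssl-unused: proxy_ssl_* only applies to https:// upstreams")
    if https and d.get("proxy_ssl_verify") == "on" and "proxy_ssl_name" not in d:
        findings.append(f"name-default: certificate is checked against {url.hostname}")
    if cfg.has_option("server", "certificate_authority") and "proxy_ssl_certificate" not in d:
        findings.append("client-cert-missing: Radicale verifies client certificates")
    return findings
```

Run against the question's fragments, it reports the scheme mismatch and the unused proxy_ssl_* directives, which lines up with Radicale's "[SSL: HTTP_REQUEST] http request" error: a plain HTTP request arrived on a TLS listener.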
I know this is an old thread, but for the record I got it working like this...
I'm using a separate sub-domain like radicale.example.com, and the script is at / within that, so that's what X-Script-Name is set to. I use letsencrypt/certbot for the certificates.
The nginx stanza is:
}
No SSL settings are required within the Radicale config, and I'm letting Radicale handle user passwords.