SSL received a record that exceeded the maximum permissible length. #1546
Comments
Hi. Do you get the same error in a different browser? |
What version of the companion container are you running? Could you provide:
You can obfuscate domains, mails or any other private info from the configuration if needed, but please provide the full configuration and not just snippets of what seems relevant to you. |
Sorry for the late response. docker-compose file:

```yaml
version: '3'
services:
  proxy:
    image: jwilder/nginx-proxy
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: proxy
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt
    depends_on:
      - proxy
    volumes:
      - ./proxy/certs:/etc/nginx/certs:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
```

I have it with all the proxied containers...
|
That's not what appears to be causing the issue, but it is worth mentioning if you don't want to hit other issues down the road:
Your certs appear to be issued correctly, so this issue might not be with Do you have custom configuration files in |
No, don't have any there. |
Could you provide the logs of |
I shortened the log a little because it was the same every time after this. |
I honestly have no idea what those log lines with hex characters are. They don't decode to anything readable. Edit: most probably background probing / hacking attempts on a public server. |
Normal operation when trying to connect to http://your.domain.tld should look like this:
You get a first request with HTTP 1.1 that gets answered by a 301 (permanent redirection to HTTPS), then a second request with HTTP 2.0 that gets answered by a 200. Both requests display the correct HTTP |
Could you provide the content of nginx-proxy's
|
I know, it's really weird.

```nginx
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    return 503;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# nextcloud.thomasb.info
upstream nextcloud.thomasb.info {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
server {
    server_name nextcloud.thomasb.info;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location /.well-known/acme-challenge/ {
        auth_basic off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name nextcloud.thomasb.info;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/nextcloud.thomasb.info.crt;
    ssl_certificate_key /etc/nginx/certs/nextcloud.thomasb.info.key;
    ssl_dhparam /etc/nginx/certs/nextcloud.thomasb.info.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/nextcloud.thomasb.info.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://nextcloud.thomasb.info;
    }
}
# office-next.thomasb.info
upstream office-next.thomasb.info {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
server {
    server_name office-next.thomasb.info;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location /.well-known/acme-challenge/ {
        auth_basic off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name office-next.thomasb.info;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/office-next.thomasb.info.crt;
    ssl_certificate_key /etc/nginx/certs/office-next.thomasb.info.key;
    ssl_dhparam /etc/nginx/certs/office-next.thomasb.info.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/office-next.thomasb.info.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://office-next.thomasb.info;
    }
}
```
|
By the way, when I first got this error, I just tried it all over again from the beginning. (New containers, everything) And I got exactly the same error. |
Are you sure your proxied containers are in the same Docker network as the proxy container? |
I just checked it, yes they are. |
Here is the diff between your conf and what a working conf would look like, extrapolated from one of my running hosts:
--- ./issue.conf 2020-12-30 15:27:02.000000000 +0100
+++ ./working.conf 2020-12-30 15:27:08.000000000 +0100
@@ -19,7 +19,6 @@
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
-ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
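Review bot: the dropped http-level `ssl_dhparam /etc/nginx/dhparam/dhparam.pem;` is a generator-version difference, not the cause of the error: each 443 server block in the issue conf still sets its own `ssl_dhparam /etc/nginx/certs/<host>.dhparam.pem;`, so the DH parameters used by the vhosts are the same whether or not the global line is present.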
@@ -33,7 +32,6 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
-resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
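Review bot: `resolver 127.0.0.11;` (Docker's embedded DNS) only matters when nginx has to resolve a hostname at request time, for example in a `proxy_pass` built from variables; every `proxy_pass` in this conf targets a named `upstream` whose servers are IP addresses, so its presence or absence cannot change whether a request reaches a backend. Safe to ignore, as the reply says.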
@@ -65,8 +63,11 @@
}
# nextcloud.thomasb.info
upstream nextcloud.thomasb.info {
# Cannot connect to network of this container
server 127.0.0.1 down;
+ ## Can be connected with "nginx-proxy" network
+ # nextcloud
+ server 172.18.0.7:80;
}
server {
server_name nextcloud.thomasb.info;
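Review bot: this hunk is the material difference. In the issue conf the upstream body is only the generator's placeholder, `# Cannot connect to network of this container` followed by `server 127.0.0.1 down;`, so `proxy_pass http://nextcloud.thomasb.info;` has no live backend to send anything to; the working conf shows what docker-gen emits when it can reach the container over the shared `nginx-proxy` network (`server 172.18.0.7:80;`). The comment docker-gen writes into the upstream block is therefore the thing to check on the proxy side, rather than trusting the network listing alone.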
@@ -88,6 +89,9 @@
server_name nextcloud.thomasb.info;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
You can ignore the The real issue is the content of the I'll stop there with this issue and transfer it to |
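Review bot: the `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` lines added inside the 443 server block duplicate the http-level values already at the top of the issue conf, so the negotiated TLS settings are the same in both files; this is another generator-version difference and not something to copy in as a fix.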
Thanks for your time @buchdag !! |
Got one more idea: on what kind of host (OS, Docker version, etc.) are you running those containers? Is this something like Amazon ECS? |
OS: Ubuntu 20.04.1 LTS |
Ok that might not be what I had in mind either. Just to be sure, can you provide the output of
|
This is the output: Otherwise I can try the way you have it running, nginx + docker-gen. |
No luck, I thought it was another instance of nginx-proxy/docker-gen#315 |
Well, still thanks! I am going to try nginx + docker-gen. I will let you know if I find the solution. |
I'd recommend you start with the rather large number of similar |
Unfortunately, none of the solutions from the closed issues on those two pages of issues work for me. |
Unfortunately, it all doesn't work for me. :( |
I just set the log level to info. |
@Th0masDB recent changes to |
I have been using nginx-proxy and the letsencrypt-nginx-proxy-companion for a year now. But now I get this message, and I really don't know how to get rid of it. Maybe I am doing something wrong.
Thanks for the help!
logs.zip