Error 523 on nginx reverse proxy subdomain

Answer these questions to help the Community help you with Security questions.

What is the domain name?
webmin.domain.com
It’s a reverse proxy for webmin as a subdomain.
Have you searched for an answer?
For days

Please share your search results url:
What?

When you tested your domain, what were the results?
The main domain works fine. The main domain is under the same Cloudflare account, proxied and DNS managed, but pointing at server1.
Subdomain webmin is pointing at server2 using an A record under the same Cloudflare account. Also proxied.

Describe the issue you are having:
Error 523 on webmin.domain.com

What error message or number are you receiving?
523

What steps have you taken to resolve the issue?

  1. Used universal SSL to encrypt the origin server
  2. Toggled SSL from flexible to full to full (strict) and back to off
  3. Redid the whole nginx config
  4. Wiped my server and tried again

Was the site working with SSL prior to adding it to Cloudflare?
The site did not exist with SSL prior to adding it to Cloudflare. But Webmin does work at ipv4:xxxx

What are the steps to reproduce the error:

  1. Go to the url? lol
  2. Get frustrated
  3. Try everything
  4. Give up
  5. Come here hoping for a solution

Have you tried from another browser and/or incognito mode?
Yes
Please attach a screenshot of the error:
Bro

Here is my webmin.conf:

upstream webmin-upstream {
    server localhost:10000;
}

server {
    listen webmin.domain.com:80 http2;
    listen [::]:80 http2;
    return 302 https://$host$request_uri;
}

server {
    listen localhost:443 ssl http2;
    listen [::]:443 ssl http2;
    # server names for this server.
    # any requests that come in that match any of these names will use the proxy.
    server_name webmin.domain.com;
    ssl_certificate /*.domain/universalssl.pem;
    ssl_certificate_key /*.domain/universalssl.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    keepalive_timeout 70;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        # set some headers and proxy stuff.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_redirect off;
        # include Host header
        proxy_set_header Host $http_host;

        # proxy request to webmin server
        proxy_pass https://localhost:10000/;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_verify_depth 2;
        proxy_http_version 1.1;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        # proxy_pass_header X-CSRFToken;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name webmin.domain.com;
        # Fixes initial redirect after login
        proxy_redirect https://$host:10000/ https://$http_host/;
    }
}

My nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name _;
        root /var/www/;
        include /etc/nginx/default.d/*.conf;
        error_page 404 /404.html;
        location = /404.html {
        }
        location = /50x.html {
        }
        location / {
            root /var/www;
        }
    }

    ssl_certificate /*.domain/universalssl.pem;
    ssl_certificate_key /*.domain/universalssl.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    keepalive_timeout 70;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # openssl dhparam -out /etc/nginx/ssl/d>
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; pre>
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
}
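An added example, not the poster's file or anything from the thread: a minimal Webmin reverse-proxy configuration for the setup above, with the two listen directives that keep Cloudflare from reaching the posted nginx (localhost:443 binds only the loopback address; webmin.domain.com:80 binds whatever that proxied name resolves to, which is a Cloudflare address unless /etc/hosts says otherwise) replaced by plain port binds. The certificate paths and the optional Authenticated Origin Pulls CA path are assumptions.

```nginx
# Added example, not the poster's configuration. Certificate paths are assumed; the
# Origin CA certificate and key are issued from the Cloudflare dashboard (SSL/TLS > Origin Server).

server {
    listen 80;
    listen [::]:80;
    server_name webmin.domain.com;
    return 302 https://$host$request_uri;
}

server {
    # Bind every interface. "listen localhost:443" binds only 127.0.0.1, and
    # "listen webmin.domain.com:80" binds whatever that name resolves to, which for a
    # proxied record is a Cloudflare address; neither lets the edge reach this server.
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;   # nginx >= 1.25.1; older releases take "http2" on the listen line instead
    server_name webmin.domain.com;

    # Cloudflare Origin CA certificate: trusted by the edge for Full (strict), not by
    # browsers, so a direct visit to the origin shows the warning the thread mentions.
    ssl_certificate     /etc/nginx/ssl/cloudflare-origin.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare-origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Optional: reject connections that do not come from Cloudflare (Authenticated
    # Origin Pulls) so the proxy cannot be reached by visiting the origin IP directly.
    # ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;
    # ssl_verify_client on;

    location / {
        proxy_pass https://127.0.0.1:10000/;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        # $remote_addr is the Cloudflare edge here; to log the visitor instead, feed
        # Cloudflare's published ranges to set_real_ip_from with real_ip_header CF-Connecting-IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # miniserv's default certificate is self-signed; the hop stays on loopback and
        # stays TLS, so it is left unverified rather than downgraded to plain HTTP.
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
        proxy_ssl_name webmin.domain.com;
        # Webmin redirects to its own port after login; send that back to the public name.
        proxy_redirect https://$host:10000/ https://$http_host/;
    }
}
```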

You could just proxy directly to webmin from webmin.example.com by telling Cloudflare to connect to port 10000 on your origin using origin rules and then you won’t need the nginx proxy.


Genius! I had no idea this was possible. Perfect way to bypass all of these issues, at least for testing.

Error 523 is now 526 “Invalid SSL Cert”. I’m using Cloudflare’s Universal SSL with wildcard. I have two Universal SSL certificates, one for the IP address of each of my servers.

But how do my origin SSL certs come into play here? I imagine nginx is being bypassed completely right now. So it’s using Webmin’s miniserv cert? I’m able to access Webmin through http ipv4:port but not https ipv4:port. That throws an SSL Protocol Error.

Upon updating Webmin’s miniserv cert to Cloudflare’s Universal cert, which will include my webmin subdomain under its * wildcard, the error changed to TOO MANY REDIRECTS. No errors in miniserv logs, webmin logs, syslog or nginx log.

Webmin is still accessible through http ipv4:port, and trying to access it through https ipv4:port still throws SSL Protocol Error.

Not sure what else I can try considering nginx/server configuration has been rendered completely irrelevant.

Your SSL/TLS setting is probably set to “Flexible”. In that case Cloudflare is connecting to your origin only over HTTP.

https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls

You should set it to Full (strict) (and force the HTTP-to-HTTPS redirect on Cloudflare); then you will get HTTPS between client and Cloudflare and between Cloudflare and origin. However, using the default Webmin cert will throw an error via Cloudflare as it’s not signed by a CA.

You can use “Full” temporarily to check it works, but as this ignores self-signed and expired certificates, it’s not secure, so you need a proper certificate. That could be from Let’s Encrypt, or you can download an origin certificate from Cloudflare. The latter is only trusted by Cloudflare and will give a browser warning if you try to connect directly to your origin, so an LE certificate might be better for you.

I toggled all the modes. The redirect is thrown on Off, Flexible works, and Invalid SSL is thrown on Full and Full (strict).

My origin certificate from Cloudflare is included in my cert file.

I don’t mind leaving it on flexible for now, but I would prefer to put it back on full (strict). This is definitely a net win compared to before when it wasn’t accessible at all.

Yes, always use Full (strict); don’t settle for less. Debug the SSL to get it to work when you connect directly to the origin (aside from the certificate warning due to the Cloudflare cert); then Cloudflare should be able to do the same.

I haven’t received a (bypassable) certificate warning. Only SSL Protocol Error, Invalid SSL Error, and too many redirects.

Do you have any other ideas for what I could try?

Are those errors when accessing the host name through Cloudflare?

You need to make sure you can connect directly to your origin server over HTTPS on port 10000 (that’s when you should get the certificate warning) and ensure that your server is delivering the Cloudflare origin certificate and not something else (which is what would cause the errors you are seeing when going through Cloudflare).
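The direct-to-origin check in the reply above, as an added example that is not from the thread: it connects to the origin IP on the Webmin port with SNI set to the public name, verifies the chain against a chosen trust anchor (the Cloudflare Origin CA root, or the system store for a Let's Encrypt certificate), and reports issuer, SAN coverage and whether the certificate is an Origin CA one. ORIGIN_IP, PORT, CAFILE, the issuer string and the constructed certificates in the test are assumptions.

```python
import socket
import ssl

ORIGIN_IP = "203.0.113.10"      # assumption: the subdomain's A record target (server2)
HOSTNAME = "webmin.domain.com"  # public name, sent as SNI exactly as Cloudflare sends it
PORT = 10000                    # Webmin's miniserv port, as in the thread
CAFILE = None                   # assumed path to Cloudflare's Origin CA root; None = system store

def san_matches(hostname, san_names):
    """True if a DNS SAN covers hostname; a wildcard matches exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for kind, name in san_names:
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def issuer_org(cert):
    """Issuer organizationName from getpeercert()'s nested name tuples (None if absent)."""
    return next((v for rdn in cert.get("issuer", ()) for a, v in rdn if a == "organizationName"), None)

def summarize(cert, hostname):
    """What Cloudflare's Full (strict) check would see: issuer, SAN list, coverage, Origin CA or not."""
    sans = cert.get("subjectAltName", ())
    return {"issuer": issuer_org(cert),
            "san": [n for k, n in sans if k == "DNS"],
            "covers_host": san_matches(hostname, sans),
            # issuer O as printed in Cloudflare's Origin CA root; adjust if your chain differs
            "origin_ca": issuer_org(cert) == "CloudFlare, Inc."}

def fetch_origin_cert(ip, port, hostname, cafile=None):
    """Handshake straight to the origin (Cloudflare bypassed), verifying the chain against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # SAN coverage is reported by summarize() instead of raising here
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    try:
        print(summarize(fetch_origin_cert(ORIGIN_IP, PORT, HOSTNAME, CAFILE), HOSTNAME))
    except (OSError, ssl.SSLError) as exc:  # unreachable, or chain not trusted by CAFILE
        print("direct origin check failed:", exc)
```

A failed handshake here is the same failure Cloudflare reports as 526 under Full (strict); "covers_host" False with a valid chain means the certificate is for the wrong name.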
