
nginx reverse proxy to an HTTPS upstream returns 502

Background

To work around slow access from mainland China to a site abroad (https://wwwcie.ups.com/), the site is reverse-proxied through an nginx server in Hong Kong. This worked fine for a while; today requests started coming back with 502:

[root@localhost]# curl -I https://wwwcieups.xxxx.com
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 12 Apr 2022 08:18:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 166
Connection: keep-alive

Analysis

Checking the nginx error log first shows the following error:

2022/04/12 03:50:15 [error] 48440#0: *103139221 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 10.19.0.12, server: wwwcieups.xxx.com, request: "GET / HTTP/1.1", upstream: "https://69.192.218.57:443/", host: "wwwcieups.xxx.com"

The TLS handshake to the upstream is failing, so test whether TLS to the proxied backend domain works, first without SNI and then with it:

[root@localhost]# openssl s_client -connect wwwcieups.xxx.com:443

[root@localhost]# openssl s_client -connect wwwcieups.xxx.com:443 -servername wwwcieups.xxx.com

The upstream only completes the handshake when the proxy sends SNI (the server name in the TLS ClientHello). If the proxy does not send SNI, the upstream aborts the handshake with a TLS alert and nginx answers the client with 502.

Solution

Add the following to the nginx configuration (proxy_ssl_server_name makes nginx send the host from proxy_pass as SNI):

location / {
    proxy_pass https://wwwcie.ups.com/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host "wwwcie.ups.com";
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_ssl_server_name on;
}
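To catch this misconfiguration before it turns into a 502 in production, here is a small lint for nginx location blocks, written as an added example for this post (not code from the post or from nginx). It assumes flat location blocks without nested braces, and it also flags the related caveat that nginx does not verify the upstream certificate unless proxy_ssl_verify is on.

```python
import re

# Constructed sample: the location block from the post before the fix.
BROKEN = """
location / {
    proxy_pass https://wwwcie.ups.com/;
    proxy_set_header Host "wwwcie.ups.com";
    proxy_http_version 1.1;
}
"""

# Same block with the fix from the post applied.
FIXED = BROKEN.replace(
    "proxy_http_version 1.1;",
    "proxy_http_version 1.1;\n    proxy_ssl_server_name on;",
)

# Assumption: no nested blocks inside a location (first '}' ends the block).
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{(.*?)\}", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?);\s*$", re.M)


def parse_locations(conf):
    """Return {location_match: {directive: value}} for each flat location block.

    Repeated directives (e.g. several proxy_set_header lines) keep only the
    last value; that is fine here because the lint only reads proxy_pass,
    proxy_ssl_server_name and proxy_ssl_verify, which appear at most once.
    """
    out = {}
    for m in LOCATION_RE.finditer(conf):
        out[m.group(1).strip()] = dict(DIRECTIVE_RE.findall(m.group(2)))
    return out


def lint_https_upstreams(conf):
    """Flag HTTPS upstreams that nginx would contact without SNI or without verification."""
    findings = []
    for loc, d in parse_locations(conf).items():
        if not d.get("proxy_pass", "").startswith("https://"):
            continue  # plain HTTP upstream: SNI is irrelevant
        if d.get("proxy_ssl_server_name", "off") != "on":
            findings.append((loc, "no SNI: add 'proxy_ssl_server_name on;' "
                                  "(SNI-only upstreams abort the handshake -> 502)"))
        if d.get("proxy_ssl_verify", "off") != "on":
            findings.append((loc, "upstream certificate not verified: set "
                                  "'proxy_ssl_verify on;' and proxy_ssl_trusted_certificate"))
    return findings


if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_https_upstreams(conf))
```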