DoT --> nginx --> unbound

Sun Mar 26 20:23:16 UTC 2023

Hello, I was trying to set up a DoT -> nginx -> unbound scheme but 
encountered some errors. Below is the configuration of the servers and 
the errors they output to the logs. What could be the problem?

unbound: 1.17.1

nginx: 1.22.1

OS: 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

nginx config:

stream {
     upstream dns {
         zone dns 64k;
         server [::1]:853;
     }

     server {
         listen <ext_ipv4>:853 ssl;
         listen <ext_ipv6>:853 ssl;
         ssl_certificate fullchain.pem;
         ssl_certificate_key privkey.pem;
         proxy_pass dns;
         proxy_protocol on;
      }
}

unbound config:

server:
     access-control: 0.0.0.0/0 allow
     access-control: ::/0 allow
     interface: ::1 at 853
     proxy-protocol-port: 853

unbound log:

error: proxy_protocol: could not parse PROXYv2 header

nginx log:

SSL_shutdown() failed (SSL: error:14094123:SSL 
routines:ssl3_read_bytes:application data after close notify) while 
proxying connection, client: <client_ipv4>, server: <server_ipv4>:853, 
upstream: "[::1]:853", bytes from/to client:0/0, bytes from/to upstream:0/0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230326/b52dab5a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x2B095C72D7D01E22.asc
Type: application/pgp-keys
Size: 632 bytes
Desc: OpenPGP public key
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230326/b52dab5a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230326/b52dab5a/attachment-0001.bin>