DoT --> nginx --> unbound

Leen Besselink leen at consolejunkie.net
Tue Mar 28 06:17:26 UTC 2023


Hi,

I don't have any experience with nginx for DNS, but when things aren't 
working, the best thing to do is disable proxy-protocol on all and see 
if it works. Then add proxy-protocol after.

My guess is you need to put proxy_protocol on; in upstream dns to tell 
nginx to talk to its backend.

Have a good day,

  Leen.

On 26-03-2023 22:23, VPN Технологии via Unbound-users wrote:
>
> Hello, I was trying to set up a DoT -> nginx -> unbound scheme but 
> encountered some errors. Below is the configuration of the servers and 
> the errors they output to the logs. What could be the problem?
>
>
> unbound: 1.17.1
>
> nginx: 1.22.1
>
> OS: 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
>
>
> nginx config:
>
> stream {
>     upstream dns {
>         zone dns 64k;
>         server [::1]:853;
>     }
>
>     server {
>         listen <ext_ipv4>:853 ssl;
>         listen <ext_ipv6>:853 ssl;
>         ssl_certificate fullchain.pem;
>         ssl_certificate_key privkey.pem;
>         proxy_pass dns;
>         proxy_protocol on;
>      }
> }
>
>
> unbound config:
>
> server:
>     access-control: 0.0.0.0/0 allow
>     access-control: ::/0 allow
>     interface: ::1@853
>     proxy-protocol-port: 853
>
>
> unbound log:
>
> error: proxy_protocol: could not parse PROXYv2 header
>
> nginx log:
>
> SSL_shutdown() failed (SSL: error:14094123:SSL 
> routines:ssl3_read_bytes:application data after close notify) while 
> proxying connection, client: <client_ipv4>, server: <server_ipv4>:853, 
> upstream: "[::1]:853", bytes from/to client:0/0, bytes from/to 
> upstream:0/0
>
>
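Unbound's proxy-protocol support reads the binary PROXYv2 header, whereas nginx's stream module writes the v1 text form ("PROXY TCP4 ..."), which is the mismatch behind the "could not parse PROXYv2 header" line quoted above. The following Python example is added here for illustration and is not code from unbound, nginx or the thread's participants; it builds and parses v2 headers and shows what a v2-only receiver does when handed a v1 header, using constructed sample addresses and ports.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # PROXYv2 binary header signature
PP2_CMD_PROXY, PP2_AF_INET, PP2_AF_INET6, PP2_TCP = 0x1, 0x1, 0x2, 0x1
# Constructed sample: the v1 text header for the same kind of connection.
V1_SAMPLE = b"PROXY TCP4 203.0.113.5 192.0.2.1 40000 853\r\n"

def build_v2_header(src, dst, src_port, dst_port):
    """Build a PROXYv2 header for a proxied TCP connection (IPv4 or IPv6)."""
    fam = socket.AF_INET6 if ":" in src else socket.AF_INET
    af = PP2_AF_INET6 if fam == socket.AF_INET6 else PP2_AF_INET
    addrs = socket.inet_pton(fam, src) + socket.inet_pton(fam, dst)
    addrs += struct.pack("!HH", src_port, dst_port)
    ver_cmd, fam_proto = (0x2 << 4) | PP2_CMD_PROXY, (af << 4) | PP2_TCP
    return PP2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs

def parse_v2_header(data):
    """Return (src, dst, sport, dport, payload) or raise ValueError, the
    condition a v2-only receiver such as unbound logs as a parse failure."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        if data.startswith(b"PROXY "):
            raise ValueError("PROXY protocol v1 text header, not v2")
        raise ValueError("missing PROXYv2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2 or ver_cmd & 0xF != PP2_CMD_PROXY:
        raise ValueError("unsupported version or command")
    if 16 + length > len(data):
        raise ValueError("truncated PROXYv2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    af = fam_proto >> 4  # low nibble is the transport (0x1 = STREAM/TCP)
    if af == PP2_AF_INET and length >= 12:
        fam, alen = socket.AF_INET, 4
    elif af == PP2_AF_INET6 and length >= 36:
        fam, alen = socket.AF_INET6, 16
    else:
        raise ValueError("unknown address family or short address block")
    src = socket.inet_ntop(fam, body[:alen])
    dst = socket.inet_ntop(fam, body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return src, dst, sport, dport, payload

def header_check(data):
    """Return the error text a v2-only receiver would log, or None if parsed."""
    try:
        parse_v2_header(data)
        return None
    except ValueError as err:
        return str(err)
```

Feeding V1_SAMPLE to header_check reproduces the rejection; a header from build_v2_header followed by the DNS-over-TCP payload parses cleanly and hands the payload back.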
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230328/41fde1a3/attachment.htm>