Media proxy cache to TLS 1.3 only server causes 502 Bad Gateway #693

Open
futzle opened this issue Jan 22, 2024 · 3 comments

Comments

@futzle (Contributor) commented Jan 22, 2024

Issue

A remote server has been configured to reject anything older than TLS 1.2. When viewing media (also user avatar) of that user, the image is not fetched from the remote server.

Fetching the URL of the image directly reveals a 502 error, and this appears in the nginx logs:

2024/01/22 03:28:25 [error] 16173#16173: *8880 SSL_do_handshake() failed (SSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: _, request: "GET /proxy/identity_icon/272092855970203730/dcbe4399b4.jpg HTTP/1.0", upstream: "https://xxx.xxx.xxx.xxx:443/system/accounts/avatars/110/993/047/569/445/068/original/0287dcf030a0aa4d.jpg", host: "fedi.vision", referrer: "https://fedi.vision/admin/identities/"

Possible cause

It seems that nginx forwards proxied requests using TLS 1.2 by default.

Possible fix

Add to /etc/nginx/conf.d/default.conf[.tpl] the proxy_ssl_protocols parameter:

    location ~* ^/(media|proxy) {
        # ...

        # Proxy over TLS 1.3 and 1.2
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }

After restarting the nginx service, the image fetches.

Version

Takahē 0.10.1

Disclaimer: my installation is non-standard and has been de-Dockerized. I am also not very knowledgeable about nginx, so I can't say if this breaks something else.

Edit: multiple typos
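The log line above is the signature a defender can alert on: nginx completed a TCP connection to the upstream but the upstream answered the ClientHello with a "protocol version" alert, which is what happens when the proxy offers only protocol versions the remote has disabled. The script below is an added example, not part of this issue or of Takahē; it runs a small check over constructed nginx error-log lines to pull out the upstreams that failed for this reason (an ordinary "connection refused" line is left alone), and a second check that confirms an nginx fragment actually lists TLSv1.3 in `proxy_ssl_protocols`. The log lines, the 203.0.113.x upstream addresses and the `example.test` host are constructed sample data.

```shell
#!/bin/sh
# Constructed sample log lines (not copied from a real server). The first mirrors
# the handshake failure reported in the issue; the second is an unrelated
# upstream error that must not be reported as a TLS-version problem.
SAMPLE_LOG='2024/01/22 03:28:25 [error] 16173#16173: *8880 SSL_do_handshake() failed (SSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: _, request: "GET /proxy/identity_icon/1/a.jpg HTTP/1.0", upstream: "https://203.0.113.10:443/system/a.jpg", host: "example.test"
2024/01/22 03:29:01 [error] 16173#16173: *8881 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: _, request: "GET /proxy/x HTTP/1.0", upstream: "https://203.0.113.11:443/x", host: "example.test"'

# Read nginx error-log lines on stdin and print the host:port of every upstream
# whose TLS handshake failed with a protocol-version alert. Other upstream
# errors (connection refused, timeouts, certificate problems) are ignored, so
# the output is the list of remotes that need a proxy_ssl_protocols fix.
tls_version_failures() {
    grep 'SSL_do_handshake() failed' \
    | grep 'protocol version' \
    | sed -n 's/.*upstream: "https:\/\/\([^/"]*\).*/\1/p'
}

# Constructed nginx fragment with the fix from the issue applied. A fragment
# without the directive falls back to nginx's compiled-in default list.
FIXED_CONF='location ~* ^/(media|proxy) {
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}'

# Succeed (exit 0) only when the nginx fragment on stdin has a
# proxy_ssl_protocols directive that includes TLSv1.3.
conf_allows_tls13() {
    grep -E '^[[:space:]]*proxy_ssl_protocols[[:space:]].*TLSv1\.3' >/dev/null
}

# Usage: list the upstreams to fix, then confirm the config enables TLS 1.3.
printf '%s\n' "$SAMPLE_LOG" | tls_version_failures
if printf '%s\n' "$FIXED_CONF" | conf_allows_tls13; then
    echo "proxy_ssl_protocols includes TLSv1.3"
else
    echo "proxy_ssl_protocols does not include TLSv1.3" >&2
fi
```

In production the first function would be fed the real error log (`tls_version_failures < /var/log/nginx/error.log`) and the second the rendered `default.conf`; an `nginx -t` run after editing the config is still needed, since the grep only checks that the directive is present, not that the file parses.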

@AstraLuma (Contributor) commented

Given that the blessed configuration (use the published container) does not handle TLS termination, it is not clear this problem is applicable.

@futzle (Contributor, Author) commented Feb 7, 2024

TLS termination

It's not about TLS termination for incoming requests, it's about making outgoing TLS requests for proxied media hosted on a third-party server. Pretty sure that the Docker container's copy of nginx still does that:

    location ~* ^/(media|proxy) {

@AstraLuma (Contributor) commented

OH I see, ok.

Yeah, that's a problem
