id: 1270
summary: TCP RST with SSL and HTTP Connection:close header
reporter: elukey@…
owner:
type: defect
status: closed
priority: minor
milestone:
component: nginx-core
version: 1.11.x
resolution: wontfix
keywords:
cc:

description:

Hi everybody,

we use Nginx to terminate TLS in front of a wide range of systems, but the biggest use cases are Varnish and Apache httpd. While running some tcpdumps on one application server running Nginx in front of Apache and HHVM, I noticed regular RST packets returned by Nginx to the client when the request contained "Connection: close" and https was used.

I investigated the issue in https://phabricator.wikimedia.org/T163674 and came up with the suspicion that Nginx is eager to close the TCP connection after the HTTP request is completed, not leaving enough time for SSL to shut down cleanly (https://phabricator.wikimedia.org/T163674#3257675 contains debug error logs to compare).

While reading https://wiki.openssl.org/index.php/Manual:SSL_shutdown(3)#NOTES it seems that this behavior is allowed, but I am wondering if it is intended for Nginx to return a RST or not. In the former case it would be really nice to have a note in the docs advertising this "feature" so people will know it.

Last but not least, this issue is not causing any errors on the client side; the RST seems to be handled fine. The only side effect is polluting TCP RST metrics and confusing admins a bit while debugging :)

Thanks in advance!

Luca

uname: Linux mw2146 4.4.0-2-amd64 #1 SMP Debian 4.4.2-3+wmf6 (2016-10-18) x86_64 GNU/Linux

nginx_version:

nginx version: nginx/1.11.6
built with OpenSSL 1.1.0b 26 Sep 2016 (running with OpenSSL 1.1.0e 16 Feb 2017)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-dav-ext-module --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-echo --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-upstream-fair --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/ngx_http_substitutions_filter_module