Opened 6 years ago

Closed 6 years ago

#1510 closed defect (worksforme)


Reported by: elvizlai@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.13.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.13.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-threads --add-module=/root/nginx-1.13.10/ngx_http_google_filter_module --add-module=/root/nginx-1.13.10/ngx_http_substitutions_filter_module --add-module=/root/nginx-1.13.10/nginx-rtmp-module --add-module=/root/nginx-1.13.10/nginx-ts-module --with-openssl=/root/nginx-1.13.10/openssl-1.1.0g --add-module=/root/nginx-1.13.10/ngx_devel_kit-0.3.1rc1 --add-module=/root/nginx-1.13.10/lua-nginx-module-0.10.12rc2


I have a gRPC server behind nginx 1.13.10. The client report:

stream terminated by RST_STREAM with error code: PROTOCOL_ERROR

sometimes the code may: INTERNAL_ERROR

The server and the client works without nginx.

The client and the server using private cert.

nginx conf
upstream grpctun {

server weight=60;
server weight=30;
server weight=10;


server {

listen 1465 ssl http2;
ssl_certificate /home/web/ssl/grpc/grpctun.cert;
ssl_certificate_key /home/web/ssl/grpc/grpctun.key;

location / {

grpc_pass grpcs://grpctun;



Change History (2)

comment:1 by Maxim Dounin, 6 years ago

Try looking into the error log, it might have enough information to explain what goes on. If it doesn't, please provide a debug log.

Note well that "client ... use private cert" suggests that you are using SSL client certificate to authenticate the client on your gRPC servers. This approach cannot work through a proxy server, much like with normal SSL proxying: SSL certificates can authenticate connection endpoints, but not end-to-end communication through intermediate proxy servers. As such, you have to switch to a different authentication method.

comment:2 by Maxim Dounin, 6 years ago

Resolution: worksforme
Status: newclosed

Feedback timeout.

Note: See TracTickets for help on using tickets.