id: 2234
summary: NGINX 1.19.2 TCP RST/ACK TLSv1.0 Client Hello of Tor Relay ORPort Self-Test in TCP Stream Mode
reporter: garycnew@…
owner:
type: defect
status: closed
priority: minor
milestone:
component: nginx-module
version: 1.19.x
resolution: invalid
keywords: NGINX TCP RST ACK TLSv1.0 Tor Relay ORPort Self-Test Stream
cc:
uname: Linux gnutech-wap01 2.6.36.4brcmarm #1 SMP PREEMPT Fri Aug 14 15:20:58 EDT 2020 armv7l ASUSWRT-Merlin

description:

There appears to be a bug with NGINX 1.19.2 immediately sending a TCP RST/ACK after receiving a TLSv1.0 Client Hello from a Tor Relay ORPort Self-Test in TCP Stream Mode with a Single TorNode in the NGINX Upstream Hash Configuration, but it works fine with any Tor Relay Requests over TLSv1.2 or TLSv1.3.

{{{
# cat nginx.conf
user nobody;
worker_processes auto;
worker_rlimit_nofile 7168;

events {
    worker_connections 3584;
}

stream {
    upstream application {
        hash $remote_addr consistent;
        server 192.168.0.21:9001 weight=4 max_fails=1 fail_timeout=10s;
    }

    server {
        listen xxx.xxx.xxx.xxx:443;
        proxy_pass application;
    }
}
}}}

{{{
# cat torrc
Nickname xxxxxxxxxxxxxxxxx
ORPort xxx.xxx.xxx.xxx:443 NoListen
ORPort 192.168.0.21:9001 NoAdvertise
SocksPort 9050
SocksPort 192.168.0.21:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
Log notice syslog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.21:9040
DNSPort 192.168.0.21:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain
}}}

Interestingly, an external TLS scan of the NGINX listening port shows that it's capable of TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. However, in the particular scenario previously described, NGINX immediately sends a TCP RST/ACK after receiving a TLSv1.0 Client Hello from a Tor Relay ORPort Self-Test, which has been validated with several packet traces and should be easily reproducible. I've confirmed that this issue is specific to NGINX by stopping NGINX and configuring a PortForward in its place, which is successful.

This is a blocker for a High-Availability Tor Relay Implementation using NGINX.

Respectfully,

Gary

P.S. I've confirmed that this is an issue with HAProxy's TCP Stream implementation as well, but we'd prefer to use NGINX.

nginx_version:

{{{
nginx version: nginx/1.19.2 (x86_64-pc-linux-gnu)
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/opt --exec-prefix=/opt --bindir=/opt/bin --sbindir=/opt/sbin --libexecdir=/opt/lib --sysconfdir=/opt/etc --datadir=/opt/share --localstatedir=/opt/var --mandir=/opt/man --infodir=/opt/info --disable-nls --crossbuild=Linux::arm --prefix=/opt --conf-path=/opt/etc/nginx/nginx.conf --with-http_ssl_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-naxsi/naxsi_src --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/lua-nginx --with-ipv6 --with-http_stub_status_module --with-http_flv_module --with-http_dav_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-dav-ext-module --with-http_auth_request_module --with-http_v2_module --with-http_realip_module --with-http_secure_link_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-headers-more --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-brotli --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-rtmp --add-module=/media/ware4/Entware.2020.09/build_dir/target-arm_cortex-a9_glibc-2.23_eabi/nginx-ssl/nginx-1.19.2/nginx-ts --error-log-path=/opt/var/log/nginx/error.log --pid-path=/opt/var/run/nginx.pid --lock-path=/opt/var/lock/nginx.lock --http-log-path=/opt/var/log/nginx/access.log --http-client-body-temp-path=/opt/var/lib/nginx/body --http-proxy-temp-path=/opt/var/lib/nginx/proxy --http-fastcgi-temp-path=/opt/var/lib/nginx/fastcgi --with-cc=arm-openwrt-linux-gnueabi-gcc --with-cc-opt='-I/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include -I/media/ware4/Entware.2020.09/staging_dir/toolchain-arm_cortex-a9_gcc-8.4.0_glibc-2.23_eabi/include -O2 -pipe -mtune=cortex-a9 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=soft -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK' --with-ld-opt='-L/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib -Wl,-rpath,/opt/lib -Wl,-rpath-link=/media/ware4/Entware.2020.09/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib -Wl,--dynamic-linker=/opt/lib/ld-linux.so.3 -L/media/ware4/Entware.2020.09/staging_dir/toolchain-arm_cortex-a9_gcc-8.4.0_glibc-2.23_eabi/lib -Wl,--gc-sections' --without-http_upstream_zone_module --modules-path=/opt/lib/nginx --http-uwsgi-temp-path=/opt/var/lib/nginx/uwsgi --http-scgi-temp-path=/opt/var/lib/nginx/scgi
}}}