Mac m1 Http works but https is broken?

Hi,

On http everything is fine. But on https I got this:

nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 17 (SIGCHLD) received from 99
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 99 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 103
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 17 (SIGCHLD) received from 100
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 100 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 104
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 101
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 101 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 105
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 102
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 102 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 106
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 103
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 103 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 107
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 17 (SIGCHLD) received from 104
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 104 exited on signal 11
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: start worker process 108
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 17 (SIGCHLD) received from 105
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 105 exited on signal 11
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: start worker process 109
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 29 (SIGIO) received

Here is the docker-compose.yml:

version: '3'
services:
  #######################################
  # Delegate requests to container via
  # Nginx reverse proxy
  #######################################
  nginx-proxy:
    container_name: nginx-proxy
    image: jwilder/nginx-proxy
    build:
      context: docker/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./docker/nginx-proxy/nginx.tmpl:/app/nginx.tmpl:ro
      - ./docker/nginx-proxy/certs/default.key:/etc/nginx/certs/default.key:ro
      - ./docker/nginx-proxy/certs/default.crt:/etc/nginx/certs/default.crt:ro

networks:
  default:
    external:
      name: kult-dev-network

Issue Analytics

  • State:open
  • Created 2 years ago
  • Comments:16 (8 by maintainers)
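
The log in the post shows workers being killed by signal 11 and respawned several times per second. As an added example (not code from the issue or from nginx-proxy), this sketch flags that pattern in nginx error-log text; the function names, the threshold and the window are assumptions, and the sample is a subset of the lines quoted above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Subset of the log lines from the post (docker-compose prefix included).
SAMPLE = """\
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 17 (SIGCHLD) received from 99
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 99 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 103
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 101 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 105
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 104 exited on signal 11
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: start worker process 108
"""

# Linux signal numbers (nginx runs in a Linux container) that indicate a crash.
FATAL = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}

EXIT_RE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)")

def parse_exits(text):
    """Return (timestamp, pid, signal) for each worker killed by a signal."""
    exits = []
    for m in EXIT_RE.finditer(text):
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        exits.append((ts, int(m["pid"]), int(m["sig"])))
    return exits

def crash_loop(exits, threshold=3, window=timedelta(seconds=10)):
    """True if `threshold` fatal-signal exits fall within `window` (assumed values)."""
    times = sorted(ts for ts, _, sig in exits if sig in FATAL)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def summarize(text):
    """Count crashes per signal name and report whether workers are crash-looping."""
    exits = parse_exits(text)
    by_signal = Counter(FATAL.get(sig, f"signal {sig}") for _, _, sig in exits)
    return {"crashes": dict(by_signal), "crash_loop": crash_loop(exits)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```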

Top GitHub Comments

3 reactions
kblcuk commented, Jul 12, 2021

tl;dr – a possible work-around would be to use nginxproxy/nginx-proxy:alpine image instead of a debian-based one.


@buchdag sorry for the late reply, was busy week 😅

Yea, I thought about http1.1 as well, however forcing that doesn’t seem to change anything. And nginx debug mode doesn’t seem to log anything extra.

❯ curl -k --http1.1 --header 'Host: app.local' https://127.0.0.1 -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* <redacted cert info> 
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: app.local
> User-Agent: curl/7.64.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server
* Closing connection 0

Now the interesting bit is that this doesn’t manifest if I use alpine flavour of nginx image (i.o.w. nginx:alpine)! The output looks quite close to the “broken” one:

❯ curl -k --header 'Host: app.local' https://127.0.0.1 -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=mkcert development certificate; OU=alex@vackerflicka (Alexei Mikhailov)
*  start date: Jul  1 13:28:53 2021 GMT
*  expire date: Oct  1 13:28:53 2023 GMT
*  issuer: O=mkcert development CA; OU=alex@vackerflicka (Alexei Mikhailov); CN=mkcert alex@vackerflicka (Alexei Mikhailov)
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x12280d600)
> GET / HTTP/2
> Host: app.local
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.21.0
< date: Mon, 12 Jul 2021 08:59:21 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 06 Jul 2021 14:59:17 GMT
< etag: "60e46fc5-264"
< accept-ranges: bytes
< strict-transport-security: max-age=31536000
<
<!DOCTYPE html>
<...redacted standard nginx page>
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0

While researching this I’ve stumbled upon a rather old, but very similar issue in nginx issue tracker, that claims the problem to happen due to -O2 optimisation flags.

Now, looking at the nginx -V output from docker image, it seems that it used -O2 during compilation, so that might be what is causing this issue? And since alpine builds don’t use gcc, this doesn’t manifest?

❯ docker run nginx nginx -V
...
nginx version: nginx/1.21.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.1/debian/debuild-base/nginx-1.21.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Anyhoo to sum up, using alpine-based nginx-proxy build instead of debian one solves the issue for my local env, which is good enough for me 😅

Feel free to ping me if you want to test something!
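
The comment above compares builds by reading `nginx -V`. As an added example (not code from the thread or from nginx-proxy), this sketch parses that output and reports which toolchain, TLS library and compiler/linker flags differ between two builds. BUILD_A is abridged from the output quoted above, BUILD_B is constructed for comparison and is not output from any real image, and the function names are hypothetical.

```python
import re
import shlex

# BUILD_A: abridged from the `nginx -V` output quoted in the comment.
# BUILD_B: constructed sample, not taken from any real image.
BUILD_A = """\
nginx version: nginx/1.21.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
"""
BUILD_B = """\
nginx version: nginx/1.21.1
built by gcc X.Y.Z (constructed)
built with OpenSSL X.Y.Z (constructed)
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-cc-opt='-Os -fstack-protector-strong' --with-ld-opt='-Wl,-z,relro'
"""

def parse_nginx_v(text):
    """Extract toolchain, TLS library and compiler/linker flags from `nginx -V`."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    info = {
        "version": field(r"^nginx version: (.+)$"),
        "compiler": field(r"^built by (.+)$"),
        "tls": field(r"^built with (.+)$"),
        "cc_opt": set(), "ld_opt": set(),
    }
    args = field(r"^configure arguments: (.+)$") or ""
    for arg in shlex.split(args):  # shlex keeps the quoted flag lists intact
        key, _, value = arg.partition("=")
        if key == "--with-cc-opt":
            info["cc_opt"] = set(value.split())
        elif key == "--with-ld-opt":
            info["ld_opt"] = set(value.split())
    return info

def diff_builds(a, b):
    """Return the fields whose values differ between two parsed builds."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    print(diff_builds(parse_nginx_v(BUILD_A), parse_nginx_v(BUILD_B)))
```

`nginx -V` writes to stderr, so redirect with `2>&1` when saving its output for comparison.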

2 reactions
buchdag commented, Jul 13, 2021

@kblcuk thanks for investigating this, seems there isn’t much we can do from this project’s end. 😒

At least the alpine based image is working. 👍
