addons: Cloudflare not working after updating to 3.1.3

Describe the issue you are experiencing

Cloudflare started reporting SSL protocol errors after updating to 3.1.5. The change seems to have been introduced in 3.1.3.

This seems to be related to #2553 and how the new nginx handles SNIs (I think?). I’m getting an SSL error when trying to connect to nginx with an invalid (different to the one specified in the addon configuration) domain name.

* Closing connection 0
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name

The domain in Cloudflare is set correctly; no changes have been made to the configuration, I just updated the addon.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

NGINX Home Assistant SSL proxy

What is the version of the add-on?

3.1.5

Steps to reproduce the issue

Updated to 3.1.5 - no configuration change.

Anything in the Supervisor logs that might be useful for us?

No

Anything in the add-on logs that might be useful for us?

No

Additional information

The addon exposes port 443, but the NATed external port is different.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (8 by maintainers)

Most upvoted comments

I’ve managed to resolve the issue by changing Cloudflare’s SSL mode to Full. Seems like when using Flexible, CF does not send the SNI in the handshake message (I only noticed this with packet capture). Using anything other than Full (strict) meant that I didn’t notice the issue until this change.

EDIT: This seems like a bug in Cloudflare, since the docs state:

Flexible mode is only supported for HTTPS connections on port 443 (default port). Other ports using HTTPS will fall back to Full mode.

So my change from flexible to full shouldn’t be affecting the behavior, since I’m not using a default port anyway.
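The comment above found the cause by looking at a packet capture for the server_name (SNI) extension. The script below is an added example, not part of the issue or of the add-on, that makes the same check without a capture or a network: it has OpenSSL generate a real ClientHello through Python's ssl.MemoryBIO, once with a hostname and once without, and parses the handshake to report which server_name it carries. The hostname ha.example.org is a placeholder; the record and extension layout follow RFC 8446 and RFC 6066.

```python
"""Check whether a TLS ClientHello carries the SNI extension.

Added example, not the add-on's code. build_client_hello() produces the
ClientHello OpenSSL would put on the wire (via ssl.MemoryBIO, so nothing is
sent anywhere); extract_sni() parses the server_name extension out of it.
"""
import ssl
import struct
from typing import Optional

PLACEHOLDER_HOST = "ha.example.org"  # assumption: stands in for the real domain


def build_client_hello(server_hostname: Optional[str]) -> bytes:
    """Return the raw TLS record(s) of the ClientHello OpenSSL would send.

    server_hostname=None makes the client omit server_name entirely, which is
    the behaviour the comment observed from Cloudflare in Flexible mode.
    """
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False          # check_hostname requires an SNI name
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass                                # ClientHello written, waiting on server
    return outgoing.read()


def _take(buf: bytes, off: int, n: int):
    """Slice n bytes at off, failing loudly on truncated input."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n


def extract_sni(raw: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    # Reassemble handshake fragments across TLS records (content type 22).
    handshake, off = b"", 0
    while off < len(raw):
        hdr, off = _take(raw, off, 5)
        ctype, _version, length = struct.unpack("!BHH", hdr)
        if ctype != 22:
            raise ValueError(f"not a handshake record: content type {ctype}")
        body, off = _take(raw, off, length)
        handshake += body

    if not handshake or handshake[0] != 1:
        raise ValueError("not a ClientHello")
    msg_len = int.from_bytes(handshake[1:4], "big")
    hello, _ = _take(handshake, 4, msg_len)

    off = 2 + 32                                          # legacy_version, random
    sid, off = _take(hello, off, 1)
    _, off = _take(hello, off, sid[0])                    # session_id
    cs, off = _take(hello, off, 2)
    _, off = _take(hello, off, struct.unpack("!H", cs)[0])  # cipher_suites
    comp, off = _take(hello, off, 1)
    _, off = _take(hello, off, comp[0])                   # compression_methods
    if off >= len(hello):
        return None                                       # no extensions at all
    ext_total, off = _take(hello, off, 2)
    end = off + struct.unpack("!H", ext_total)[0]

    while off + 4 <= end:
        ext_hdr, off = _take(hello, off, 4)
        ext_type, ext_len = struct.unpack("!HH", ext_hdr)
        data, off = _take(hello, off, ext_len)
        if ext_type != 0:                                 # 0 == server_name
            continue
        # ServerNameList: u16 length, then (u8 name_type, u16 length, name) entries
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                            # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in (PLACEHOLDER_HOST, None):
        sni = extract_sni(build_client_hello(host))
        print(f"server_hostname={host!r}: SNI on the wire = {sni!r}")
```

The same parser can be pointed at the ClientHello bytes copied out of a capture of Cloudflare's connection; a result of None is the condition under which the add-on's nginx answers with the unrecognized_name alert that curl reports as "tlsv1 unrecognized name".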