fix: explicit SNI + HTTP/1.1 to KVK upstream (v1.7.4) #43

Merged
rverk merged 2 commits into main from fix/gateway-ssl-sni-http1.1
Apr 20, 2026

@rverk rverk commented Apr 20, 2026

Summary

  • proxy_ssl_name $kvk_upstream — explicit SNI hostname in the TLS handshake
  • proxy_http_version 1.1 + empty Connection header — modern HTTP to upstream
  • Version bump to v1.7.4

Rob Verkuijlen and others added 2 commits April 20, 2026 15:39
After v1.7.3 nginx did start, but requests failed with 502
"upstream prematurely closed connection while reading response header".

Root cause: since proxy_pass contains a variable ($kvk_upstream), Nginx
no longer reliably derives the SNI hostname (proxy_ssl_name) from
proxy_pass. KVK's load balancer received a TLS handshake without (or
with the wrong) SNI and closed the connection immediately after ~60ms.

Fix:
- proxy_ssl_name $kvk_upstream  (explicit SNI)
- proxy_http_version 1.1        (modern HTTP to upstream)
- proxy_set_header Connection "" (empty Connection so that keep-alive works)

Diagnosis confirmed via 4-layer test: host curl OK, Docker-network curl
OK, only via gateway 502 -> the problem was 100% in the nginx config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…1.7.4)

Catches all recent gateway regressions via a contract test on the
rendered nginx.conf.template:

- proxy_pass uses the $kvk_upstream variable (runtime DNS, v1.7.2)
- explicit proxy_ssl_name for SNI (v1.7.3)
- proxy_http_version 1.1 + empty Connection header
- docker resolver + envsubst placeholders fully resolved

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@rverk rverk merged commit 6d5a035 into main Apr 20, 2026
1 check passed
@rverk rverk deleted the fix/gateway-ssl-sni-http1.1 branch April 20, 2026 13:50
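
A contract test of the kind the second commit describes, written here as an added example (not the project's own test or config): it checks a rendered nginx config for the directives listed in the commits and returns the ones that are missing. The sample config, `api.example.test`, the upper-case `${NAME}` placeholder convention and the `proxy_ssl_server_name on` check are assumptions; that last check is included because nginx sends SNI to an upstream only when that directive is on, and the page does not show whether the template sets it.

```python
import re

# Constructed sample of a rendered gateway config (not the project's file);
# api.example.test and the Docker DNS address 127.0.0.11 are assumptions.
GOOD = '''
resolver 127.0.0.11 valid=30s;
server {
  location /api/ {
    set $kvk_upstream api.example.test;
    proxy_pass https://$kvk_upstream;
    proxy_ssl_server_name on;
    proxy_ssl_name $kvk_upstream;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}
'''
# Constructed regression: SNI name and keep-alive header commented out,
# and one envsubst placeholder left unrendered.
BAD = (GOOD.replace("proxy_ssl_name", "# proxy_ssl_name")
           .replace("proxy_set_header Connection", "# proxy_set_header Connection")
           .replace("api.example.test", "${KVK_HOST}"))

CONTRACT = {
    "proxy_pass via $kvk_upstream": r'proxy_pass\s+https://\$kvk_upstream\b[^;]*;',
    "resolver set": r'resolver\s+\S+[^;]*;',
    "proxy_ssl_server_name on": r'proxy_ssl_server_name\s+on\s*;',
    "explicit proxy_ssl_name": r'proxy_ssl_name\s+\$kvk_upstream\s*;',
    "proxy_http_version 1.1": r'proxy_http_version\s+1\.1\s*;',
    "empty Connection header": r'proxy_set_header\s+Connection\s+""\s*;',
}

def violations(rendered: str) -> list[str]:
    """Return the names of the contract items the rendered config fails."""
    # Drop comments so a commented-out directive does not count as present.
    active = re.sub(r"#[^\n]*", "", rendered)
    # Anchor each pattern at a directive start (line start or after ; { }).
    failed = [name for name, pat in CONTRACT.items()
              if not re.search(r"(?:^|[;{}])\s*" + pat, active, re.M)]
    # envsubst leaves ${NAME} in place when NAME is not substituted; only
    # upper-case names are flagged because ${lower} is valid nginx syntax.
    if re.search(r"\$\{[A-Z_][A-Z0-9_]*\}", active):
        failed.append("unresolved envsubst placeholder")
    return failed

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("bad", BAD)):
        print(label, violations(conf) or "OK")
```
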