Tyk-Gateway-ce https setup fails with Error 502, Bad Gateway

I am trying to access tyk-gateway-ce over https. I have followed the instructions and configured it for https in the tyk.conf file. I don't use any database, so I didn't add the ssl configurations to analytics.conf. The problem I have is that the gateway always responds with error 502, bad gateway. It is deployed as an upstream server behind NGINX. NGINX is well configured; I tested its correctness using a trusted tool that verifies NGINX config correctness.

What more do I have to do besides adding the following config block to the tyk.conf file?

"http_server_options": {
   "use_ssl": true,
   "server_name": "mydomain.tech",
   "enable_strict_routes": true,
   "ssl_insecure_skip_verify": true,
   "enable_websockets": true,
   "ssl_certificates": [
      {
         "domain_name": "*.mydomain.tech",
         "cert_file": "/etc/ssl/certs/mydomain_tech_chain.crt",
         "key_file": "/etc/ssl/certs/mydomain_tech.key"
      }
   ],
   "min_version": 770
},

Following the logs in error.log reveals this detail:

SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: x.x.xx.xx, server: www.mydomain.tech, request: "GET /hello HTTP/1.1", upstream: "https://0.0.0.0:8080/hello", host: "www.mydomain.tech"

@rodgers Unsure whether this is related to Tyk. Googling shows a couple of related errors with proxy or nginx.

Can you hit the Tyk hello endpoint directly and share the output? If you get the liveness check then it may confirm an issue from nginx.

Hope this helps

I managed to fix it. There was no need to use https for the communication between the NGINX server and Tyk, since they both reside on the same VM instance. To secure the Tyk gateway from outside access, I have set the value of listen_address (in the tyk.conf file) to 127.0.0.1 so that only NGINX, which is hosted on the same VM, can access the gateway directly. HTTPS communication is between NGINX and the outside clients.

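A check for the mismatch this thread ran into, where the scheme in NGINX's proxy_pass URL and the protocol the gateway listener actually speaks disagree. This is an added example, not part of the original posts and not Tyk or NGINX code; the function names and the loopback stand-in listener are assumptions made for illustration.

```python
import http.server
import socket
import ssl
import threading
from urllib.parse import urlsplit


def probe_listener(host, port, timeout=3.0):
    """Classify what host:port speaks: 'https', 'http', 'closed' or 'unknown'."""
    ctx = ssl.create_default_context()
    # Diagnostic only: does a handshake complete at all? Trust is not checked.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(socket.create_connection((host, port), timeout)):
            return "https"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # ssl.SSLError, resets and timeouts all derive from OSError
        pass
    try:  # Handshake failed, so ask the same port in cleartext.
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(b"GET /hello HTTP/1.0\r\nHost: localhost\r\n\r\n")
            return "http" if s.makefile("rb").read(5) == b"HTTP/" else "unknown"
    except OSError:
        return "unknown"


def proxy_pass_mismatch(upstream_url):
    """Return a finding if the proxy_pass scheme differs from the listener, else None."""
    url = urlsplit(upstream_url)
    port = url.port or (443 if url.scheme == "https" else 80)
    spoken = probe_listener(url.hostname, port)
    mismatch = spoken in ("http", "https") and spoken != url.scheme
    return f"proxy_pass uses {url.scheme}:// but port {port} answers in {spoken}" if mismatch else None


def start_plain_listener():
    """Constructed stand-in: a cleartext HTTP service on a free loopback port."""
    class Hello(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            self.send_response(200)
            self.end_headers()
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Hello)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run on the proxy host against the upstream URL from the NGINX error log, a non-None finding means the proxy_pass scheme should be changed or TLS enabled on the listener, whichever matches the intended design.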