unbound DoH behind nginx

Hi,

I'm trying to run unbound DoH behind nginx but I'm getting a 502 Bad Gateway error.
I have configured unbound with the option "http-notls-downstream: yes" for an HTTP (no-TLS) connection between nginx and unbound.

Nginx configuration:

  proxy_http_version 1.1;

...

unbound: [16302:0] debug: http2: session_recv from 172.x.x.x failed, error: Received bad client magic byte string

So, I couldn't find the reason for the error. What am I missing?

The problem might be that the nginx proxy talks HTTP 1.1 to unbound
while unbound expects encrypted HTTPS 2. Nginx doesn't support HTTP 2 on
the downstream connection.

I use dnsdist to proxy DOT and DOH, so I'm not quite sure how to
configure unbound to accept queries over plain HTTP instead of HTTPS/2.
A quick search in the manpage only turns up https-port:, no http-port:

Hauke.

> The problem might be that the nginx proxy talks HTTP 1.1 to unbound
> while unbound expects encrypted HTTPS 2. Nginx doesn't support HTTP 2 on
> the downstream connection.

Thanks Hauke. You gave me the clue :)

Yes, nginx proxy module doesn't support http/2. I use nginx grpc_proxy
with unbound "http-notls-downstream: yes" option.

Solved.
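
An added example, not the poster's actual configuration (which the thread does not show): a minimal sketch of the setup described above, with the failing proxy-module lines kept as comments beside the gRPC-module line that replaces them. Port 8053, the host name and the certificate paths are placeholders chosen for illustration.

```conf
# --- unbound.conf: DoH listener without TLS, loopback only ---
server:
    interface: 127.0.0.1@8053      # constructed port; must match https-port
    https-port: 8053               # port on which unbound serves DoH
    http-endpoint: "/dns-query"    # unbound's default endpoint
    http-notls-downstream: yes     # cleartext HTTP/2 between nginx and unbound

# --- nginx: TLS terminates here ---
server {
    listen 443 ssl http2;          # on nginx 1.25.1+ use "listen 443 ssl;" plus "http2 on;"
    server_name doh.example.test;                 # placeholder
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location = /dns-query {
        # Fails with 502: the proxy module speaks HTTP/1.x to the backend,
        # so unbound never receives the HTTP/2 client connection preface
        # and logs "Received bad client magic byte string".
        # proxy_http_version 1.1;
        # proxy_pass http://127.0.0.1:8053;

        # Works: the gRPC module speaks cleartext HTTP/2 to the backend.
        grpc_pass grpc://127.0.0.1:8053;
    }
}
```

Because the hop to unbound is unencrypted, the listener is bound to loopback only. Every query also reaches unbound from nginx's address, so per-client access control and rate limiting have to be enforced in nginx.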

Hello Emre,

can you share the relevant config for nginx and unbound?

Thanks
Andreas