nginx 502 “Bad Gateway” errors when set as a proxy over SSL/HTTPS

By Matt Gadient

A little experimentation has been showing that for my usage, nginx makes for a great caching proxy. So good that I wondered what might happen if I started chaining the servers together (proxy A —> proxy B —> nginx server C, all over HTTPS/SSL).

Answer was… 502 Bad Gateway errors.

I’d set it up and then used Integrity by PeacockMedia (free/donationware on the Mac App Store) to test out the site. If you haven’t heard of it before, Integrity is something of a broken-link-checker for macOS – quick and dead easy to use. Anyway… it immediately threw up a bunch of 502 Errors for the HTTPS versions of the site.

I checked it out by trying to manually load up a page over HTTPS in a web browser, and sure enough, 502 error.

 

——

 

Turned out, my problem was that I had just changed from a simple proxy_pass https://123.45.67.89; in the location to the whole “upstream backend” thing, with something like this:

upstream backend {
     server 123.45.67.89;
     server 12.34.56.789 backup;
}
server {
     listen 443;
     server_name example.com;
     location / {
         proxy_pass https://backend;
     }
}

That doesn’t quite work, and the reason turned out to be that you need to specify the port in the “upstream backend” section if it isn’t port 80. It’s not enough that the proxy_pass line started with https – I also had to explicitly tell it to use port 443.

So the working version was of course as follows:

upstream backend-ssl {
     server 123.45.67.89:443;
     server 12.34.56.789:443 backup;
}
server {
     listen 443;
     server_name example.com;
     location / {
         proxy_pass https://backend-ssl;
     }
}

That’s not to say it’s the only cause of 502 errors when dealing with nginx’s caching proxy (timeouts are another common cause from what I understand). And if you’ve recently upgraded PHP, you may want to check out PHP 7.0 upgrade and “502 Bad Gateway”.

But if you’ve just implemented the upstream bit, it’s worth checking to see if you have the same issue.

If not, it’s worth taking a peek at your error log to help narrow things down. It’s usually found in your logs directory: if using Ubuntu /var/log/nginx/error.log is where it’s often at.

6 Comments | Leave a Comment

  1. ishwar on October 1, 2014 - click here to reply
    thank you, I had the exact problem.
  2. john on July 11, 2016 - click here to reply
    You just saved my life
  3. Faruk on November 20, 2019 - click here to reply
    thank you very much! it saved me a lot of time
  4. Jason on April 13, 2020 - click here to reply
    Thanks very much! Really helpful
  5. dinesh kannan on September 1, 2020 - click here to reply
    it works man , thanks
  6. Yu-Cheng,Chen on November 1, 2021 - click here to reply
    I spent a lot of time trying other methods, but none of them worked. thank you very much!

Leave a Comment

You can use an alias and fake email. However, if you choose to use a real email, "gravatars" are supported. You can check the privacy policy for more details.