5 hours ago
I have been doing some checks and I don't understand this either. Yes, I have Pihole, but when I curl over the HTTP service there is no problem. It happens when I do it over HTTPS inside Docker; outside Docker there is no issue.
Code:
$ curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0* Trying 185.93.2.251:443...
* Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3968 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=image.tmdb.org
* start date: Oct 6 12:45:51 2024 GMT
* expire date: Jan 4 12:45:50 2025 GMT
* subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
* issuer: C=US; O=Let's Encrypt; CN=R10
* SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg]
* h2h3 [:scheme: https]
* h2h3 [:authority: image.tmdb.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x563b9a644ce0)
} [5 bytes data]
> GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
> Host: image.tmdb.org
> user-agent: curl/7.88.1
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 200
< date: Fri, 25 Oct 2024 21:27:11 GMT
< content-type: image/jpeg
< content-length: 50330
< server: BunnyCDN-FR1-1186
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: ES
< cache-control: public, max-age=31919000
< etag: "6272f494-c49a"
< last-modified: Wed, 04 May 2022 21:48:04 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 266
< perma-cache: HIT
< cdn-proxyver: 1.04
< cdn-requestpullcode: 200
< cdn-cachedat: 10/09/2024 20:20:48
< cdn-edgestorageid: 1187
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 91a0f5895fc08e6629232bcf7fd5e410
< cdn-cache: HIT
< accept-ranges: bytes
<
{ [15736 bytes data]
100 50330 100 50330 0 0 18362 0 0:00:02 0:00:02 --:--:-- 18361
* Connection #0 to host image.tmdb.org left intact
Inside nginx server (jellyfin subnet in docker)for instance:
Code:
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0* Trying 143.244.56.49:443...
* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2038 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=valid.domain.com
* start date: Sep 19 19:38:02 2024 GMT
* expire date: Dec 18 19:38:01 2024 GMT
* subjectAltName does not match image.tmdb.org
* SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
* Closing connection 0
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* old SSL session ID is stale, removing
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (60) SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
In pihole or unifi docker service:
Code:
$ docker exec -it pihole sh
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0* Trying 143.244.56.49:443...
* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3968 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=image.tmdb.org
* start date: Oct 6 12:45:51 2024 GMT
* expire date: Jan 4 12:45:50 2025 GMT
* subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
* issuer: C=US; O=Let's Encrypt; CN=R10
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x56440d1a6620)
} [5 bytes data]
> GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
> Host: image.tmdb.org
> user-agent: curl/7.74.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 200
< date: Fri, 25 Oct 2024 21:30:58 GMT
< content-type: image/jpeg
< content-length: 50330
< server: BunnyCDN-FR1-1072
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: ES
< cache-control: public, max-age=31919000
< etag: "6272f494-c49a"
< last-modified: Wed, 04 May 2022 21:48:04 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 266
< perma-cache: HIT
< cdn-proxyver: 1.04
< cdn-requestpullcode: 200
< cdn-cachedat: 10/09/2024 20:20:48
< cdn-edgestorageid: 1187
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 66a9348c1fcf42551aafee7263ce1c6b
< cdn-cache: HIT
< accept-ranges: bytes
<
{ [15754 bytes data]
100 50330 100 50330 0 0 15703 0 0:00:03 0:00:03 --:--:-- 15703
* Connection #0 to host image.tmdb.org left intact
My nginx configuration is this:
Code:
$ cat nginx.conf
user nginx;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # HTTP configuration used to renew the certificates with Certbot
    server {
        listen 80;
        server_name valid.domain.com www.valid.domain.com;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        # Exception for Certbot (do not redirect)
        location /.well-known/acme-challenge/ {
            root /var/www/certbot; # Path where Certbot stores the challenge files
        }
        # Redirect every other request to port 443 (HTTPS)
        location / {
            return 301 https://$host:443$request_uri;
        }
        # location / {
        #     root /usr/share/nginx/html;
        #     index index.html index.htm;
        # }
    }
    # HTTPS configuration
    server {
        listen 443 ssl; # Listen on port 443 with SSL enabled
        server_name valid.domain.com;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ssl_certificate /etc/letsencrypt/live/valid.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/valid.domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / {
            if ($host != "valid.domain.com") {
                return 444; # Close the connection if the host does not match
            }
            proxy_pass http://jellyfin:8096; # Forward requests to Jellyfin
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
        }
        # New configuration for Filebrowser
        location /filebrowser/ {
            if ($host != "valid.domain.com") {
                return 444; # Close the connection if the host does not match
            }
            proxy_pass http://filebrowser:80/filebrowser;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            rewrite ^/filebrowser(/.*)$ $1 break; # Rewrite the URL to strip "/filebrowser"
            client_max_body_size 10G; # Raise the upload limit to 10 GB
        }
    }
}
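The failing trace above ends in `curl: (60)` because the certificate's subjectAltName (`valid.domain.com`) does not cover the name curl asked for (`image.tmdb.org`). The script below is an added example, not part of the original post: it re-implements that hostname check so the SAN list of any certificate can be evaluated offline, and wraps an `openssl s_client` probe that sends a chosen SNI to a chosen IP, so the exact request can be repeated from the host and from inside a container and the two answers compared. The IP, hostname and certificate path in the comments are the ones quoted in the post; `<nginx-container>` is a placeholder for the container name, which the post does not give. It assumes OpenSSL 1.1.1 or newer (for `x509 -ext`) and draws no conclusion about why the two vantage points differ.

```shell
#!/bin/sh
# Added example (not the poster's code): curl's SAN hostname check plus an
# openssl probe for comparing what a given IP presents for a given SNI.

# san_matches_host NAME "DNS:a.example, DNS:*.example"
# Exit 0 if NAME is covered by a DNS entry of the SAN list, following the
# RFC 6125 rules curl applies: case-insensitive exact match, or a wildcard
# that is the whole left-most label, covers exactly one label, and has at
# least two labels after it (so "*.org" never matches anything).
san_matches_host() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san_list=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ',' '\n')
    for entry in $san_list; do
        case "$entry" in
            dns:*) name=${entry#dns:} ;;
            *) continue ;;              # IP:, email:, URI: entries do not apply
        esac
        case "$name" in
            '*.'*)
                suffix=${name#\*.}
                case "$suffix" in *.*) ;; *) continue ;; esac   # reject "*.org"
                case "$want" in
                    *.*) rest=${want#*.} ;;                       # drop first label
                    *) continue ;;
                esac
                [ "$rest" = "$suffix" ] && return 0
                ;;
            *)
                [ "$want" = "$name" ] && return 0
                ;;
        esac
    done
    return 1
}

# presented_san IP NAME
# Connect to IP:443 sending NAME as SNI (what curl does after resolving NAME)
# and print the DNS SANs of the leaf certificate as one comma-separated line.
presented_san() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | grep -o 'DNS:[^, ]*' | paste -s -d, -
}

# presented_fingerprint IP NAME
# SHA-256 fingerprint of the leaf certificate presented at IP:443 for SNI NAME.
# Compare it with the fingerprint of the local proxy's own certificate:
#   openssl x509 -noout -fingerprint -sha256 \
#       -in /etc/letsencrypt/live/valid.domain.com/fullchain.pem
# If the two agree, the connection is terminating at that nginx regardless of
# the destination IP curl printed.
presented_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# check_presented_cert IP NAME: one-line verdict, exit 0 on match, 1 otherwise.
check_presented_cert() {
    presented=$(presented_san "$1" "$2")
    if san_matches_host "$2" "$presented"; then
        printf 'OK       %s via %s: %s\n' "$2" "$1" "$presented"
    else
        printf 'MISMATCH %s via %s: %s\n' "$2" "$1" "${presented:-<no DNS SAN>}"
        return 1
    fi
}

# Usage on the host:        sh probe.sh 143.244.56.49 image.tmdb.org
# Same probe in a container: docker exec -i <nginx-container> sh -s 143.244.56.49 image.tmdb.org < probe.sh
if [ $# -ge 2 ]; then
    check_presented_cert "$1" "$2"
fi
```

Run the probe from both vantage points against the same IP and SNI: a `MISMATCH` from inside the container and an `OK` from the host for the same `IP NAME` pair shows the two TCP sessions are not reaching the same TLS endpoint, and `presented_fingerprint` against the local `fullchain.pem` tells you whether the endpoint the container reached is your own proxy.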
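One thing the failing trace makes visible is that this nginx answered a ClientHello whose SNI was `image.tmdb.org` with the `valid.domain.com` certificate. With a single `server` block on port 443, nginx uses that block, and its certificate, as the implicit default for every SNI name, and the `if ($host != ...)` inside each `location` only runs after the handshake has already completed with that certificate. Below is an added example of a catch-all default server that refuses the handshake for unknown names instead; it is not the poster's configuration, reuses only the names and paths quoted in the post, and needs nginx 1.19.4 or newer for `ssl_reject_handshake`.

```nginx
http {
    # Catch-all for port 443. A ClientHello whose SNI is not one of the
    # server_names below (for example image.tmdb.org arriving here) gets a
    # TLS unrecognized_name alert, not valid.domain.com's certificate.
    # ssl_reject_handshake requires nginx 1.19.4 or newer.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
        # A request that completed its handshake under valid.domain.com but
        # then sends a different Host header is routed here by Host; drop it.
        return 444;
    }

    server {
        listen 443 ssl;
        server_name valid.domain.com;
        ssl_certificate     /etc/letsencrypt/live/valid.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/valid.domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # No "if ($host != ...)" needed: nginx only selects this server when
        # the request's Host matches server_name, so the per-location check in
        # the original config is redundant once a default_server exists.
        location / {
            proxy_pass http://jellyfin:8096;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
        }
    }
}
```

After reloading, `openssl s_client -connect 127.0.0.1:443 -servername image.tmdb.org` should fail during the handshake with an `unrecognized name` alert, while `-servername valid.domain.com` still completes and shows the Let's Encrypt certificate. This does not change where the container's connection to 143.244.56.49 ends up; it only makes that wrong destination fail loudly at the TLS layer rather than with a certificate for the wrong name.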