Nginx TCP proxy with ssl_preread seemingly hangs connections

my network topology is somewhat convoluted, but it’s something like:
server A: service ← caddy
server B simply contains an nginx stream proxy using ssl_preread to route based on the target domain name (SNI) of the stream

server A is hidden under both premise NAT and CGNAT, so it has to be connected to server B by maintaining a wireguard tunnel (with a keepalive of 5 seconds), and server B routes connections to server A through it

connections reaching the service hosted in server A occasionally hang, with serverside errors such as “Connection from client lost before response was sent”

by attempting to replace caddy with nginx, and by testing with clients from unrelated networks, I could rule out server A’s proxy and the networks of incoming requests from being the root cause

there seem to be three places that could be the root cause of the issue:

  1. the nginx proxy
  2. the wireguard tunnel
  3. the general infrastructure connecting server A to server B

option 1 seems to be the easiest to debug for now, which is why I’m here
does anyone have any ideas?

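For readers working through the same kind of setup, here is a constructed server B stream configuration (an added example, not the poster's config) that routes on SNI the way described above, but with bounded upstream timeouts, upstream TCP keepalives and a per-session log line, so that a dead or stalled tunnel shows up as a logged error instead of a silent hang. The hostname `app.example.com`, the tunnel address `10.0.0.2` and the log path are assumed placeholders.

```nginx
# Constructed example for server B; names, addresses and paths are placeholders.
stream {
    # Record the SNI that was routed on, the upstream picked, and timings,
    # so a hung session can be matched against the caddy / wireguard side.
    log_format sni '$remote_addr [$time_local] sni=$ssl_preread_server_name '
                   'upstream=$upstream_addr status=$status '
                   'connect=$upstream_connect_time session=$session_time '
                   'rx=$bytes_received tx=$bytes_sent';
    access_log /var/log/nginx/stream-sni.log sni;

    # Pick the backend from the ClientHello SNI (no TLS termination here).
    map $ssl_preread_server_name $backend {
        app.example.com   10.0.0.2:443;     # server A, reached over the wireguard tunnel
        default           127.0.0.1:8443;   # unknown names go to a local fallback
    }

    server {
        listen 443;
        ssl_preread on;

        # Fail fast if server A is unreachable through the tunnel.
        proxy_connect_timeout 5s;
        # Upper bound on an idle session in either direction; lower it while
        # debugging so stalls are logged rather than left open indefinitely.
        proxy_timeout 120s;
        # Upstream-side TCP keepalives keep an otherwise idle session moving
        # across the NAT/CGNAT path and the tunnel.
        proxy_socket_keepalive on;

        proxy_pass $backend;
    }
}
```

With this in place, a session that ends with a non-zero `$status` and a short `session=` value points at the proxy or tunnel path, while a normal status with a long session points back at the service on server A.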