Nginx+Docker cache reverse proxy - "SSL alert number 40"

I want to setup a local reverse proxy server.

Local client ==> Local proxy == upstream ==> openai api

I’m using Nginx inside docker.

Here is the nginx.conf

events {
    worker_connections 10;

http {
    proxy_ssl_trusted_certificate /sni-cloudflaressl-com.pem;

    proxy_cache_path /server_cache levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;

    server {
        listen 80;

        location /v1/chat/completions {
            proxy_pass <apiserveraddresshere>;
            proxy_set_header Host <apiserverhosthere>;
            proxy_set_header Connection '';
            proxy_http_version 1.1;
            proxy_cache my_cache;
            proxy_cache_methods POST;
            proxy_cache_key "$request_method$request_uri$request_body";
            proxy_cache_valid 200 4d;
            proxy_cache_valid 404 1m;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            proxy_cache_background_update on;
            proxy_cache_lock on;
            proxy_set_header Host $host;

        location /v1 {
            proxy_pass <apiserveraddresshere>;
            proxy_set_header Host $host;

But everytime the proxy forwards a request to the api, I get the following error:

[error] 29#29: *4 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream

I tried :

  • Explicity specifying the TLS protocols versions and the cyphers
  • Download and add the certificate of

None of this works so far.
Note that:

  • When forwarding requests to with that config, it will just work (no ssl errors).
  • Direct requests from my app the api works

The purpose of this is to save time and money on repetitive requests made by my app.

Help would be much appreciated !

I had the same problem and I have resolved it now. You can add a line to your nginx.conf file and then reload it to test if it works properly.

location /v1 {

proxy_ssl_server_name on;



Correct answer ! Thank you.
This is probably because they use cloudflare and cloudflare needs to know to what end-host you want to talk to during SSL handshake.

1 Like

Next issue I’m having is to solve the fact that the cache is not applied… $upstream_cache_status in log always returns “MISS” for some reasons…
Working on it.

Turned out the solution was to add
proxy_ignore_headers Cache-Control;
the api returns Cache-Control no-cache

1 Like

You should click on the heart at the end of the reply to let him know this and also let others know that this is a valuable answer.

1 Like