nginx does not work with "listen ... ssl", but works with the deprecated "ssl on" instead; very strange - V2EX
    ssbg2  2020-10-14 10:33:59 +08:00  4248 views
    As the title says: on a newly built server that is supposed to run NGINX as a reverse proxy, my previous configuration somehow does not take effect. The browser reports ERR_SSL_PROTOCOL_ERROR, and the logs also show that SSL is not being used. After a round of fiddling with no luck, I built another fresh virtual machine and installed nginx and openssl with yum.
    The version information is:

    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

    And the configuration is as follows:

    # For more information on configuration, see:
    # * Official English Documentation: http://nginx.org/en/docs/
    # * Official Russian Documentation: http://nginx.org/ru/docs/

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;

    events {
        worker_connections 1024;
    }

    http {
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;

        # Settings for a TLS enabled server.
        #
        server {
            # TLS is enabled only on the listen sockets that carry "ssl"; port 80 stays plaintext.
            listen 443 ssl http2 default_server;
            listen 80;
            listen [::]:443 ssl http2 default_server;
            keepalive_timeout 70;
            server_name www.xxx.com xxx.top;
            root /usr/share/nginx/html;

            ssl_certificate "/etc/letsencrypt/live/xxx.com/fullchain.pem";
            ssl_certificate_key "/etc/letsencrypt/live/xxx.com/privkey.pem";
            ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
            ssl_session_timeout 1d;
            ssl_protocols TLSv1.2;
            ssl_ciphers EECDH+AESGCM:EECDH+AES;
            ssl_ecdh_curve secp384r1;
            ssl_prefer_server_ciphers on;

            # OCSP stapling; ssl_stapling_verify checks the response against ssl_trusted_certificate above.
            ssl_stapling on;
            ssl_stapling_verify on;

            add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;

            client_max_body_size 100m;
            # index index.php;

            # Reverse proxy to the plaintext backend.
            location / {
                proxy_pass http://192.168.20.197;
                proxy_redirect off;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Cookie $http_cookie;
                chunked_transfer_encoding off;
            }

            error_page 404 /404.html;
            # The location must match the error_page URI (the stock config's "/40x.html" never matched).
            location = /404.html {
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }
        }
    }


    Nothing worked, so as a last resort I added "ssl on". The config check warns that it is deprecated, but with it the server actually works.


    What on earth is this? I have been at it since yesterday and am going crazy; I have searched all over Google and could not find the cause. Could someone point me in the right direction?
    6 replies    last reply 2020-10-15 11:01:00 +08:00
    1  jjeyz  2020-10-14 10:45:44 +08:00 via Android
    What is the error message for "listen doesn't work no matter what"?
    2  fangMu  2020-10-14 13:38:45 +08:00
    Try replacing the three listen directives with the following:
    listen 80;
    listen 443 ssl;
    3  masker  2020-10-14 13:59:30 +08:00 via Android
    Hard to say; post the error log.
    4  seers  2020-10-14 14:16:38 +08:00
    Add a 301 redirect on port 80.
    5  ssbg2 (OP)  2020-10-15 09:09:37 +08:00
    @jjeyz The access_log shows this:
    192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x89%\x07\xE2\xA9\x05\x8B\xF5\x98\x1A\xBCz\xEDs\x13T\x07m\xF1\xF17\xA5\xBB\x1C\xECo0G\x05G\x94q h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22" 400 157 "-" "-" "-"
    192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x8E\x04\x12\xD2\x9D\x5Cmjz\xF6u\x85\x03\xCD\xB1\xC6\xF8#\xA5\xE4d\xD24\x91\x05t\xC9\x03\xEE\xD9/\xE8 h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22\x8A\x8A\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-" "-"
    192.168.20.252 - - [14/Oct/2020:10:55:40 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x15jBHy{\x03" 400 157 "-" "-" "-"

    The error log shows this:
    2020/10/14 01:13:08 [debug] 28989#0: epoll: fd:14 ev:2001 d:00007F1D66D6F2E1
    2020/10/14 01:13:08 [debug] 28989#0: *103 http check ssl handshake
    2020/10/14 01:13:08 [debug] 28989#0: *103 http recv(): 0
    2020/10/14 01:13:08 [info] 28989#0: *103 client closed connection while SSL handshaking, client: 192.168.20.252, server: 0.0.0.0:80
    2020/10/14 01:13:08 [debug] 28989#0: *103 close http connection: 14
    2020/10/14 01:13:08 [debug] 28989#0: *103 event timer del: 14: 28423684
    2020/10/14 01:13:08 [debug] 28989#0: *103 reusable connection: 0
    2020/10/14 01:13:08 [debug] 28989#0: *103 free: 000055CC9FDA3450, unused: 232
    2020/10/14 01:13:08 [debug] 28989#0: timer delta: 0
    2020/10/14 01:13:08 [debug] 28989#0: worker cycle
    2020/10/14 01:13:08 [debug] 28989#0: epoll timer: -1
    2020/10/14 01:14:01 [debug] 28987#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28988#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28990#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28984#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28985#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28987#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28988#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28983#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28990#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28992#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28984#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28985#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28983#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28992#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28986#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28990#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28986#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28984#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28983#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28987#0: posix_memalign: 000055CC9FDA3450:512 @16
    2020/10/14 01:14:01 [debug] 28988#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28991#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28985#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28992#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28990#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28984#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28983#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28987#0: *104 accept: 192.168.20.252:25694 fd:20
    2020/10/14 01:14:01 [debug] 28986#0: accept() not ready (11: Resource temporarily unavailable)
    6  ssbg2 (OP)  2020-10-15 11:01:00 +08:00
    @fangMu Tried that, it doesn't work.

    @seers Doesn't work either; as soon as I turn off "ssl on", the handshake fails.