Mar*_*náš 3 nginx proxy https apache-2.2
我正在配置将用作反向代理的新 Nginx 服务器。我们有运行 Apache 的旧 Debian 服务器。在这个 apache 服务器上,只有 HTTPS 访问的站点我想隐藏在代理后面。
从代理到上游 Apache 的连接必须通过 HTTPS(服务器位于不同的位置,Apache 只允许 HTTPS 访问)。
我的问题是从 Nginx 到 Apache 的连接失败。从浏览器到上游通过 HTTPS 的正常连接没有问题。从同一代理到 Nginx 上游的连接有效。当 Nginx 尝试连接到上游 Apache 连接失败并重新协商握手失败时
来自代理 Nginx 的日志(调试级别)仅表示:
2016/04/07 15:51:08 [error] 5855#0: *1 upstream prematurely closed connection while reading response header from upstream, client: 94.113.97.9, server: procrastination.com, request: "GET / HTTP/1.1", upstream: "https://77.240.191.234:443/", host: "procrastination.com"
从上游 Apache 登录:
[Thu Apr 07 15:36:48 2016] [info] Initial (No.1) HTTPS request received for child 35 (server procrastination.com:443)
[Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(421): [client 83.167.254.21] Reconfigured cipher suite will force renegotiation
[Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Requesting connection re-negotiation
[Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(764): [client 83.167.254.21] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Awaiting re-negotiation handshake
[Thu Apr 07 15:36:58 2016] [error] [client 83.167.254.21] Re-negotiation handshake failed: Not accepted by client!?
我在代理上的 Nginx 站点配置:
server {
listen 80;
listen 443 ssl;
server_name procrastination.com *.procrastination.com;
###
# SSL
###
ssl on;
ssl_certificate /etc/ssl/localcerts/procrastination.com/fullchain.pem;
ssl_certificate_key /etc/ssl/localcerts/procrastination.com/privkey.pem;
##
# Logging Settings
##
access_log /var/log/nginx/procrastination_proxy-access.log;
error_log /var/log/nginx/procrastination_proxy-error.log debug;
include /etc/nginx/snippets/common;
include /etc/nginx/snippets/proxy_params;
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
}
}
代理上 nginx.conf 的 SSL 相关部分:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
上游的 Apache 站点配置:
<VirtualHost 77.240.191.234:80>
ServerName procrastination.com
ServerAlias *.procrastination.com
DocumentRoot /var/www/procrastination-production/build/current/www
php_value newrelic.appname /var/www/procrastination-production/build/current/www
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>
<VirtualHost 77.240.191.234:443>
ServerName procrastination.com
ServerAlias *.procrastination.com
DocumentRoot /var/www/procrastination-production/build/current/www
php_value newrelic.appname /var/www/procrastination-production/build/current/www
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ssl_procrastination_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl_procrastination_com.key
RewriteCond %{HTTP_HOST} !^www\..*$
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>
其他 Apache 配置值为默认值。
知道可能是什么原因或在哪里寻找更多诊断数据吗?
Mar*_*náš 10
解决了!
问题出在 Apache 上游的 SNI 中。Nginx 没有传递正确的参数,Apache 向他发送了错误的证书。
你需要设置 proxy_ssl_server_name on在 Nginx 配置中。
只是改变:
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
}
到:
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
proxy_ssl_server_name on;
}
| 归档时间: |
|
| 查看次数: |
3959 次 |
| 最近记录: |