nginx http proxy status 400 "400 Bad Request" with SSL client authentication and Rails

bjm*_*m88 4 ssl ruby-on-rails nginx unicorn

I'm having a really hard time debugging a problem with an nginx (v1.4) SSL client-authentication setup in front of a Rails (3.2)/unicorn app running on Ubuntu (v14).

DNS and server setup in AWS Route 53 and EC2. I have two subdomains

ca-uat.mydomain.com

uat.mydomain.com

uat.mydomain.com is non-client-auth and works fine; I can reach the Rails app. If I set nginx to

ssl_verify_client optional

I can also reach the Rails app. When I turn on

ssl_verify_client on

I get

nginx http proxy status 400 "400 Bad Request"

in the debug error log. It doesn't give a clear error as to why this is happening. I'm using wget to test and pass the certificate, and that seems to work...

wget 'https://ca-uat.mydomain.com/client-auth/sso-req' --no-check-certificate --certificate=/etc/ssl/nginx/uat-client.crt --private-key=/etc/ssl/nginx/uat-client.key

In the debug log I can see the client certificate being passed, and nginx even marks the verified-success header via

```nginx
proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
proxy_set_header X-SSL-ClIENT-S-DN   $ssl_client_s_dn;
proxy_set_header X-CLIENT-VERIFY $ssl_client_verify;
```

```
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-CLIENT-VERIFY: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "SUCCESS"
```

Here is the log snippet around the 400 message; any ideas welcome... Note that I have googled and read that this could be b/c of a large HTTP header size, but that doesn't seem to be the case here, since I added that config and it didn't help: large_client_header_buffers 8 64k;

Log:

```
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream dummy handler
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D728
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process header
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C85480:4096
2014/08/19 21:40:07 [debug] 16978#0: *75 recv: fd:15 28 of 4096
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy status 400 "400 Bad Request"
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header done
2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter header
2014/08/19 21:40:07 [debug] 16978#0: *75 HTTP/1.1 400 Bad Request
```

Nginx config:

```nginx
upstream unicorn {
    server unix:/home/deploy/mydomain/shared/sockets/unicorn.sock fail_timeout=0;
}

server {
    listen 443 ssl;
    server_name ca-uat.mydomain.com;
    error_log /var/log/nginx/ca-error.log debug;
    access_log /var/log/nginx/ca-access.log ;
    ssl on;
    ssl_certificate      /etc/ssl/mydomain/mydomain.com.combined.crt;
    ssl_certificate_key  /etc/ssl/mydomain/mydomain.pem;

    ssl_client_certificate /etc/ssl/mydomain/nginx/uat-ca.crt;
    ssl_verify_client optional;
    ssl_session_timeout 10m;

    location / {
        proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
        proxy_set_header X-SSL-ClIENT-S-DN   $ssl_client_s_dn;
        proxy_set_header X-CLIENT-VERIFY $ssl_client_verify;
        proxy_set_header  X-Real-IP       $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    large_client_header_buffers 8 64k;
    keepalive_timeout 10;
}
```

Full log:

2014/08/19 21:40:07 [debug] 16978#0: post event 0000000000C5D450

2014/08/19 21:40:07 [debug] 16978#0: delete posted event 0000000000C5D450

2014/08/19 21:40:07 [debug] 16978#0: accept on 0.0.0.0:443, ready: 0

2014/08/19 21:40:07 [debug] 16978#0: posix_memalign: 0000000000BF26E0:256 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 accept: 50.17.222.42 fd:14

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 14: 60000:1408484467625

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add event: fd:14 op:1 ev:80000001

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 http check ssl handshake

2014/08/19 21:40:07 [debug] 16978#0: *75 http recv(): 1

2014/08/19 21:40:07 [debug] 16978#0: *75 https ssl handshake: 0x16

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000BFBA10:256 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL server name: "ca-uat.caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_do_handshake: -1

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL handshake handler: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 verify:1, error:0, depth:1, subject:"/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com",issuer: "/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 verify:1, error:0, depth:0, subject:"/C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com",issuer: "/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_do_handshake: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 http wait request handler

2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: -1

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95150

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 http wait request handler

2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: 201

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: -1

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C91B20:4096 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 http process request line

2014/08/19 21:40:07 [debug] 16978#0: *75 http request line: "GET /client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com HTTP/1.1"

2014/08/19 21:40:07 [debug] 16978#0: *75 http uri: "/client-auth/sso-req"

2014/08/19 21:40:07 [debug] 16978#0: *75 http args: "userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http exten: ""

2014/08/19 21:40:07 [debug] 16978#0: *75 http process request header line

2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "User-Agent: Wget/1.15 (linux-gnu)"

2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Accept: */*"

2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Host: ca-uat.caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Connection: Keep-Alive"

2014/08/19 21:40:07 [debug] 16978#0: *75 http header done

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer del: 14: 1408484467625

2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 rewrite phase: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 test location: "/client-auth/"

2014/08/19 21:40:07 [debug] 16978#0: *75 using configuration "/client-auth/"

2014/08/19 21:40:07 [debug] 16978#0: *75 http cl:-1 max:4294967296

2014/08/19 21:40:07 [debug] 16978#0: *75 rewrite phase: 3

2014/08/19 21:40:07 [debug] 16978#0: *75 post rewrite phase: 4

2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 5

2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 6

2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 7

2014/08/19 21:40:07 [debug] 16978#0: *75 access phase: 8

2014/08/19 21:40:07 [debug] 16978#0: *75 access phase: 9

2014/08/19 21:40:07 [debug] 16978#0: *75 post access phase: 10

2014/08/19 21:40:07 [debug] 16978#0: *75 try files phase: 11

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C92B30:4096 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 http init upstream, client timer: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add event: fd:14 op:3 ev:80000005

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C84470:4096 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Real-IP: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Forwarded-For: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Forwarded-Proto: https

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Real-IP: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-FORWARDED_PROTO: https

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-SSL-CLIENT-CERT: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "-----BEGIN CERTIFICATE-----

MIIDijCCAnICAQEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlVTMQswCQYD

....

qhO0gNOKxEpF/vKAO3JQu7mRU6M3eWP8nsZG3H8vIXqKdWNjiXsZQQcpKbK8Og==

-----END CERTIFICATE-----"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-SSL-ClIENT-S-DN: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "/C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-CLIENT-VERIFY: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "SUCCESS"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "Host: "

2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "ca-uat.caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "Connection: close

"

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: ""

2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: ""

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header: "User-Agent: Wget/1.15 (linux-gnu)"

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header: "Accept: */*"

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header:

"GET /client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com HTTP/1.0

X-Real-IP: 50.17.222.42

X-Forwarded-For: 50.17.222.42

X-Forwarded-Proto: https

X-Real-IP: 50.17.222.42

X-FORWARDED_PROTO: https

X-SSL-CLIENT-CERT: -----BEGIN CERTIFICATE-----

MIIDijCCAnICAQEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlVTMQswCQYD

....
qhO0gNOKxEpF/vKAO3JQu7mRU6M3eWP8nsZG3H8vIXqKdWNjiXsZQQcpKbK8Og==

-----END CERTIFICATE-----

X-SSL-ClIENT-S-DN: /C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com

X-CLIENT-VERIFY: SUCCESS

Host: ca-uat.caredox.com

Connection: close

User-Agent: Wget/1.15 (linux-gnu)

Accept: */*



"

2014/08/19 21:40:07 [debug] 16978#0: *75 http cleanup add: 0000000000C84C60

2014/08/19 21:40:07 [debug] 16978#0: *75 get rr peer, try: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 socket 15

2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add connection: fd:15 ev:80000005

2014/08/19 21:40:07 [debug] 16978#0: *75 connect to unix:/home/deploy/caredox/shared/sockets/unicorn.sock, fd:15 #76

2014/08/19 21:40:07 [debug] 16978#0: *75 connected

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream connect: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C010B0:128 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream send request

2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer buf fl:1 s:1801

2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer in: 0000000000C93B20

2014/08/19 21:40:07 [debug] 16978#0: *75 writev: 1801

2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer out: 0000000000000000

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 15: 60000:1408484467633

2014/08/19 21:40:07 [debug] 16978#0: *75 http finalize request: -4, "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" a:1, c:2

2014/08/19 21:40:07 [debug] 16978#0: *75 http request count:2 blk:0

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70D98

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D728

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70F38

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70F38

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream dummy handler

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D728

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process header

2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C85480:4096

2014/08/19 21:40:07 [debug] 16978#0: *75 recv: fd:15 28 of 4096

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy status 400 "400 Bad Request"

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header done

2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter header

2014/08/19 21:40:07 [debug] 16978#0: *75 HTTP/1.1 400 Bad Request

Server: nginx/1.4.6 (Ubuntu)

Date: Tue, 19 Aug 2014 21:40:07 GMT

Transfer-Encoding: chunked

Connection: keep-alive



2014/08/19 21:40:07 [debug] 16978#0: *75 write new buf t:1 f:0 0000000000C84E98, pos 0000000000C84E98, size: 147 file: 0, size: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter: l:0 f:0 s:147

2014/08/19 21:40:07 [debug] 16978#0: *75 http cacheable: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy filter init s:400 h:0 c:0 l:-1

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process upstream

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe read upstream: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe preread: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 readv: 1:4068

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe recv chain: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe buf free s:0 t:1 f:0 0000000000C85480, pos 0000000000C8549C, size: 0 file: 0, size: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe length: -1

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe write downstream: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 pipe write downstream done

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer: 15, old: 1408484467633, new: 1408484467634

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream exit: 0000000000000000

2014/08/19 21:40:07 [debug] 16978#0: *75 finalize http upstream request: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 finalize http proxy request

2014/08/19 21:40:07 [debug] 16978#0: *75 free rr peer 1 0

2014/08/19 21:40:07 [debug] 16978#0: *75 close http upstream connection: 15

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C010B0, unused: 48

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer del: 15: 1408484467633

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream temp fd: -1

2014/08/19 21:40:07 [debug] 16978#0: *75 http output filter "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http copy filter: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 image filter

2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter body

2014/08/19 21:40:07 [debug] 16978#0: *75 http postpone filter "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" 00007FFF2CDD4C10

2014/08/19 21:40:07 [debug] 16978#0: *75 http chunk: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 write old buf t:1 f:0 0000000000C84E98, pos 0000000000C84E98, size: 147 file: 0, size: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 write new buf t:0 f:0 0000000000000000, pos 00000000004A165A, size: 5 file: 0, size: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter: l:1 f:0 s:152

2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter limit 0

2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C95560:256 @16

2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C972F0:16384

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL buf copy: 147

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL buf copy: 5

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL to write: 152

2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_write: 152

2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter 0000000000000000

2014/08/19 21:40:07 [debug] 16978#0: *75 http copy filter: 0 "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"

2014/08/19 21:40:07 [debug] 16978#0: *75 http finalize request: 0, "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" a:1, c:1

2014/08/19 21:40:07 [debug] 16978#0: *75 set http keepalive handler

2014/08/19 21:40:07 [debug] 16978#0: *75 http close request

2014/08/19 21:40:07 [debug] 16978#0: *75 http log handler

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C85480

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C91B20, unused: 8

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C92B30, unused: 0

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C84470, unused: 550

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95150

2014/08/19 21:40:07 [debug] 16978#0: *75 hc free: 0000000000000000 0

2014/08/19 21:40:07 [debug] 16978#0: *75 hc busy: 0000000000000000 0

2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C972F0

2014/08/19 21:40:07 [debug] 16978#0: *75 tcp_nodelay

2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1

2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 14: 10000:1408484417634

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70D98

2014/08/19 21:40:07 [debug] 16978#0: *75 http empty handler

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70D98

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70D98

2014/08/19 21:40:07 [debug] 16978#0: *75 http empty handler

2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588

2014/08/19 21:40:07 [debug] 16978#0: *75 http keepalive handler

2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024

2014/08/19 21:40:07 [deb

bjm*_*m88 6

I was able to solve my own problem and wanted to post this in the hope it helps someone else. This was a nasty one because it was a compound problem that looked like two separate issues.

  1. Passing the full certificate upstream to Rails seems to cause the 400 response. This is consistent with the large HTTP header situation, although I couldn't seem to avoid it by increasing it. Not sure whether the Rails app/Unicorn needs tuning. I ended up not needing that header at the application level, so I commented this out in the nginx config:

    proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;

  2. The environment is hosted on AWS EC2 behind an Elastic Load Balancer (ELB). This was the other problem, because it was not a TCP ELB but a regular HTTP-level ELB, so it terminates SSL at the ELB, which prevents effective two-way SSL (client authentication). I ended up configuring a separate EC2 instance just to support client-auth token issuance. Eventually I'll put a TCP-level ELB and a second instance in front of it, but if that is all this server does, it isn't necessary until scale.
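Why point 1 produces a 400, and the header-safe alternative, as an added Ruby example that is not the asker's code: proxy_set_header copies $ssl_client_cert verbatim, so the PEM's line breaks land inside the request head (the proxied request in the debug log shows exactly that), and a strict HTTP parser such as Unicorn's rejects the head; the 28 bytes nginx reads back from the Unicorn socket match the length of a bare "HTTP/1.1 400 Bad Request\r\n\r\n". Newer nginx (1.13.5+) provides $ssl_client_escaped_cert, which URL-encodes the PEM onto one line; CGI.escape stands in for that encoder here, and the certificate, DN and request line are constructed samples.

```ruby
require "openssl"
require "cgi"

# Constructed sample: a throwaway self-signed certificate standing in for the
# client certificate nginx exposes as $ssl_client_cert (not the asker's cert).
def sample_client_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/C=US/O=Example/OU=ClientUAT/CN=client-uat")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Assemble the request head the way proxy_set_header does: the variable's value
# is copied verbatim after "Name: ", so a multi-line PEM spills over raw lines.
def build_request_head(headers)
  lines = ["GET /client-auth/sso-req HTTP/1.0"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# RFC 7230 field line: a token, a colon, then a value free of CR, LF and other
# control characters (HTAB allowed). Strict parsers answer anything else with 400.
FIELD_LINE = /\A[!#%&'*+\-.^_`|~$0-9A-Za-z]+:[^\x00-\x08\x0A-\x1F\x7F]*\z/

# Returns the first header line a strict parser would reject, or nil if the
# head is well-formed (the blank line ends the header block).
def first_malformed_header_line(head)
  head.split("\r\n", -1).drop(1).each do |line|
    break if line.empty?
    return line unless line.match?(FIELD_LINE)
  end
  nil
end

# URL-encode the PEM onto a single line, as nginx's $ssl_client_escaped_cert
# (nginx 1.13.5+) does; CGI.escape stands in for nginx's own encoder here.
def escape_cert(pem)
  CGI.escape(pem)
end

# What the Rails side does with the escaped header: decode and parse it back.
def parse_cert_header(value)
  OpenSSL::X509::Certificate.new(CGI.unescape(value))
end

if __FILE__ == $PROGRAM_NAME
  pem  = sample_client_cert_pem
  raw  = build_request_head("X-SSL-CLIENT-CERT" => pem, "X-CLIENT-VERIFY" => "SUCCESS")
  safe = build_request_head("X-SSL-CLIENT-CERT" => escape_cert(pem), "X-CLIENT-VERIFY" => "SUCCESS")
  puts "raw PEM header rejected:     #{!first_malformed_header_line(raw).nil?}"
  puts "escaped PEM header rejected: #{!first_malformed_header_line(safe).nil?}"
  puts "subject seen by Rails:       #{parse_cert_header(escape_cert(pem)).subject}"
end
```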