V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
NGINX
NGINX Trac
3rd Party Modules
Security Advisories
CHANGES
OpenResty
ngx_lua
Tengine
在线学习资源
NGINX 开发从入门到精通
NGINX Modules
ngx_echo
hgjian
V2EX  ›  NGINX

请求帮助解决 Nginx 反代 google 在添加 upstream 的 SSL 握手失败问题,谢谢帮助!

  •  
  •   hgjian · 2017-02-22 14:38:14 +08:00 · 3040 次点击
    这是一个创建于 2815 天前的主题,其中的信息可能已经有所发展或是发生改变。
    配置文件如下:
    worker_processes auto;
    pid /run/nginx.pid;

    events {
    worker_connections 768;
    multi_accept on;
    use epoll;
    }

    http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    autoindex on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    types_hash_max_size 2048;
    gzip on;
    gzip_disable "msie6";
    server_tokens off;
    proxy_cache_path /var/www/cache/ levels=1:2 keys_zone=one:100m inactive=1d max_size=1g;
    proxy_cache_key $host$request_uri;


    # include /etc/nginx/conf.d/*.conf;
    # include /etc/nginx/sites-enabled/*;
    # 导入 sever 配置

    # **************************************************
    upstream google{
    server 172.217.6.99 max_fails=3 fail_timeout=10s;
    server 172.217.0.3 max_fails=3 fail_timeout=10s;
    server 172.217.1.35 max_fails=3 fail_timeout=10s;
    }
    # **************************************************

    server {
    listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/nginx/example.com/fullchain1.pem;
    ssl_certificate_key /etc/nginx/example.com/privkey1.pem;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
    {
    return 403;
    }
    if ( $host != "example.com" ) {
    return 403;
    }
    if ($scheme = http) {
    rewrite ^/(.*) https://$server_name/$1 permanent;
    }

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {

    access_log /etc/nginx/log.log;
    error_log /etc/nginx/error.log error;
    proxy_cache one;
    proxy_cache_valid 200 302 2h;
    proxy_cache_valid 404 1h;
    proxy_buffering off;

    proxy_pass https://google;

    proxy_redirect https://www.google.com/ /;
    proxy_redirect off;

    proxy_set_header Host $proxy_host;

    proxy_cookie_domain google.com example.com;

    proxy_set_header Accept-Encoding "";
    proxy_set_header referer "https://$proxy_host$request_uri";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header User-Agent $http_user_agent;
    proxy_set_header Accept-Language "zh-CN";
    proxy_set_header Cookie "PREF=ID=047818f19f6de346:U=0f622f33dd8549d11:FF=25:LD=zh-CN:NW=1:TM=1325238577:LM=1332342444:GM=5:SG=1:S=rE01SyJh2w1IQ-Maw";
    sub_filter_types text/css text/xml text/javascript application/json application/javascript;
    sub_filter www.google.com.hk example.com;
    sub_filter_once off;

    } # 结束 location
    location /textinputassistant {
    proxy_pass https://www.google.com/textinputassistant/;
    proxy_set_header Accept-Encoding "";
    } # 结束 location
    location /_ {
    proxy_pass https://apis.google.com/_/;
    proxy_set_header Accept-Encoding "";
    } # 结束 location
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    root html;
    } # 结束 location
    } # 结束 server
    } # 结束 http

    测试以后发现不能访问 google ,出现 如下的错误日志:
    13143#13143: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream

    本人英语不好, google 发现好多英文说明,可是看不懂啊,有大神帮忙解答一下不?
    8 条回复    2017-02-22 15:49:50 +08:00
    hgjian
        1
    hgjian  
    OP
       2017-02-22 14:42:52 +08:00
    我是按照网上搜索来的教程设置的,结果就是不行,有人可以帮忙解决一下吗?
    defunct9
        2
    defunct9  
       2017-02-22 14:58:46 +08:00
    这个方法不灵了,经常会让你输入识别码,用 sni 吧,也会被封。
    所以老老实实的 ss 吧
    hgjian
        3
    hgjian  
    OP
       2017-02-22 15:03:59 +08:00
    @defunct9 请问你说的 SS 是指 Shadowsocks 代理吗?
    uzumaki
        4
    uzumaki  
       2017-02-22 15:30:11 +08:00
    @hgjian 99%确定是 Shadowsocks
    defunct9
        5
    defunct9  
       2017-02-22 15:37:59 +08:00
    Yes ,it is.
    hgjian
        6
    hgjian  
    OP
       2017-02-22 15:40:58 +08:00
    @defunct9 @uzumaki 感谢回复。
    fudanglp
        7
    fudanglp  
       2017-02-22 15:46:25 +08:00
    hgjian
        8
    hgjian  
    OP
       2017-02-22 15:49:50 +08:00
    @fudanglp 谢谢,我去看一下
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1303 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 23:29 · PVG 07:29 · LAX 15:29 · JFK 18:29
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.