请求帮助解决 Nginx 反代 google 在添加 upstream 的 SSL 握手失败问题，谢谢帮助！

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

› NGINX

› NGINX Trac

› 3rd Party Modules

› Security Advisories

› CHANGES

› OpenResty

› ngx_lua

› Tengine

在线学习资源

› NGINX 开发从入门到精通

NGINX Modules

› ngx_echo

这是一个创建于 2815 天前的主题，其中的信息可能已经有所发展或是发生改变。

配置文件如下：
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
multi_accept on;
use epoll;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
autoindex on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120;
types_hash_max_size 2048;
gzip on;
gzip_disable "msie6";
server_tokens off;
proxy_cache_path /var/www/cache/ levels=1:2 keys_zone=one:100m inactive=1d max_size=1g;
proxy_cache_key $host$request_uri;

# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;
# 导入 sever 配置

# **************************************************
upstream google{
server 172.217.6.99 max_fails=3 fail_timeout=10s;
server 172.217.0.3 max_fails=3 fail_timeout=10s;
server 172.217.1.35 max_fails=3 fail_timeout=10s;
}
# **************************************************

server {
listen 80;
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/nginx/example.com/fullchain1.pem;
ssl_certificate_key /etc/nginx/example.com/privkey1.pem;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
{
return 403;
}
if ( $host != "example.com" ) {
return 403;
}
if ($scheme = http) {
rewrite ^/(.*) https://$server_name/$1 permanent;
}

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

location / {

access_log /etc/nginx/log.log;
error_log /etc/nginx/error.log error;
proxy_cache one;
proxy_cache_valid 200 302 2h;
proxy_cache_valid 404 1h;
proxy_buffering off;

proxy_pass https://google;

proxy_redirect https://www.google.com/ /;
proxy_redirect off;

proxy_set_header Host $proxy_host;

proxy_cookie_domain google.com example.com;

proxy_set_header Accept-Encoding "";
proxy_set_header referer "https://$proxy_host$request_uri";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Accept-Language "zh-CN";
proxy_set_header Cookie "PREF=ID=047818f19f6de346:U=0f622f33dd8549d11:FF=25:LD=zh-CN:NW=1:TM=1325238577:LM=1332342444:GM=5:SG=1:S=rE01SyJh2w1IQ-Maw";
sub_filter_types text/css text/xml text/javascript application/json application/javascript;
sub_filter www.google.com.hk example.com;
sub_filter_once off;

} # 结束 location
location /textinputassistant {
proxy_pass https://www.google.com/textinputassistant/;
proxy_set_header Accept-Encoding "";
} # 结束 location
location /_ {
proxy_pass https://apis.google.com/_/;
proxy_set_header Accept-Encoding "";
} # 结束 location
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
} # 结束 location
} # 结束 server
} # 结束 http

测试以后发现不能访问 google ，出现如下的错误日志：
13143#13143: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream

本人英语不好， google 发现好多英文说明，可是看不懂啊，有大神帮忙解答一下不？

8 条回复 • 2017-02-22 15:49:50 +08:00