V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
ssbg2
V2EX  ›  Linux

nginx 使用“listen ssl”不行,反倒是使用过时的“ssl on”才行,太奇怪了

  •  
  •   ssbg2 · 2020-10-14 10:33:59 +08:00 · 3561 次点击
    这是一个创建于 1504 天前的主题,其中的信息可能已经有所发展或是发生改变。
    如题,新搭建的服务器,上面要用 NGINX 做反向代理,然后之前的配置不知道为什么不生效,提示 ERR_SSL_PROTOCOL_ERROR,看日志也是不走 SSL,折腾了一圈也不行,后来又新建了一台虚拟机,用 yum 安装 nginx 和 openssl,
    信息如下:

    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'



    然后配置如下:



    # For more information on configuration, see:
    # * Official English Documentation: http://nginx.org/en/docs/
    # * Official Russian Documentation: http://nginx.org/ru/docs/

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;

    events {
    worker_connections 1024;
    }

    http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;


    # Settings for a TLS enabled server.
    #
    server {
    listen 443 ssl http2 default_server;
    listen 80;
    listen [::]:443 ssl http2 default_server;
    keepalive_timeout 70;
    server_name www.xxx.com xxx.top;
    root /usr/share/nginx/html;
    ssl_certificate "/etc/letsencrypt/live/xxx.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/xxx.com/privkey.pem";
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;


    client_max_body_size 100m;
    # index index.php;

    location / {
    proxy_pass http://192.168.20.197;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Cookie $http_cookie;
    chunked_transfer_encoding off;
    }


    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    }
    }


    怎么样都不行,然后不得已,加了个 ssl on,结果虽然检查说已经过时了,但是反而能用了。


    这是什么鬼?昨天搞到今天实在是抓狂了,谷歌翻了个遍也没找到原因,哪位大哥来给指点下?
    6 条回复    2020-10-15 11:01:00 +08:00
    jjeyz
        1
    jjeyz  
       2020-10-14 10:45:44 +08:00 via Android
    “listen 怎么都不可以”报错信息是什么?
    fangMu
        2
    fangMu  
       2020-10-14 13:38:45 +08:00
    三个 listen 改成下面试试
    listen 80;
    listen 443 ssl;
    masker
        3
    masker  
       2020-10-14 13:59:30 +08:00 via Android
    挺难的,贴错误日志
    seers
        4
    seers  
       2020-10-14 14:16:38 +08:00
    你在 80 端口加个 301 跳转
    ssbg2
        5
    ssbg2  
    OP
       2020-10-15 09:09:37 +08:00
    @jjeyz 看 access_log 是这样:
    192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x89%\x07\xE2\xA9\x05\x8B\xF5\x98\x1A\xBCz\xEDs\x13T\x07m\xF1\xF17\xA5\xBB\x1C\xECo0G\x05G\x94q h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22" 400 157 "-" "-" "-"
    192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x8E\x04\x12\xD2\x9D\x5Cmjz\xF6u\x85\x03\xCD\xB1\xC6\xF8#\xA5\xE4d\xD24\x91\x05t\xC9\x03\xEE\xD9/\xE8 h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22\x8A\x8A\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-" "-"
    192.168.20.252 - - [14/Oct/2020:10:55:40 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x15jBHy{\x03" 400 157 "-" "-" "-"

    看错误信息是这样:
    2020/10/14 01:13:08 [debug] 28989#0: epoll: fd:14 ev:2001 d:00007F1D66D6F2E1
    2020/10/14 01:13:08 [debug] 28989#0: *103 http check ssl handshake
    2020/10/14 01:13:08 [debug] 28989#0: *103 http recv(): 0
    2020/10/14 01:13:08 [info] 28989#0: *103 client closed connection while SSL handshaking, client: 192.168.20.252, server: 0.0.0.0:80
    2020/10/14 01:13:08 [debug] 28989#0: *103 close http connection: 14
    2020/10/14 01:13:08 [debug] 28989#0: *103 event timer del: 14: 28423684
    2020/10/14 01:13:08 [debug] 28989#0: *103 reusable connection: 0
    2020/10/14 01:13:08 [debug] 28989#0: *103 free: 000055CC9FDA3450, unused: 232
    2020/10/14 01:13:08 [debug] 28989#0: timer delta: 0
    2020/10/14 01:13:08 [debug] 28989#0: worker cycle
    2020/10/14 01:13:08 [debug] 28989#0: epoll timer: -1
    2020/10/14 01:14:01 [debug] 28987#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28988#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28990#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28984#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28985#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28987#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28988#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28983#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28990#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28992#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28984#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28985#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28983#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28992#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28986#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
    2020/10/14 01:14:01 [debug] 28991#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28990#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28986#0: accept on 0.0.0.0:80, ready: 0
    2020/10/14 01:14:01 [debug] 28984#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28983#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28987#0: posix_memalign: 000055CC9FDA3450:512 @16
    2020/10/14 01:14:01 [debug] 28988#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28991#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28985#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28992#0: accept() not ready (11: Resource temporarily unavailable)
    2020/10/14 01:14:01 [debug] 28990#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28984#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28983#0: timer delta: 53074
    2020/10/14 01:14:01 [debug] 28987#0: *104 accept: 192.168.20.252:25694 fd:20
    2020/10/14 01:14:01 [debug] 28986#0: accept() not ready (11: Resource temporarily unavailable)
    ssbg2
        6
    ssbg2  
    OP
       2020-10-15 11:01:00 +08:00
    @fangMu 试过了,不行

    @seers 也不行,只要关闭 ssl on,就无法成功握手了。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1335 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 18:01 · PVG 02:01 · LAX 10:01 · JFK 13:01
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.