nginx+http2:上游过早关闭连接,PROTOCOL_ERROR

tag-icon tag-icon nginx reverse-proxy http-2
nginx+http2:上游过早关闭连接,PROTOCOL_ERROR

在我的服务器上,我使用默认的docker运行nginxnginx图像(版本 1.13.8)作为 Lychee 的反向代理(使用奇妙瀑布/荔枝),一款用 PHP 编写的图片库软件。据我所知,Lychee 镜像本身也运行着 php7.1-fpm 版本的 nginx。

图库运行正常,只有当我尝试下载图片或相册时,浏览器才会出现奇怪的错误。Chromium 显示“失败 - 网络错误”,其他浏览器也会显示类似的错误消息。下载完成后会出现此错误,当使用保留失败下载的浏览器时,可以看到下载的文件实际上已经完成。

该错误仅当通过 nginx 访问 Lychee 并使用 HTTP/2 时才会出现。nginx 日志报告:

2018/01/15 15:37:34 [error] 8#8: *2960 upstream prematurely closed connection while sending to client, client: 192.168.255.1, server: example.com, request: "GET /2018/php/index.php?function=Photo::getArchive&photoID=123&password= HTTP/2.0", upstream: "http://10.93.1.23:8888/php/index.php?function=Photo::getArchive&photoID=123&password=", host: "example.com"

Lychee 日志未报告任何内容。

当尝试使用下载文件时curl -v,这是输出:

*   Trying 1.2.3.4...
* TCP_NODELAY set
* Connected to example.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [226 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2754 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=example.com
*  start date: Dec  4 10:54:54 2017 GMT
*  expire date: Mar  4 10:54:54 2018 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55e8df551160)
} [5 bytes data]
> GET /2018/php/index.php?function=Photo::getArchive&photoID=123&password= HTTP/2
> Host: example.com
> User-Agent: curl/7.57.0
> Accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200 
< server: nginx/1.13.8
< date: Mon, 15 Jan 2018 15:37:34 GMT
< content-type: application/octet-stream
< content-length: 530149
< x-powered-by: PHP/7.1.2
< set-cookie: PHPSESSID=123; path=/2018/
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-disposition: attachment; filename="IMG_4872.jpg"
< strict-transport-security: max-age=31536000
< 
{ [3691 bytes data]
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]

当使用 HTTP/1.1 下载时,一切正常:

*   Trying 1.2.3.4...
* TCP_NODELAY set
* Connected to example.com (1.2.3.4) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [223 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2754 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=example.com
*  start date: Dec  4 10:54:54 2017 GMT
*  expire date: Mar  4 10:54:54 2018 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> GET /2018/php/index.php?function=Photo::getArchive&photoID=1234&password= HTTP/1.1
> Host: example.com
> User-Agent: curl/7.57.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx/1.13.8
< Date: Mon, 15 Jan 2018 15:43:36 GMT
< Content-Type: application/octet-stream
< Content-Length: 530149
< Connection: keep-alive
< X-Powered-By: PHP/7.1.2
< Set-Cookie: PHPSESSID=1234; path=/2018/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Disposition: attachment; filename="IMG_4872.jpg"
< Strict-Transport-Security: max-age=31536000
< 
{ [3691 bytes data]
* Connection #0 to host example.com left intact

最后,这是直接访问Lychee时的输出:

*   Trying 10.93.1.23...
* TCP_NODELAY set
* Connected to 10.93.1.23 (10.93.1.23) port 8888 (#0)
> GET /php/index.php?function=Photo::getArchive&photoID=1234&password= HTTP/1.1
> Host: 10.93.1.23:8888
> User-Agent: curl/7.56.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 15 Jan 2018 15:46:06 GMT
< Content-Type: application/octet-stream
< Content-Length: 530149
< Connection: keep-alive
< X-Powered-By: PHP/7.1.2
< Set-Cookie: PHPSESSID=1234; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Disposition: attachment; filename="IMG_4872.jpg"
< 
{ [14070 bytes data]
* Connection #0 to host 10.93.1.23 left intact

我不明白为什么 nginx 说 Lychee 过早关闭了连接,而实际上整个文件已经传输完毕(Content-Length 也匹配),并且手动运行 curl 也没有显示任何错误。有人知道吗?

相关内容