我试图在 nginx 上为客户端设置 https,但失败了
上传证书文件并在服务器配置中进行设置后,尝试使用 https 访问服务器时出现“安全连接失败”(FF)
我不太了解 nginx,所以我遵循了教程和 nginx.conf 上的示例
证书文件不是我生成的,是我的客户发送给我的,所以我不能确定它们没问题
我的 nginx 配置
server {
listen 80;
server_name almap-intranet.almapbbdo.com.br;
charset utf-8;
root /var/www/html/wordpress;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
#try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
server {
listen 443 ssl http2 default_server;
ssl on;
ssl_certificate /etc/cert/almapbbdo.com.br.crt;
ssl_certificate_key /etc/cert/almapbbdo.com.br.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers 'EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
server_name almap-intranet.almapbbdo.com.br;
charset utf-8;
root /var/www/html/wordpress;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
#try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
nginx -t 表示配置正确
跑步
telnet almap-intranet.almapbbdo.com.br 443
它连接
跑步
curl -vvvvvv https://almap-intranet.almapbbdo.com.br
它给了我:
* Rebuilt URL to: https://almap-intranet.almapbbdo.com.br/
* Hostname was NOT found in DNS cache
* Trying 10.0.1.16...
* Connected to almap-intranet.almapbbdo.com.br (10.0.1.16) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to almap-intranet.almapbbdo.com.br:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to almap-intranet.almapbbdo.com.br:443
最后,尝试了
openssl s_client -debug -msg -connect almap-intranet.almapbbdo.com.br:443
它给了我这个:
CONNECTED(00000003)
>>> ??? [length 0005]
16 03 01 00 ab
>>> TLS 1.2Handshake [length 00ab], ClientHello
01 00 00 a7 03 03 7f af 3f af d0 5e f0 22 69 ce
19 29 e5 91 16 39 41 99 ac ed 2a 5c b0 8f 62 48
3a 28 64 e9 6a a0 00 00 38 c0 2c c0 30 00 9f cc
a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00
ff 01 00 00 46 00 0b 00 04 03 00 01 02 00 0a 00
0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00
16 00 00 00 17 00 00 00 0d 00 20 00 1e 06 01 06
02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03
01 03 02 03 03 02 01 02 02 02 03
write to 0x247a710 [0x248aea0] (176 bytes => 176 (0xB0))
0000 - 16 03 01 00 ab 01 00 00-a7 03 03 7f af 3f af d0 .............?..
0010 - 5e f0 22 69 ce 19 29 e5-91 16 39 41 99 ac ed 2a ^."i..)...9A...*
0020 - 5c b0 8f 62 48 3a 28 64-e9 6a a0 00 00 38 c0 2c \..bH:(d.j...8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14 .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 46 00 0b 00 04 03 00 .5./.....F......
0070 - 01 02 00 0a 00 0a 00 08-00 1d 00 17 00 19 00 18 ................
0080 - 00 23 00 00 00 16 00 00-00 17 00 00 00 0d 00 20 .#.............
0090 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01 ................
00a0 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03 ................
read from 0x247a710 [0x2481bd3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1540328518
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
似乎是握手错误,但我不知道为什么。我尝试寻找错误并尝试了许多随机修复方法,但无济于事:总是出现相同的错误
我该如何更好地调试和缩小范围?我的配置可以吗?非常欢迎任何帮助
答案1
不确定这是否与此有关,但我注意到在 curl 命令输出中我看到
CApath: /etc/ssl/certs
然而在你的 nginx.conf 文件中我看到
ssl_certificate /etc/cert/almapbbdo.com.br.crt;
ssl_certificate_key /etc/cert/almapbbdo.com.br.key;
证书是否存在于两个位置?如果是,它们是相同的文件吗?
还注意到,当我尝试使用命令从互联网扫描 almap-intranet.almapbbdo.com.br 时nmap almap-intranet.almapbbdo.com.br
Starting Nmap 6.00 ( http://nmap.org ) at 2018-10-23 15:39 PDT
Nmap scan report for almap-intranet.almapbbdo.com.br (179.191.94.182)
Host is up (0.20s latency).
rDNS record for 179.191.94.182: mvx-179-191-94-182.mundivox.com
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 16.17 seconds
可能是防火墙的问题,但我没有看到任何端口 443 打开。