haproxy error 400 when using option ssl-hello-chk

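When using the haproxy option ssl-hello-chk, I get 400 bad request errors in the apache ssl logs on the real hosts. My setup uses haproxy as a load balancer that takes ssl requests and passes them to the real hosts. As far as I know, "ssl-hello-chk" in haproxy sends an ssl hello message to the host to make sure the host is available. This is better than a plain tcp-only check. Any idea why it logs a 400 error, when the hello message shouldn't be logged at all? I'm also not sure whether it is working properly.

Thanks, Tevis G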

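Answer 1

You can increase the apache log level to get more information about the HAPROXY hello requests.

To see what is happening, you can use curl with verbose messages turned on:

curl -k -v https://real-https-apache.com

Curl should tell you about the different stages, including the client hello and the server hello.

Then also check the apache logs.

Such a curl request looks like this: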

$ curl -k -v https://graph.facebook.com
* About to connect() to graph.facebook.com port 443 (#0)
*   Trying 66.220.146.100... connected
* Connected to graph.facebook.com (66.220.146.100) port 443 (#0)
* error setting certificate verify locations, continuing anyway:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
*        start date: 2010-01-13 00:00:00 GMT
*        expire date: 2013-04-11 23:59:59 GMT
*        common name: *.facebook.com (matched)
*        issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1
> Host: graph.facebook.com
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private, no-cache, no-store, must-revalidate
< Expires: Sat, 01 Jan 2000 00:00:00 GMT
< Location: http://developers.facebook.com/docs/api
< Pragma: no-cache
< X-FB-Rev: 575092
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: sYq1u5Ffp1JE7p5IafErxiU6MNT6i1fXCEkn51nFxr8=
< Date: Mon, 18 Jun 2012 10:49:17 GMT
< Connection: keep-alive
< Content-Length: 0
< 
* Connection #0 to host graph.facebook.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
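
As an added illustration (not part of the original answer and not HAProxy's own code): the HAProxy documentation describes ssl-hello-chk as sending a pure SSLv3 client hello and analysing the response for a server hello. This Python example classifies the first record of a backend's reply to such a probe; the function names and sample bytes are constructed for the example.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello",
                   11: "certificate", 14: "server_hello_done"}


def classify_reply(data: bytes) -> str:
    """Classify the first record a backend returns after a ClientHello."""
    if not data:
        return "no-reply"
    if data[:5] == b"HTTP/":
        return "plaintext-http"  # the port answered in clear-text HTTP
    if len(data) < 5:
        return "truncated"
    # TLS record header: content type, version major/minor, body length
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return "not-tls"
    body = data[5:5 + length]
    if ctype == 21:  # alert body: level (2 = fatal), description code
        if len(body) < 2:
            return "truncated"
        level = "fatal" if body[0] == 2 else "warning"
        return f"alert-{level}-{body[1]}"
    if ctype == 22:  # handshake body starts with the message type
        if not body:
            return "truncated"
        return HANDSHAKE_TYPES.get(body[0], f"handshake-{body[0]}")
    return CONTENT_TYPES[ctype]


def build_server_hello() -> bytes:
    """Constructed SSLv3 ServerHello: zero random, no session id, AES128-SHA."""
    hello = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample replies, not captured traffic.
SAMPLES = {
    "server_hello": build_server_hello(),
    "fatal_alert": b"\x15\x03\x00\x00\x02\x02\x28",  # handshake_failure (40)
    "plain_http": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} -> {classify_reply(raw)}")
```

Only the first record is inspected here; nothing in it completes the handshake or sends an HTTP request, which is the difference from the full curl exchange shown above.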
