我正在配置新的 Nginx 服务器,它将用作反向代理。我们有旧的 Debian 服务器,其中 Apache 已启动并正在运行。在此 Apache 服务器上,我想隐藏在代理后面的仅具有 HTTPS 访问权限的站点。
从代理到上游 Apache 的连接必须通过 HTTPS(服务器位于不同位置且 Apache 仅允许 HTTPS 访问)。
我的问题是 Nginx 到 Apache 的连接失败。通过 HTTPS 从浏览器到上游的正常连接没有问题。从同一代理到 Nginx 上游的连接正常。当 Nginx 尝试连接到上游 Apache 连接失败时重新协商握手失败
来自代理 Nginx(调试级别)的日志仅显示:
2016/04/07 15:51:08 [error] 5855#0: *1 upstream prematurely closed connection while reading response header from upstream, client: 94.113.97.9, server: procrastination.com, request: "GET / HTTP/1.1", upstream: "https://77.240.191.234:443/", host: "procrastination.com"
来自上游 Apache 的日志:
[Thu Apr 07 15:36:48 2016] [info] Initial (No.1) HTTPS request received for child 35 (server procrastination.com:443)
[Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(421): [client 83.167.254.21] Reconfigured cipher suite will force renegotiation
[Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Requesting connection re-negotiation
[Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(764): [client 83.167.254.21] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Awaiting re-negotiation handshake
[Thu Apr 07 15:36:58 2016] [error] [client 83.167.254.21] Re-negotiation handshake failed: Not accepted by client!?
我的 Nginx 网站代理配置:
server {
listen 80;
listen 443 ssl;
server_name procrastination.com *.procrastination.com;
###
# SSL
###
ssl on;
ssl_certificate /etc/ssl/localcerts/procrastination.com/fullchain.pem;
ssl_certificate_key /etc/ssl/localcerts/procrastination.com/privkey.pem;
##
# Logging Settings
##
access_log /var/log/nginx/procrastination_proxy-access.log;
error_log /var/log/nginx/procrastination_proxy-error.log debug;
include /etc/nginx/snippets/common;
include /etc/nginx/snippets/proxy_params;
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
}
}
代理上 nginx.conf 的 SSL 相关部分:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
上游的 Apache 站点配置:
<VirtualHost 77.240.191.234:80>
ServerName procrastination.com
ServerAlias *.procrastination.com
DocumentRoot /var/www/procrastination-production/build/current/www
php_value newrelic.appname /var/www/procrastination-production/build/current/www
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>
<VirtualHost 77.240.191.234:443>
ServerName procrastination.com
ServerAlias *.procrastination.com
DocumentRoot /var/www/procrastination-production/build/current/www
php_value newrelic.appname /var/www/procrastination-production/build/current/www
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ssl_procrastination_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl_procrastination_com.key
RewriteCond %{HTTP_HOST} !^www\..*$
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>
其他 Apache 配置值均采用默认设置。
知道可能是什么原因或在哪里寻找更多诊断数据吗?
答案1
解决了!
问题出在 Apache 上游的 SNI 上。Nginx 没有传递正确的参数,Apache 向其发送了错误的证书。
您需要设置proxy_ssl_server_name on在 Nginx 配置中。
只是改变:
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
}
到:
location / {
proxy_pass https://brigita_https;
proxy_ssl_name $host;
proxy_ssl_server_name on;
}