大家好,
我有一个具有有效 SSL 证书的 nginx 反向代理(通过 lets encrypt 完成),但我无法使 SSL 正常工作。
upstream backend_haakselsenkwaaksels_nl {
server amaya.leonweemen.nl:9050;
}
server {
listen 80;
server_name haakselsenkwaaksels.nl;
return 301 https://$server_name$request_uri;
}
server {
listen 80;
server_name www.haakselsenkwaaksels.nl;
return 301 https://haakselsenkwaaksels.nl$request_uri;
}
server {
listen 443 ssl;
server_name haakselsenkwaaksels.nl;
ssl_certificate /domain-certificates/haakselsenkwaaksels.nl/fullchain.pem;
ssl_certificate_key /domain-certificates/haakselsenkwaaksels.nl/privkey.pem;
# ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/haakselsenkwaaksels.nl.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass https://backend_haakselsenkwaaksels_nl;
proxy_read_timeout 90;
proxy_redirect https://127.0.0.1:9050 https://haakselsenkwaaksels.nl;
}
}
nginx 说我的配置很好:
weemen@amaya:/domain-certificates# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
我只能在常规访问日志 (/var/log/nginx/access.log) 中获取数据
XXX.XXX.XXX.XXX - - [30/Dec/2016:10:20:26 +0000] "\x16\x03\x01\x00\xD3\x01\x00\x00\xCF\x03\x03\xBD\x07\xDA" 400 182 "-" "-"
XXX.XXX.XXX.XXX - - [30/Dec/2016:10:20:26 +0000] "\x16\x03\x01\x00\xD3\x01\x00\x00\xCF\x03\x03\xABFB\xC158\x8AE\xF7V\xEE\xE2}%i\xF4\x86!\xFA\xCE\xF7\xF4l\xF55\xD0%Ev\xEE\xFFb\x00\x00$\xAA\xAA\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xCC\x14\xCC\x13\xC0\x09\xC0\x13\xC0" 400 182 "-" "-"
如果我连接 openssl 客户端,我会看到以下内容:
~ openssl s_client -connect haakselsenkwaaksels.nl:443
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1483094367
Timeout : 300 (sec)
Verify return code: 0 (ok)
我尝试了很多方法,但我真的没有其他选择,有人在这个配置中看到什么奇怪的东西吗?
如果您需要更多信息,请告诉我。
已经提前致以很多很多的谢意了。
答案1
问题出在我的docker容器中。那里的证书不可读,因为它是一个符号链接。
weemen@amaya:/# ls -la
total 404
drwxr-xr-x 27 root root 4096 Dec 29 15:12 .
drwxr-xr-x 27 root root 4096 Dec 29 15:12 ..
lrwxrwxrwx 1 root root 21 Dec 15 12:08 domain-certificates -> /etc/letsencrypt/live
weemen@amaya:/domain-certificates/haakselsenkwaaksels.nl# ls -la
total 8
drwxr-xr-x 2 root root 4096 Dec 30 17:46 .
drwx------ 7 root root 4096 Dec 30 17:46 ..
lrwxrwxrwx 1 root root 46 Dec 30 17:46 cert.pem -> ../../archive/haakselsenkwaaksels.nl/cert3.pem
lrwxrwxrwx 1 root root 47 Dec 30 17:46 chain.pem -> ../../archive/haakselsenkwaaksels.nl/chain3.pem
lrwxrwxrwx 1 root root 51 Dec 30 17:46 fullchain.pem -> ../../archive/haakselsenkwaaksels.nl/fullchain3.pem
lrwxrwxrwx 1 root root 49 Dec 30 17:46 privkey.pem -> ../../archive/haakselsenkwaaksels.nl/privkey3.pem
我使用以下命令将此文件夹挂载到我的 Docker 容器中:
--mount type=bind,source=/domain-certificates,destination=/domain-certificates
只有 ../../archive 在那里不可用