Why does nginx limit connections from the same IP? Turning on a VPN fixes the problem


So, we use an nginx proxy internally as the front end for our production sites. This nginx proxy automatically provisions LetsEncrypt certificates for our sites.

However, when we access our website from the office, or from any location where two or more machines access our site, the second machine gets an extremely slow response from the HTTPS (443) site (it takes > 30 seconds for the port to open).

The HTTP (port 80) site works fine, with no performance degradation at all.


What I mean by slow is: if I run telnet nubela.co 443 from the second machine, the TCP connection takes 30+ seconds to be accepted.

However, if I run telnet nubela.co 80, it returns immediately (with a 302 status code redirecting to HTTPS).


The Nth machine (where N >= 2) is any machine that is active while machine 1 is also active. Machine 1 does not need to be actively browsing our production site for this to happen.

To reproduce this, you can try visiting https://nubela.co from one machine, then visit the site from another machine (on the same network). The first machine will load quickly, and the second machine will run into the performance problem.


I have no idea why this is happening. Can you help me?

Here is my nginx.conf

# See: https://github.com/h5bp/server-configs-nginx/ for reference

worker_processes auto;
# worker_rlimit_nofile 100000;

events {
    worker_connections 10240;
    multi_accept on;
}

http {
    # Send TCP fast
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    tcp_nodelay on;

    # Timeouts
    client_body_timeout 30s;
    client_header_timeout 15s;
    keepalive_timeout 20;  # overwrite this to be higher if over HTTPS
    keepalive_requests 5;
    reset_timedout_connection on;

    # Extra security
    server_tokens off; # disable exposing server details in headers
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";
    add_header "X-UA-Compatible" "IE=Edge"; # force latest IE

    # Content Types
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

    # Client request buffer sizes
    client_header_buffer_size    2k;
    client_body_buffer_size      2m;
    client_body_in_single_buffer on;
    client_max_body_size         1g;
    large_client_header_buffers  8 128k; # Will return 414/400 if request line or field is too large

    # For other backends
    proxy_buffers               64 32k;  # 2mb total
    proxy_buffer_size           32k;     # initial
    proxy_busy_buffers_size     512k;    # allow 1/4 busy

    # File descriptor metadata cache
    open_file_cache          off; # max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 1;
    open_file_cache_errors   on;

    # For websockets support
    map $http_upgrade $connection_upgrade {
        default Upgrade;
        ''      keep-alive;
    }

    # Gzip compression config
    gzip on;
    gzip_http_version 1.1;
    gzip_disable "msie6";
    gzip_proxied no_etag no_last_modified;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # text/html is always compressed by HttpGzipModule

    # SSL config
    # Note: TLSv1 and TLSv1.1 are still enabled here; both are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # Session resumption via the shared server-side cache only (tickets disabled)
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:100m;
    ssl_session_tickets off;

    ssl_buffer_size 1400;
    ssl_dhparam /opt/autossl/data/dhparam.pem;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    # ssl_stapling_verify only works if the issuer and root certificates are
    # configured as trusted via ssl_trusted_certificate; otherwise nginx logs a
    # warning and the stapled response is not verified
    ssl_stapling_verify on;

    include /opt/autossl/sites/*.conf;
}

Here is our vhost file

server {
    server_name {{ SERVER_NAMES }};

    listen 443 ssl;

    ssl_certificate /opt/autossl/data/certs/{{ DOMAIN_NAME }}.crt;
    ssl_certificate_key /opt/autossl/data/certs/{{ DOMAIN_NAME }}.key;

    # Note: an add_header at this level stops the http-level add_header from being
    # inherited into this server block. Also, the HSTS preload list requires
    # max-age >= 31536000 and includeSubDomains; 2592000 (30 days) is not preloadable
    add_header Strict-Transport-Security "max-age=2592000; preload";

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /opt/autossl/challenges/;
        try_files $uri =404;
    }

    location / {
        proxy_pass http://{{ UPSTREAM_ADDRESS }};
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-for $remote_addr;
        port_in_redirect off;
        proxy_connect_timeout 300;
    }
}

server {
    listen 80;
    server_name {{ SERVER_NAMES }};
    return 302 https://$host$request_uri;
}

I should add that this nginx deployment is rolled out with Ansible as a Docker container

- name: run autossl server
  docker:
    name: autossl
    image: "nubelacorp/nubela-autossl"
    state: reloaded
    pull: always
    restart_policy: always
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
    volumes:
      - '/opt/autossl/data:/opt/autossl/data'
    log_driver: 'json-file'
    log_opt:
      max-size: '50m'
      max-file: '2'
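
The telnet check described in the question (TCP connect on 443 taking 30+ seconds while port 80 answers immediately) can be made more precise by timing the two handshakes separately. The TCP three-way handshake is completed by the kernel and queued in the listen backlog before nginx ever calls accept(), so a delay in that phase points at the network path, NAT or conntrack state, or a full backlog (dropped SYNs being retransmitted), whereas a delay in the TLS handshake points at nginx's ssl_* configuration. The script below is an added diagnostic example, not code from the original post; the hostname nubela.co is taken from the question, and the 5-second threshold used by slow_phase is an assumption chosen for illustration.

```python
"""Time the TCP handshake and, optionally, the TLS handshake to host:port.

Added diagnostic example (not part of the original post). It mirrors the
`telnet nubela.co 443` check from the question but measures each phase:
the TCP three-way handshake finishes in the kernel before nginx accept()s
the connection, so a slow TCP phase is not caused by ssl_* settings, while
a slow TLS phase is.
"""
import socket
import ssl
import sys
import time


def measure_connect(host, port, timeout=60.0, tls=False):
    """Connect to host:port and return per-phase timings in seconds.

    Returns a dict with ok, error, tcp_seconds and tls_seconds (tls_seconds
    is None when tls=False or the TCP phase failed). Timeouts and refusals
    are reported in 'error' rather than raised.
    """
    result = {"host": host, "port": port, "ok": False, "error": None,
              "tcp_seconds": None, "tls_seconds": None}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))      # returns once SYN / SYN-ACK / ACK is done
        result["tcp_seconds"] = time.monotonic() - start
        if tls:
            ctx = ssl.create_default_context()
            start = time.monotonic()
            # wrap_socket() on an already connected socket runs the handshake
            # immediately (do_handshake_on_connect defaults to True).
            tls_sock = ctx.wrap_socket(sock, server_hostname=host)
            result["tls_seconds"] = time.monotonic() - start
            tls_sock.close()
        result["ok"] = True
    except OSError as exc:              # socket.timeout and ssl.SSLError are OSErrors
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()
    return result


def slow_phase(result, threshold=5.0):
    """Name the phase that exceeded `threshold` seconds: 'tcp', 'tls' or None.

    The 5-second default is an assumed illustration value, well below the
    30+ seconds reported in the question.
    """
    tcp = result.get("tcp_seconds")
    tls = result.get("tls_seconds")
    if tcp is not None and tcp > threshold:
        return "tcp"
    if tls is not None and tls > threshold:
        return "tls"
    return None


def compare_ports(host, ports=((80, False), (443, True)), timeout=60.0):
    """Measure each (port, use_tls) pair and return the list of results."""
    return [measure_connect(host, port, timeout=timeout, tls=use_tls)
            for port, use_tls in ports]


if __name__ == "__main__":
    # Usage: python tcp_tls_timing.py nubela.co   (run from the "second" machine)
    target = sys.argv[1] if len(sys.argv) > 1 else "nubela.co"
    for r in compare_ports(target):
        print(f"{r['host']}:{r['port']} ok={r['ok']} "
              f"tcp={r['tcp_seconds']} tls={r['tls_seconds']} "
              f"slow_phase={slow_phase(r)} error={r['error']}")
```

Run it from the first machine and then from the second machine while the first is still connected; if the second run shows a large tcp_seconds on 443 and a normal one on 80, the delay happens before nginx sees the connection, and the TLS settings in nginx.conf are not the place to look. The same split is available without Python via curl's -w option, which reports the TCP connect time as %{time_connect} and the TLS handshake completion as %{time_appconnect}.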

Answer 1

@Nubela I have tested with two different systems (MacBook Pros) on the same network, and your website loads just as fast as on the first system.

Your nginx config also looks fine. Checking your ISP or local caching settings may help you resolve this issue.
