nginx routing broken after server reboot

On a CentOS server I installed nginx, which acts as a proxy for several web applications. Nginx is configured to route requests for different hostnames to different backend servers.

The server was set up several months ago and everything has worked fine so far. After a reboot (which was very likely also the first reboot since nginx was configured), nginx no longer routes correctly: it routes all requests to the same backend, whatever the hostname!

I have verified the following:

  • All backend applications are running and listening on their respective ports (verified with netstat)
  • The nginx configuration has no errors (verified with sudo nginx -t)
  • Nginx is correctly reading all configuration files (verified with sudo nginx -T)
  • Nginx outputs no errors (/var/log/nginx/error.log is empty, and sudo journalctl -u nginx shows nothing that indicates an error)

The server in question hosts 4 applications (2 custom backend applications named "organizer" and "integration" in the config files, a mattermost server and a gitea GIT server). All http traffic is redirected to https.

Despite the configuration, everything gets redirected to organizer. If the organizer backend is down, nothing works.

Here is the configuration as output by nginx (domain names redacted), with irrelevant parts removed:

# configuration file /etc/nginx/nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

# configuration file /usr/share/nginx/modules/mod-http-geoip.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so";

# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";

# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";

# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

# configuration file /etc/nginx/conf.d/http_to_https.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# configuration file /etc/nginx/conf.d/integration.conf:
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     integration.mydomain.org;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;

    location / {
        proxy_pass      http://localhost:3080;
        proxy_set_header    Host        $host;
        proxy_set_header    X-Real-IP   $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify SUCCESS;
        proxy_set_header    X-Client-DN $ssl_client_s_dn;
        proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
        proxy_read_timeout  1800;
        proxy_connect_timeout   1800;
    }
}

# configuration file /etc/nginx/conf.d/mattermost.conf:
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     chat.mydomain.org;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;

    location / {
        proxy_pass      http://localhost:8065;
        proxy_set_header    Host        $host;
        proxy_set_header    X-Real-IP   $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify SUCCESS;
        proxy_set_header    X-Client-DN $ssl_client_s_dn;
        proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
        proxy_read_timeout  1800;
        proxy_connect_timeout   1800;
    }
}

# configuration file /etc/nginx/conf.d/git.conf:
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     git.mydomain.org;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/git.mydomain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/git.mydomain.org/privkey.pem; # managed by Certbot

    location / {
        proxy_pass      http://localhost:3000;
        proxy_set_header    Host        $host;
        proxy_set_header    X-Real-IP   $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify SUCCESS;
        proxy_set_header    X-Client-DN $ssl_client_s_dn;
        proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
        proxy_read_timeout  1800;
        proxy_connect_timeout   1800;
    }
}

# configuration file /etc/nginx/conf.d/organizer.conf:
server {
    listen          443 ssl http2;
    listen          [::]:443 ssl http2;
    server_name     organizer.mydomain.org;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/mydomain_wildcard.pem;
    ssl_certificate_key /etc/nginx/ssl/mydomain_wildcard.key;

    location / {
        proxy_pass      http://localhost:3080;
        proxy_set_header    Host        $host;
        proxy_set_header    X-Real-IP   $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify SUCCESS;
        proxy_set_header    X-Client-DN $ssl_client_s_dn;
        proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
        proxy_read_timeout  1800;
        proxy_connect_timeout   1800;
    }
}

This problem is quite puzzling; apart from the server not working as expected, I cannot find anything wrong. Does anyone see (or know of...) a reason why nginx would ignore its configuration and route everything to the same backend?

Additional information:

  • The nginx version is 1.12.2 (not updated since the server was installed)

Answer 1

Could you tell us which version of Nginx you are running now? Is it different from the version you originally installed?

Also, have you tried modifying the configuration to run one domain at a time, so you can look for more anomalous behavior and gather more information about this issue?

Answer 2

The cause of the problem has been found, and it has nothing to do with nginx at all!

Before I used nginx, there was only one backend application. I had set up some firewall rules that forwarded ports 80 and 443 to that single backend. When nginx was installed, the firewall rules were removed to make room for nginx - but apparently not permanently!

So at the time everything worked. Until the reboot, when the firewall rules were reloaded into their previous configuration. Despite checking netstat and iptables, everything looked fine.

The problem was discovered while trying nikpelgr's suggestion (one application at a time). I found that none of it mattered. After shutting down nginx, just to try, my server was still up...

Lessons learned:

  • Once everything is set up, try rebooting the server. If the server breaks, at least everything is still fresh in memory...
  • Netstat does not take firewalld into account.
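The check the question's verification list (netstat, nginx -t, nginx -T, the logs) was missing, and the one Answer 2 ends up needing, is a look at the nat table: a DNAT/REDIRECT rule in PREROUTING diverts a packet to a backend before any userspace listener, nginx included, ever sees it, so a listening socket reported by netstat proves nothing about where port 443 traffic actually goes. The script below is an added example written for this page, not code from either poster. It parses the output format of `iptables -t nat -S PREROUTING` for rules that divert a given list of ports; the rule text embedded as SAMPLE_NAT_RULES is constructed for the demo (the backend port 3080 is taken from the posted config), and the `live_check` function is the hypothetical wrapper you would run as root on the real host.

```shell
#!/bin/sh
# Added example (not from the original question or answers): detect nat-table
# port forwards that hijack ports 80/443 before nginx receives the connection.
# SAMPLE_NAT_RULES is constructed sample output of `iptables -t nat -S PREROUTING`
# on a host where firewalld has reloaded an old single-backend forward rule.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "firewalld" -j PREROUTING_direct
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3080
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3000'

# find_hijacked_ports RULES PORT...
# RULES is the text of the PREROUTING chain (iptables -S format). Prints one
# line per DNAT/REDIRECT rule whose --dport is one of PORT..., and returns 0
# if any diversion was found, 1 if every listed port reaches the local
# listener untouched. The trailing "( |$)" keeps 80 from matching 8080.
find_hijacked_ports() {
    rules="$1"; shift
    found=1
    for port in "$@"; do
        matches=$(printf '%s\n' "$rules" \
            | grep -E -- "--dport ${port}( |$)" \
            | grep -E -- '-j (DNAT|REDIRECT)' || true)
        if [ -n "$matches" ]; then
            printf 'port %s is diverted before nginx: %s\n' "$port" "$matches"
            found=0
        fi
    done
    return $found
}

# live_check: hypothetical wrapper for the real host (run as root). Shows the
# forwards firewalld itself knows about, then the raw nat rules, since a rule
# added by hand or by a "direct" rule file may not appear in the first list.
live_check() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --list-forward-ports
        firewall-cmd --direct --get-all-rules
    fi
    find_hijacked_ports "$(iptables -t nat -S PREROUTING 2>/dev/null)" 80 443
}

# Demo against the constructed sample: reports ports 80 and 443 both DNATed
# to 127.0.0.1:3080, which matches the symptom of every hostname landing on
# the "organizer" backend regardless of the nginx server_name blocks.
find_hijacked_ports "$SAMPLE_NAT_RULES" 80 443 || echo "no diversion found"
```

On the real host, run `live_check` as root; if it reports a diversion, remove the forward with the same tool that created it (for firewalld a `--permanent --remove-forward-port`, otherwise the matching `iptables -t nat -D PREROUTING ...`) so it does not return on the next reboot, then confirm with `ss -tlnp` or netstat that nginx, not the backend, is what answers on 443.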
