I am getting a lot of lines like these in the error log:

```
[info] 7521#7521: *1061 peer closed connection in SSL handshake while SSL handshaking, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7521#7521: *1063 client closed connection while waiting for request, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7522#7522: *1369 client prematurely closed connection while sending response to client
[info] SSL_write() failed (104: Connection reset by peer) while sending response to client
```
As you can see, it is an `[info]`, so I don't know whether this is really a problem, but since yesterday my web server has been returning errors. I don't know exactly which errors; Cloudflare says "the web server returned an unknown error", and sometimes it returns "SSL handshake failed".

These errors started yesterday, but it happens regularly (every 7-10 days). I thought it was a network problem at the host, but they say the network is fine... so I'm a bit lost.

I googled these errors, but everyone who ran into them uses nginx as a reverse proxy, which I don't.

Does anyone know how I can fix it? Any help is welcome.

This is my nginx.conf:
```nginx
load_module modules/ngx_http_modsecurity_module.so;
user nginx;
worker_processes auto;
#worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1000;
    use epoll;
    multi_accept on;
}

http {
    limit_req_zone $http_x_forwarded_for zone=limit_req:10m rate=80r/s;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    client_header_timeout 60s;
    client_body_timeout 60s;
    client_max_body_size 2m;
    client_header_buffer_size 4k;
    client_body_buffer_size 1600k;
    large_client_header_buffers 2 2k;
    send_timeout 60s;
    keepalive_timeout 15 15;
    reset_timedout_connection on;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    ignore_invalid_headers on;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    include mime.types;
    default_type application/octet-stream;

    # Compression gzip
    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
    gzip_min_length 256;
    gzip_comp_level 6;
    gzip_buffers 32 16k;
    gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_file_cache max=5000 inactive=30s;
    open_log_file_cache max=1024 inactive=30s min_uses=2;

    # Php cache
    fastcgi_cache_path /var/cache/fastcgi levels=1:2 keys_zone=phpcache:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;

    # SSL Settings
    ssl_certificate /etc/nginx/ssl/cf_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cf_key.pem;
    ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_buffer_size 4k;

    # Logs
    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    #access_log /var/log/nginx/access.log main;
    access_log off;

    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    # Include additional configuration
    include /etc/nginx/cloudflare.inc;
    etag off;
    server_tokens off;

    # Headers
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options deny always;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen 443 ssl http2;
        server_name domain.com;
        root /home/user/domain/public;
        index index.php index.html;
        access_log /var/log/domain/domain.com.bytes bytes;
        access_log /var/log/domain/domain.com.log combined buffer=64k flush=3m;
        error_log /var/log/domain/domain.com.error.log info;
        underscores_in_headers on;
        include /etc/nginx/alias.conf;

        location / {
            include /etc/nginx/url_rewrite.conf;

            location ~ [^/]\.php(/|$) {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
                fastcgi_buffering off;
                fastcgi_cache phpcache;
                fastcgi_cache_valid 200 60m;
                fastcgi_cache_methods GET;
                limit_req zone=limit_req burst=2;
                limit_req_status 429;
            }
        }

        location ~ /\. { access_log off; deny all; return 404; }
        disable_symlinks if_not_owner from=/home/user/domain/public;
    }
}
```
Answer 1

I doubt these are connection problems, because the client closed the connection in a clean way. More likely, a port scanner is checking what is hiding behind port 443 (it may be in for a surprise :-) ).

You can get a similar effect with:

```sh
telnet example.com https < /dev/null
openssl s_client -connect example.com:https < /dev/null
openssl s_client -connect example.com:https <<EOF
GET / HTTP/1.1
Host: example.com

EOF
```
Edit: the port scanner's behaviour is easier to understand if you pretend you do not know what is running on port 443:

- It connects to the port and waits for the server banner (sent by `SMTP`, `IMAP`, `SSH` and other kinds of servers). After a timeout, it disconnects.
- It connects to the port, performs a TLS handshake and waits for the server banner (sent by the TLS versions of the previous protocols). After a timeout, it disconnects.
- It tries to send an HTTP request. Since it is not interested in the page, it disconnects and infers that you are running an HTTP server.
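The three probe stages described in the answer leave different "while ..." phrases in the nginx error log: a disconnect during the TLS handshake, a disconnect while nginx is waiting for the request, and (only for real page loads) a disconnect while nginx is sending the response. A defender can use that phrase to separate scanner noise from broken requests. The following is an added example, not code from the question or the answer: it parses error_log lines of the shape quoted above, counts events per client IP by connection phase, and lists the clients whose every logged event happened before any HTTP request arrived. The log lines, timestamps, and the second and third client addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not taken from a real server) in the shape of the
# nginx error_log entries quoted in the question; timestamps are placeholders.
SAMPLE_LOG = """\
2000/01/01 00:00:01 [info] 7521#7521: *1061 peer closed connection in SSL handshake while SSL handshaking, client: 198.41.231.201, server: 0.0.0.0:443
2000/01/01 00:00:02 [info] 7521#7521: *1063 client closed connection while waiting for request, client: 198.41.231.201, server: 0.0.0.0:443
2000/01/01 00:00:03 [info] 7522#7522: *1369 client prematurely closed connection while sending response to client, client: 203.0.113.7, server: 0.0.0.0:443, request: "GET / HTTP/1.1", host: "domain.com"
2000/01/01 00:00:04 [info] 7522#7522: *1370 SSL_write() failed (104: Connection reset by peer) while sending response to client, client: 203.0.113.7, server: 0.0.0.0:443, request: "GET / HTTP/1.1", host: "domain.com"
2000/01/01 00:00:05 [error] 7522#7522: *1371 open() "/home/user/domain/public/favicon.ico" failed (2: No such file or directory), client: 203.0.113.9, server: domain.com, request: "GET /favicon.ico HTTP/1.1", host: "domain.com"
"""

# "<date> <time> [level] <pid>#<tid>: *<connection> <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'(?:\*(?P<conn>\d+) )?(?P<msg>.*)$'
)
CLIENT_RE = re.compile(r'client: (?P<client>[0-9a-fA-F.:]+)')
REQUEST_RE = re.compile(r'request: "(?P<request>[^"]*)"')

# Connection phase at which nginx logged the event, keyed on the
# "while ..." wording nginx uses in these messages.
PHASES = (
    ("while SSL handshaking", "tls_handshake"),
    ("while waiting for request", "awaiting_request"),
    ("while reading client request", "reading_request"),
    ("while sending response", "sending_response"),
)
# Disconnects in these phases happened before any HTTP request was sent.
PRE_REQUEST = {"tls_handshake", "awaiting_request"}


def classify(msg):
    """Map an error_log message to a connection phase name."""
    for marker, phase in PHASES:
        if marker in msg:
            return phase
    return "other"


def parse_line(line):
    """Return a dict for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["msg"])
    r = REQUEST_RE.search(rec["msg"])
    rec["client"] = c.group("client") if c else None
    rec["request"] = r.group("request") if r else None
    rec["phase"] = classify(rec["msg"])
    return rec


def summarize(text):
    """Count events per client IP, broken down by connection phase."""
    per_client = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["client"]:
            per_client[rec["client"]][rec["phase"]] += 1
    return per_client


def scanner_like(per_client):
    """Clients whose every logged event is a pre-request disconnect: they
    opened TCP/TLS and left without sending a request, which matches the
    probe pattern in the answer rather than a failed page load."""
    return sorted(
        ip for ip, phases in per_client.items()
        if set(phases) <= PRE_REQUEST
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, phases in sorted(summary.items()):
        print(ip, dict(phases))
    print("scanner-like:", scanner_like(summary))
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of the `error_log` path from the server block (`/var/log/domain/domain.com.error.log` in the question's config, which is already at `info` level). Clients that only ever appear in `tls_handshake` or `awaiting_request` are the answer's port scanner; an IP that shows up in `sending_response` had a request accepted and then went away, which is the case worth correlating with the Cloudflare-side errors.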