Nginx 反向代理覆盖证书

2024-6-1 • tag-icon

我在尝试使用 NGINX 作为反向代理覆盖证书时遇到问题，将所有请求转发到具有旧证书（TLS 1.0）的 Apache 服务器

这是我的 .conf 文件的输出：

server {
listen        80;
server_name   provision.metrotel.com.ar;
return 301 https://provision.metrotel.com.ar$request_uri;
}

server {
listen 443 ssl http2;
server_name provision.metrotel.com.ar;
ssl_certificate /etc/nginx/certs/metrotel.crt;
ssl_certificate_key /etc/nginx/certs/metrotel.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error_prov.log;
location / {
proxy_pass http://prov.metrotel.com.ar/;
proxy_ssl_certificate           /etc/nginx/certs/metrotel.crt;
proxy_ssl_certificate_key       /etc/nginx/certs/metrotel.key;

}
}

http://prov.metrotel.com.ar/是网站所在的服务器，并且它有旧证书。有没有办法使用我 nginx 反向代理中的证书覆盖该证书？

我尝试了几种方法，但总是得到“NET::ERR_SSL_OBSOLETE_VERSION”

客户端 Chrome 开启（172.20.1.4）

代理（srv-nginx-a.metrotel.local 上的 Nginx -192.168.151.112）

后端（prov.metrotel.com.ar）192.168.59.20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0

11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0

11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535

11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0

11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152

11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0

11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51

11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0

11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713

11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0

11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460,sackOK,TS val 
180831520 ecr 0,nop,wscale 7], length 0

11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 5792, options [mss 1460,sackOK,TS val 3558238853 ecr 180831520,nop,wscale 7], length 0

11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 0

11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0

11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found

11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0

11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831521 ecr 3558238854], length 0

11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895

11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: 
Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0

11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713

11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460,sackOK,TS val 180831594 ecr 0,nop,wscale 7], length 0

11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 5792, options [mss 1460,sackOK,TS val 3558238928 ecr 180831594,nop,wscale 7], length 0

11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 0

11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0

11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0

11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found

11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0

11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0

11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831596 ecr 3558238928], length 0

11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895

11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 180831596], length 0

11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0

答案1

ssl_protocols TLSv1.2 TLSv1.3;尝试通过添加到您的部分来打开 TLS1.2 和 1.3 server，如下所示：

server {
    listen        80;
    server_name   provision.metrotel.com.ar;
    return 301 https://provision.metrotel.com.ar$request_uri;
    ssl_protocols TLSv1.2 TLSv1.3;
}

答案2

在 wireshark pcap 上，客户端 (Chrome) 和代理 (Nginx) 之间的连接是 TLS 1.2。另一部分 (Nginx-Apache 旧 TLS) 仅为 HTTP。代理工作正常，客户端和服务器之间“无”连接，代理始终处于中间。

答案1

答案2

相关内容