我在尝试使用 NGINX 作为反向代理覆盖证书时遇到问题,将所有请求转发到具有旧证书(TLS 1.0)的 Apache 服务器
这是我的 .conf 文件的输出:
server {
listen 80;
server_name provision.metrotel.com.ar;
return 301 https://provision.metrotel.com.ar$request_uri;
}
server {
listen 443 ssl http2;
server_name provision.metrotel.com.ar;
ssl_certificate /etc/nginx/certs/metrotel.crt;
ssl_certificate_key /etc/nginx/certs/metrotel.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error_prov.log;
location / {
proxy_pass http://prov.metrotel.com.ar/;
proxy_ssl_certificate /etc/nginx/certs/metrotel.crt;
proxy_ssl_certificate_key /etc/nginx/certs/metrotel.key;
}
}
http://prov.metrotel.com.ar/是网站所在的服务器,并且它有旧证书。有没有办法使用我 nginx 反向代理中的证书覆盖该证书?
我尝试了几种方法,但总是得到“NET::ERR_SSL_OBSOLETE_VERSION”
客户端 Chrome 开启(172.20.1.4)
代理(srv-nginx-a.metrotel.local 上的 Nginx -192.168.151.112)
后端(prov.metrotel.com.ar)192.168.59.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0
11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535
11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0
11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152
11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0
11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51
11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0
11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713
11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0
11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460,sackOK,TS val
180831520 ecr 0,nop,wscale 7], length 0
11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 5792, options [mss 1460,sackOK,TS val 3558238853 ecr 180831520,nop,wscale 7], length 0
11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 0
11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0
11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0
11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831521 ecr 3558238854], length 0
11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895
11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190:
Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0
11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0
11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713
11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460,sackOK,TS val 180831594 ecr 0,nop,wscale 7], length 0
11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 5792, options [mss 1460,sackOK,TS val 3558238928 ecr 180831594,nop,wscale 7], length 0
11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 0
11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS
val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0
11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0
11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found
11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0
11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0
11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS
val 180831596 ecr 3558238928], length 0
11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895
11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 180831596], length 0
11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0
答案1
ssl_protocols TLSv1.2 TLSv1.3;
尝试通过添加到您的部分来打开 TLS1.2 和 1.3 server
,如下所示:
server {
listen 80;
server_name provision.metrotel.com.ar;
return 301 https://provision.metrotel.com.ar$request_uri;
ssl_protocols TLSv1.2 TLSv1.3;
}
答案2
在 wireshark pcap 上,客户端 (Chrome) 和代理 (Nginx) 之间的连接是 TLS 1.2。另一部分 (Nginx-Apache 旧 TLS) 仅为 HTTP。代理工作正常,客户端和服务器之间“无”连接,代理始终处于中间。