nginx 1.10 代理https 釘一釘
環境:
centos6.5
nginx:1.10
openssl:1.0.1e-15
測試樣例一:
web訪問 https協議的URL https://test.xx.com/demo
nginx 開啟證書配置,代理後端非安全協議的url,例如:http://xx.xx.com/xx
server {
listen 443;
server_name test.xxxx.com;
ssl on;
ssl_certificate /etc/nginx/key_file/xxxx.crt;
ssl_certificate_key /etc/nginx/key_file/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/test.access.log;
error_log /var/log/nginx/test.error.log;
index index.html index.htm index.php index.jsp;
location /demo{
proxy_pass http://x.x.x.x/demo;
proxy_redirect off;
client_max_body_size 8m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 60s;
}
}
前端訪問 https://test.xx.com/demo
這種模式在普通的後端server可以正常訪問頁面(數據轉發之類的),但在負責多樣式的頁面調試會出現相關樣式調用錯誤。
測試樣例二:
web訪問 https協議的URL https://test.xx.com/demo
nginx 開啟證書配置,代理後端安全協議的url,例如:https://xx.xx.com/xx
server {
listen 443;
server_name test.xxxx.com;
ssl on;
ssl_certificate /etc/nginx/key_file/xxxx.crt;
ssl_certificate_key /etc/nginx/key_file/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/test.access.log;
error_log /var/log/nginx/test.error.log;
index index.html index.htm index.php index.jsp;
location /demo{
proxy_pass https://x.x.x.x/demo;
proxy_redirect off;
client_max_body_size 8m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 60s;
}
}
這種模式比較消耗後端性能。
此時:後端server https://172.10.18.34:8443/mpweb訪問正常,
前端訪問 https://test.xxxx.com/demo報502 錯誤,查訪問日誌
在代理與後端server之間的ssl協議會話的時候,出現一下錯誤:
[error] 7957#7957: *720292 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: x.x.x.x, server: test.huiepay.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://172.10.18.34:8443/favicon.ico", host: "test.xxxx.com", referrer: "https://test.xxxx.com/mpweb"
通過測試樣例一可以得出,排除後端server問題,依然是代理錯誤。
通過elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group”根據這個報錯信息判斷是的 可以判斷出: openssl什麽版本
升級openssl以後
訪問正常
總結:nginx代理ssl時候,有兩種模式:
1、代理後端非ssl url
2、代理後端ssl url,此種方法一定註意openssl的版本,日誌會有詳細的說明,升級到最新的openssl版本再試。
本文出自 “歡迎光臨wenchy博客” 博客,請務必保留此出處http://wenchylinux.blog.51cto.com/1340633/1967624
nginx 1.10 代理https 釘一釘