Nginx + Apache2 + Let's Encrypt does not display the page on iPhone

I have nginx with a Let's Encrypt SSL certificate, and it works fine except on newer iOS with Safari. It works on the iPhone 4, but not on the iPhone 5 and newer.

I see multiple requests in the nginx log:

    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"

... and ends with 499 code

    IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 499 5998 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"

and a blank page in Safari.

The http section of the nginx configuration:

    ##
    # SSL Settings
    ##

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;

The server section for the domain:

    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:40011/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Nginx is used together with Apache 2.4.23:

    <VirtualHost localhost:40011>
        Protocols h2 http/1.1
        AddDefaultCharset UTF-8
        ServerName localhost
        ServerAdmin [email protected]
        DocumentRoot /var/www/domain.com/public
        DirectoryIndex index.php
        SetEnvIf X-Forwarded-Proto https HTTPS=on

        <Directory /var/www/domain.com/public>
            Order Allow,Deny
            Allow From All
            AllowOverride None
            Options FollowSymLinks
        </Directory>
    </VirtualHost>

And the Apache log contains the same requests:

    127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    ::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
    ::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6121 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"

…and still a blank page in Safari.

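This does not seem to be a problem with SSL (or Let's Encrypt). In fact, the requests showing up in your log files confirm that the request went through fine (the SSL handshake is completed before the actual request reaches the server).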

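A bit of searching for nginx http 499 shows that nginx uses this (unofficial) return code to indicate that the client closed the connection before nginx was able to send an answer.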

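The most likely cause is that a script on the server takes a long time to run, and the client assumes the connection has timed out and closes it. This can be addressed by reducing the time a script is allowed to run (if nginx supports this; I know it can be done with Apache). Of course this does not solve the actual problem; it only changes the error code and reports it to the client.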

If the cause is a long-running script, you will have to debug the script on the server side to determine which part takes so long.

Another possibility is that the client is a mobile device, which may lead to lost connections.
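A way to find the pattern described above in an access log, as an added example that is not part of the original answer: it groups nginx combined-format lines by client, second, request and user agent, and reports groups that repeat and include a 499. The sample lines, the shortened user agent and the function name `find_aborted_bursts` are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: client, timestamp, request line, status, bytes, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample modelled on the log lines in the question (documentation addresses).
UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) Safari/602.1"
SAMPLE_LOG = "\n".join(
    [f'192.0.2.10 - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "-" "{UA}"'] * 4
    + [f'192.0.2.10 - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 499 5998 "-" "{UA}"',
       '192.0.2.20 - - [03/Dec/2016:10:08:09 +0000] "GET /a.css HTTP/1.1" 200 812 "-" "curl/7.50"',
       'not an access log line']
)


def find_aborted_bursts(log_text, min_repeats=3):
    """Return bursts where one client repeated a request in the same second
    and at least one attempt was logged as 499 (client closed the connection)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        key = (m["client"], m["ts"], m["request"], m["agent"])
        groups[key].append(int(m["status"]))
    bursts = []
    for (client, ts, request, agent), statuses in groups.items():
        if len(statuses) >= min_repeats and 499 in statuses:
            bursts.append({"client": client, "time": ts, "request": request,
                           "attempts": len(statuses), "aborted": statuses.count(499)})
    return bursts


if __name__ == "__main__":
    for burst in find_aborted_bursts(SAMPLE_LOG):
        print(burst)
```

A burst of identical requests that all return quickly and still end in a 499 points at the client giving up on the response rather than at a slow backend, which is worth checking before tuning timeouts.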

Nginx cannot proxy to Apache over the h2 protocol:

    Protocols h2 http/1.1

Removing this line solved the problem, but I still don't understand why it only happened on iOS 10 devices.