我正在configuration将用作反向代理的新的Nginx服务器。 我们有一个Apache和运行的Debian服务器。 在这个Apache服务器是HTTPS的唯一访问我想隐藏在代理后面的网站。
从代理到上游的连接Apache必须通过HTTPS(服务器位于不同的位置,而Apache只允许HTTPS访问)。
我的问题是从Nginx到Apache的连接失败。 通过HTTPS从浏览器到上游的正常连接没有问题。 从相同的代理连接到Nginx的上游工作。 当Nginx尝试连接上游Apache连接失败, 重新协商握手失败
从代理Nginx的日志(debugging级别)只说:
2016/04/07 15:51:08 [error] 5855#0: *1 upstream prematurely closed connection while reading response header from upstream, client: 94.113.97.9, server: procrastination.com, request: "GET / HTTP/1.1", upstream: "https://77.240.191.234:443/", host: "procrastination.com" 从Apache上游logging:
[Thu Apr 07 15:36:48 2016] [info] Initial (No.1) HTTPS request received for child 35 (server procrastination.com:443) [Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(421): [client 83.167.254.21] Reconfigured cipher suite will force renegotiation [Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Requesting connection re-negotiation [Thu Apr 07 15:36:48 2016] [debug] ssl_engine_kernel.c(764): [client 83.167.254.21] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation) [Thu Apr 07 15:36:48 2016] [info] [client 83.167.254.21] Awaiting re-negotiation handshake [Thu Apr 07 15:36:58 2016] [error] [client 83.167.254.21] Re-negotiation handshake failed: Not accepted by client!?
代理服务器上的我的Nginx站点configuration:
server { listen 80; listen 443 ssl; server_name procrastination.com *.procrastination.com; ### # SSL ### ssl on; ssl_certificate /etc/ssl/localcerts/procrastination.com/fullchain.pem; ssl_certificate_key /etc/ssl/localcerts/procrastination.com/privkey.pem; ## # Logging Settings ## access_log /var/log/nginx/procrastination_proxy-access.log; error_log /var/log/nginx/procrastination_proxy-error.log debug; include /etc/nginx/snippets/common; include /etc/nginx/snippets/proxy_params; location / { proxy_pass https://brigita_https; proxy_ssl_name $host; } }
代理上nginx.conf的SSL相关部分:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;
上游的Apache站点configuration:
<VirtualHost 77.240.191.234:80> ServerName procrastination.com ServerAlias *.procrastination.com DocumentRoot /var/www/procrastination-production/build/current/www php_value newrelic.appname /var/www/procrastination-production/build/current/www RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L] </VirtualHost> <VirtualHost 77.240.191.234:443> ServerName procrastination.com ServerAlias *.procrastination.com DocumentRoot /var/www/procrastination-production/build/current/www php_value newrelic.appname /var/www/procrastination-production/build/current/www SSLEngine On SSLCertificateFile /etc/apache2/ssl/ssl_procrastination_com.crt SSLCertificateKeyFile /etc/apache2/ssl/ssl_procrastination_com.key RewriteCond %{HTTP_HOST} !^www\..*$ RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L] </VirtualHost>
其他的Apacheconfiguration值是默认的。
任何想法可能是什么原因或在哪里寻找更多的诊断数据?
解决了!
问题出在Apache上游的SNI上。 Nginx没有传递正确的参数,Apache给他发了错误的证书。
您需要在Nginxconfiguration中设置proxy_ssl_server_name on 。
只是改变:
location / { proxy_pass https://brigita_https; proxy_ssl_name $host; }
至:
location / { proxy_pass https://brigita_https; proxy_ssl_name $host; proxy_ssl_server_name on; }