Environment:
CentOS 6.5
nginx: 1.10
openssl: 1.0.1e-15

Test case 1:
The browser requests an HTTPS URL: https://test.xx.com/demo
nginx has the certificate configured and proxies to a backend URL over a non-secure protocol, e.g. http://xx.xx.com/xx
server {
    listen 443;
    server_name test.xxxx.com;
    ssl on;
    ssl_certificate /etc/nginx/key_file/xxxx.crt;
    ssl_certificate_key /etc/nginx/key_file/xxxx.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/test.access.log;
    error_log /var/log/nginx/test.error.log;
    index index.html index.htm index.php index.jsp;
    location /demo {
        proxy_pass http://x.x.x.x/demo;
        proxy_redirect off;
        client_max_body_size 8m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 60s;
    }
}
The frontend requests https://test.xx.com/demo
In this mode an ordinary backend server serves its pages normally (data forwarding and the like), but when debugging pages with many stylesheets, errors loading the related styles appear.

Test case 2:
The browser requests an HTTPS URL: https://test.xx.com/demo
nginx has the certificate configured and proxies to a backend URL over a secure protocol, e.g. https://xx.xx.com/xx
server {
    listen 443;
    server_name test.xxxx.com;
    ssl on;
    ssl_certificate /etc/nginx/key_file/xxxx.crt;
    ssl_certificate_key /etc/nginx/key_file/xxxx.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/test.access.log;
    error_log /var/log/nginx/test.error.log;
    index index.html index.htm index.php index.jsp;
    location /demo {
        proxy_pass https://x.x.x.x/demo;
        proxy_redirect off;
        client_max_body_size 8m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 60s;
    }
}
This mode puts a heavier load on the backend.
At this point the backend server https://172.10.18.34:8443/mpweb is reachable directly without problems,
but the frontend request to https://test.xxxx.com/demo returns a 502 error. Checking the logs,
the following error appears during the SSL handshake between the proxy and the backend server:

[error] 7957#7957: *720292 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: x.x.x.x, server: test.huiepay.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://172.10.18.34:8443/favicon.ico", host: "test.xxxx.com", referrer: "https://test.xxxx.com/mpweb"

Test case 1 showed that the backend server itself is not the problem, so this is still a proxy-side error.
The error text "elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group" tells us the cause: the OpenSSL version on the proxy does not know the elliptic curve the backend selected for the key exchange.
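The error line above can be triaged automatically. The following added example (not part of the original post) parses nginx error_log entries for failed upstream handshakes, decodes the packed OpenSSL 1.0.x error codes into library/function/reason numbers, and flags the EC "unknown group" case; the sample log lines are constructed from the post's error, and the constants come from the OpenSSL 1.0.x headers.

```python
import re
# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_EC = 16           # err.h: elliptic curve library
EC_R_UNKNOWN_GROUP = 129  # ec.h: the curve the peer chose is unknown to this build

HANDSHAKE_RE = re.compile(
    r'SSL_do_handshake\(\) failed \(SSL: (?P<errs>.*?)\) while SSL handshaking '
    r'to upstream.*?upstream: "(?P<upstream>[^"]+)"')
# One OpenSSL entry: error:<8 hex digits>:<library>:<function>:<reason>
ERR_RE = re.compile(r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):'
                    r'(?P<reason>.+?)(?= error:|$)')

def decode_code(code_hex):
    # Split a packed OpenSSL error code into (lib, func, reason) numbers.
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def parse_handshake_failure(line):
    """Return (upstream URL, [(code, lib, func, reason), ...]) or None."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    return m.group("upstream"), [e.groups() for e in ERR_RE.finditer(m.group("errs"))]

def is_unknown_ec_group(errors):
    """True if any entry decodes to ERR_LIB_EC / EC_R_UNKNOWN_GROUP."""
    return any(lib == ERR_LIB_EC and reason == EC_R_UNKNOWN_GROUP
               for lib, _func, reason in (decode_code(e[0]) for e in errors))

def triage(log_lines):
    """Per upstream host:port: handshake failures and how many are the unknown-group case."""
    report = {}
    for line in log_lines:
        parsed = parse_handshake_failure(line)
        if parsed is None:
            continue
        host = re.sub(r'^https?://([^/]+).*$', r'\1', parsed[0])
        entry = report.setdefault(host, {"failures": 0, "unknown_ec_group": 0})
        entry["failures"] += 1
        entry["unknown_ec_group"] += is_unknown_ec_group(parsed[1])
    return report

# Constructed sample log: the post's error line plus a different handshake failure.
SAMPLE_LOG = [
    '[error] 7957#7957: *720292 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:'
    'EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) '
    'while SSL handshaking to upstream, client: x.x.x.x, upstream: "https://172.10.18.34:8443/favicon.ico"',
    '[error] 7957#7957: *720300 SSL_do_handshake() failed (SSL: error:14090086:SSL routines:'
    'SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) while SSL handshaking to upstream, '
    'upstream: "https://172.10.18.34:8443/demo"',
]
```

A non-zero unknown_ec_group count for an upstream points at the proxy's OpenSSL build rather than at the backend, which is exactly the situation the post describes.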
After upgrading OpenSSL, access works normally.

Summary: when nginx proxies over SSL there are two modes:
1. Proxying a non-SSL backend URL.
2. Proxying an SSL backend URL. With this approach pay close attention to the OpenSSL version on the proxy; the error log explains the failure in detail. Upgrade to the latest OpenSSL version and try again.
This article is from the blog "欢迎光临wenchy博客"; please keep this attribution: http://wenchylinux.blog.51cto.com/1340633/1967624