如何找出Nginx用作http/2负载平衡器时为何返回400? [英] How to find out why Nginx return 400 while use it as http/2 load balancer?

问题描述

我自己实现了一个http/2代理，并且使用Nginx作为负载均衡器.

I'm implementing a http/2 proxy myself, and I'm using Nginx as load balancer.

当我将Nginx用作h2c负载均衡器时，它会起作用:

When I use Nginx as h2c load balancer, it works:

server {
    listen 8443 http2;

    location / {
        error_log /Users/jiajun/nginx_error_log.log debug;
        grpc_pass grpc://127.0.0.1:2017;
    }
}

运行它:

$ go run example/grpc_client/main.go
calling to 127.0.0.1:2019
2019/01/28 11:50:46 gonna call c.SayHello...
2019/01/28 11:50:46 Greeting: Hello world

Nginx访问日志为:

And Nginx access log is:

127.0.0.1 - - [28/Jan/2019:11:50:46 +0800] "POST /helloworld.Greeter/SayHello HTTP/2.0" 200 18 "-" "grpc-go/1.16.0" "-"

---

但是当我在SSL下提供它时，它不起作用:

---

But it does not work while I'm serving it under SSL:

server {
    listen 8443 ssl http2;
    ssl_certificate     /Users/jiajun/127.0.0.1.crt;
    ssl_certificate_key /Users/jiajun/127.0.0.1.key;

    location / {
        error_log /Users/jiajun/nginx_error_log.log debug;
        grpc_pass grpc://127.0.0.1:2017;
    }
}

运行它:

$ go run example/grpc_client/main.go
calling to 127.0.0.1:2019
2019/01/28 11:53:06 gonna call c.SayHello...
2019/01/28 11:53:06 could not greet: rpc error: code = Unavailable desc = transport is closing
exit status 1

而且，Nginx访问日志是:

And, Nginx access log is:

127.0.0.1 - - [28/Jan/2019:11:53:06 +0800] "PRI * HTTP/2.0" 400 157 "-" "-" "-"

---

所以我试图找出为什么在我使用SSL时它返回400的原因.但是，即使我已将日志级别设置为调试(并且已使用-with-debug 选项进行编译)，Nginx仍不会在错误日志中记录该过程.

---

So I'm trying to find out why it return a 400 while I'm using SSL. But Nginx does not record the process in error log even I've set log level to debug(and it had compiled with --with-debug option).

是否有调试的好主意?

推荐答案

当go客户端发送连接序言消息("PRI * HTTP/2.0"时，Nginx认为它不是在讲HTTP/2))，Nginx认为这是真实的消息.

Looks like Nginx doesn’t think it’s talking HTTP/2 as the go client is sending the connection preface message ("PRI * HTTP/2.0") which Nginx thinks is a real message.

可能的问题是Nginx没有在SSL/TLS握手中说明它通过ALPN(或更旧的NPN)支持HTTP/2.Nginx使用哪个版本的OpenSSL(或等效版本)?运行 nginx -V 进行查看.理想情况下，您希望1.0.2或更高版本支持ALPN.

The likely issue is that Nginx has not stated in the SSL/TLS handshake that it supports HTTP/2 via ALPN (or the older NPN). Which version of OpenSSL (or equivalent) was Nginx built with? Run nginx -V to see this. Ideally you want 1.0.2 or above to support ALPN.

还要检查您的SSL/TLS密码是否未使用禁止使用的一种密码HTTP/2 .如下所示的配置(由Mozilla SSL配置生成器生成的 )应确保首选正确的密码:

Also check that your SSL/TLS cipher is not using one of the ciphers forbidden for HTTP/2. Config like below (generated by the Mozilla SSL config generator) should ensure the right ciphers are preferred:

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

这篇关于如何找出Nginx用作http/2负载平衡器时为何返回400?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！