Nginx - Upstream SSL - peer closed connection in SSL handshake
I am getting this error:
Error frontend: 502 Bad gateway
99.110.244:443
2017/09/28 13:03:51 [error] 34080#34080: *1062 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 10.210.0.81, server: webshop.domain.be, request: "GET / HTTP/1.1", upstream: "https://10.1.10.61:443/", host: "webshop.domain.be"
Config:
    # Zone for connection logging
    limit_conn_zone $binary_remote_addr zone=izSSL_webshop-api_CZ:10m;
    # Zone for rate logging
    # High rate limit. x r/s is sometimes a bit fast
    # 10 MB (10m) will give us enough space to store a history of 160k requests.
    limit_req_zone $binary_remote_addr zone=izSSL_webshop-api_RZ:10m rate=20r/s;
    upstream webshop_domain_be {
        server webshop.domain.be:443;
    }
    server {
        listen 443 ssl;
        server_name webshop.domain.be webshop;
        client_max_body_size 80M;
        ssl_session_cache shared:webshopSSL:1m;
        ssl_session_timeout 10m;
        ssl_certificate /var/www/certs/webshop.domain.be/webshop.domain.be-chain.pem;
        ssl_certificate_key /var/www/certs/webshop.domain.be/webshop.domain.be-key.pem;
        ssl_verify_client off;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_ssl_session_reuse off;
            proxy_pass $scheme://webshop_domain_be;
        }
    }
nginx version: nginx/1.10.3 (Ubuntu)
Other server (10.1.10.61) is an IIS Server with the same certificate as I'm using in this proxy (correct?). It's not an IIS problem; and the proxy server can reach 10.1.10.61 / port 443
Config based on https://serverfault.com/questions/583374/configure-nginx-as-reverse-proxy-with-upstream-ssl
I am using Let's Encrypt certificates.
Adding this line after the proxy_pass worked for me.
proxy_ssl_server_name on;
Before that I did this from here
In REDHAT 7 / CentOS 7 / Oracle Linux 7: Install the certificate in your environment.
- Download Active PEM certificate from: https://letsencrypt.org/certificates/ in /etc/pki/ca-trust/source/anchors
- Execute: sudo update-ca-trust
Not sure if those last 2 steps are needed, but doing both worked for me.
Cheers,
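The fix from the answer placed in the question's `location /` block, as an added example that is not the poster's or the answerer's own configuration. The `proxy_ssl_name`, `proxy_ssl_verify*` and `proxy_ssl_trusted_certificate` lines and the CA bundle path are assumptions that go beyond the page; they show where the SNI name comes from when `proxy_pass` points at an upstream group, and how the trust store updated by `update-ca-trust` is actually consulted by nginx.

```nginx
# Before (as posted in the question): no SNI is sent to the upstream, so a
# backend that selects its certificate or site by SNI can reset the handshake.
#
# location / {
#     proxy_ssl_session_reuse off;
#     proxy_pass $scheme://webshop_domain_be;
# }

# After:
location / {
    proxy_ssl_session_reuse off;
    proxy_pass $scheme://webshop_domain_be;

    # Send the server name (SNI) in the TLS ClientHello to the upstream.
    # This is off by default.
    proxy_ssl_server_name on;

    # proxy_ssl_name defaults to $proxy_host, which here is the upstream
    # group name "webshop_domain_be", not a name on the certificate.
    # Set the real host name so SNI (and verification below) use it.
    proxy_ssl_name webshop.domain.be;

    # nginx does not verify the upstream certificate unless told to, and it
    # only uses a CA bundle that is named explicitly.
    proxy_ssl_verify on;
    # Allow leaf -> intermediate -> root (the default depth is 1).
    proxy_ssl_verify_depth 2;
    # Assumed path: the bundle maintained by update-ca-trust on
    # RHEL/CentOS/Oracle Linux 7. On Ubuntu the equivalent bundle is
    # /etc/ssl/certs/ca-certificates.crt.
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
}
```

Check the result with `nginx -t` before reloading; with verification on, a name or chain mismatch shows up in the error log as an upstream certificate verify error instead of a silent pass.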