NGINX caching proxy fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Problem description
NGINX acting as a caching proxy encounters problems when fetching content from a CloudFront server over HTTPS:
This is an extract from the NGINX error log:
2014/08/14 16:08:26 [error] 27534#0: *11560993 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 82.33.49.135, server: localhost, request: "GET /static/images/media-logos/best.png HTTP/1.1", upstream: "https://x.x.x.x:443/static/images/media-logos/best.png",
I tried different proxy settings like proxy_ssl_protocols and proxy_ssl_ciphers, but no combination worked.
Any ideas?
Recommended answer
I had exactly the same problem and spent a couple of hours... I guess you are using an older version of nginx (lower than 1.7)? In nginx 1.7 you can use this directive:
proxy_ssl_server_name on;
This will force nginx to use SNI. Also, you should set the SSL protocols:
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
For earlier versions you may be able to use this patch (but I can't verify that it is working):
http://trac.nginx.org/nginx/ticket/229
2019 Update: You should avoid TLSv1 and TLSv1.1 and disable them if possible. I'll leave them in the answer as they are still valid for SNI.