环境:
centos6.5
nginx:1.10
openssl:1.0.1e-15
测试样例一:
web访问 https协议的URL https://test.xx.com/demo
nginx 开启证书配置,代理后端非安全协议的url,例如:http://xx.xx.com/xx
server {
listen 443;
server_name test.xxxx.com;
ssl on;
ssl_certificate /etc/nginx/key_file/xxxx.crt;
ssl_certificate_key /etc/nginx/key_file/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/test.access.log;
error_log /var/log/nginx/test.error.log;
index index.html index.htm index.php index.jsp;
location /demo{
proxy_pass http://x.x.x.x/demo;
proxy_redirect off;
client_max_body_size 8m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 60s;
}
}
前端访问 https://test.xx.com/demo
这种模式在普通的后端server可以正常访问页面(数据转发之类的),但在负责多样式的页面调试会出现相关样式调用错误。
测试样例二:
web访问 https协议的URL https://test.xx.com/demo
nginx 开启证书配置,代理后端安全协议的url,例如:https://xx.xx.com/xx
server {
listen 443;
server_name test.xxxx.com;
ssl on;
ssl_certificate /etc/nginx/key_file/xxxx.crt;
ssl_certificate_key /etc/nginx/key_file/xxxx.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/test.access.log;
error_log /var/log/nginx/test.error.log;
index index.html index.htm index.php index.jsp;
location /demo{
proxy_pass https://x.x.x.x/demo;
proxy_redirect off;
client_max_body_size 8m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 60s;
}
}
这种模式比较消耗后端性能。
此时:后端server https://172.10.18.34:8443/mpweb访问正常,
前端访问 https://test.xxxx.com/demo报502 错误,查访问日志
在代理与后端server之间的ssl协议会话的时候,出现一下错误:
[error] 7957#7957: *720292 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: 
x.x.x.x, server: test.huiepay.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://172.10.18.34:8443/favicon.ico", host: "test.xxxx.com", referrer: "https://test.xxxx.com/mpweb"
通过测试样例一可以得出,排除后端server问题,依然是代理错误。
通过elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group”根据这个报错信息判断是的 可以判断出: openssl什么版本
升级openssl以后
访问正常
总结:nginx代理ssl时候,有两种模式:
1、代理后端非ssl url
2、代理后端ssl url,此种方法一定注意openssl的版本,日志会有详细的说明,升级到最新的openssl版本再试。
本文出自 “欢迎光临wenchy博客” 博客,请务必保留此出处http://wenchylinux.blog.51cto.com/1340633/1967624
原文地址:http://wenchylinux.blog.51cto.com/1340633/1967624
