Nodejs 服务器的 Nginx 反向代理 SSL_ERROR_RX_RECORD_TOO_LONG
Posted
技术标签:
【中文标题】Nodejs 服务器的 Nginx 反向代理 SSL_ERROR_RX_RECORD_TOO_LONG【英文标题】:Nginx reverse proxy for Nodejs server SSL_ERROR_RX_RECORD_TOO_LONG 【发布时间】:2020-06-29 10:40:13 【问题描述】:我正在使用 AWS Beanstalk 配置一个多容器 docker 环境,以将我的 php Docker 应用程序与我的 NodeJS 服务器并行提供服务,并在端口 3000 上运行。
我有一个正在运行的 Express 服务器,正在侦听 端口 3000。我现在希望能够通过https://nodejs.my-domain.com:3000 调用我的NodeJS 服务器。 nginx 现在应该终止 SSL 连接并将所有流量转发到我的 NodeJS Express 服务器。
到目前为止,无论是否使用 https,我都可以成功访问我的 PHP 应用程序。我还可以通过http://nodejs.my-domain.com:3000 访问没有 SSL 的 NodeJS 应用程序。但是一旦我用 https 调用它,我就会收到 Broser 错误 SSL_ERROR_RX_RECORD_TOO_LONG。
Nginx 配置文件如下所示:
log_format healthd '$msec"$uri"'
'$status"$request_time"$upstream_response_time"'
'$http_x_forwarded_for';
upstream nodejs
server 127.0.0.1:3000;
keepalive 256;
server
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name nodejs.my-domain.com
ssl_certificate /etc/nginx/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
if ($time_iso8601 ~ "^(\d4)-(\d2)-(\d2)T(\d2)")
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
location /
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://nodejs;
proxy_redirect off;
server
listen 80;
listen [::]:80;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name localhost my-domain.com;
root /var/www/public;
ssl_certificate /etc/nginx/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
if ($time_iso8601 ~ "^(\d4)-(\d2)-(\d2)T(\d2)")
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
access_log /var/log/nginx/access.log main;
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
index index.php index.html index.htm;
if ($ssl_protocol = "")
rewrite ^ https://$host$request_uri? permanent;
location /
try_files $uri $uri/ /index.php?$args;
location ~ [^/]\.php(/|$)
try_files $uri =404;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_pass php:9000;
fastcgi_index index.php;
我不确定我需要注意哪些日志。以下是各种日志文件的一些输出:
我的access.log 看起来像这样:
XX.X.XXX.X - - [18/Mar/2020:12:12:12 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-"
XXX.XX.XX.XX - - [18/Mar/2020:12:27:09 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 zgrab/0.x" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:16 +0000] "GET http://example.com/ HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:17 +0000] "GET http://XXX.XXX.XXX.XXX/ HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:17 +0000] "GET http://[::XXXX:XXXXX:XXXXX]/ HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:17 +0000] "GET http://XXX.XXX.XXX.XXX/latest/dynamic/instance-identity/document HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:18 +0000] "GET http://[::XXXX:XXXXX:XXXXX]/latest/dynamic/instance-identity/document HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:18 +0000] "GET / HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:18 +0000] "GET / HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:19 +0000] "GET / HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:19 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:19 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 502 157 "-" "AWS Security Scanner" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:20 +0000] "CONNECT X.XXX.XXX.XXX:80 HTTP/1.0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:20 +0000] "CONNECT X.XXX.XXX.XXX:80 HTTP/1.0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:20 +0000] "CONNECT X.XXX.XXX.XXX:80 HTTP/1.0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:21 +0000] "CONNECT X.XXX.XXX.XXX:80 HTTP/1.0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:21 +0000] "CONNECT X.XXX.XXX.XXX:80 HTTP/1.0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:21 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\x11\xB9\xBB\xFD\xF6a\xD4\xAFQ\x1F\xC0\x99j\xFA#\xBCX\xF9A'\xC9\x00\xF9\x98K0\x88\xBA\xEA\xC0\x09\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:22 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\xD7\xED\xA5|\xF8u\xCA\x1C\xD17r\x8B1\xD5\x8F\xD07\x9C\xD7Y\x06h" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:22 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x033':\xC6\xE6\x90\xA8M" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:22 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03" 400 157 "-" "-" "-"
XX.XXX.XX.XXX - - [18/Mar/2020:12:54:23 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\xCB=\xFAi\xFA\x8F\x08\x1E\x98\xCEc\x19\x18\xDD\xA0\xAE\xC4\x18E\xFD\xC2z\xC3\x97\xB5\x97\xFEW\xC0\xA6~\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
在我的error.log 中,我发现了以下内容:
2020/03/18 11:01:40 [warn] 1#1: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certs/nginx-selfsigned.crt"
2020/03/18 11:01:40 [warn] 1#1: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certs/nginx-selfsigned.crt"
2020/03/18 11:14:44 [warn] 1#1: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certs/nginx-selfsigned.crt"
2020/03/18 11:14:44 [warn] 1#1: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certs/nginx-selfsigned.crt"
我的 healthd 登录配置似乎也有问题。我的healthd/deamon.log中有很多这样的条目:
# Logfile created on 2020-03-17 20:33:13 +0000 by logger.rb/47272
A, [2020-03-17T20:33:14.155980 #2972] ANY -- : healthd daemon 1.0.3 initialized
W, [2020-03-17T20:33:14.249690 #2972] WARN -- : log file "/var/log/nginx/healthd/application.log.2020-03-17-20" does not exist
W, [2020-03-17T20:33:14.249690 #2972] WARN -- : log file "/var/log/nginx/healthd/application.log.2020-03-17-20" does not exist
[...]
A, [2020-03-17T20:34:03.782734 #4025] ANY -- : healthd daemon 1.0.3 initialized
W, [2020-03-17T20:34:03.858118 #4025] WARN -- : log file "/var/log/containers/nginx-proxy/healthd/application.log.2020-03-17-20" does not exist
W, [2020-03-17T20:34:03.858118 #4025] WARN -- : log file "/var/log/containers/nginx-proxy/healthd/application.log.2020-03-17-20" does not exist
[...]
【问题讨论】:
这些请求的 nginx 日志中有什么内容? 我在上面添加了一些关于我的日志输出的信息。 【参考方案1】:我找到了解决问题的方法。我错过了两件事:
-
我正在使用 Nginx 和 Nodejs 都在自己的容器中运行的多容器 docker 环境。为了让 Nginx 能够访问我的 Nodejs 服务器,我必须在 Nginx 和 Nodejs 之间创建一个链接。但是在我的配置文件中,我在 Nodejs 部分而不是 Nginx 部分中配置了链接。我现在将
"links": ["node"] 添加到我的 Dockerrun.aws.conf 中的 Nginx 部分,现在看起来像这样:
"AWSEBDockerrunVersion": 2,
"containerDefinitions": [
"name": "nginx-proxy",
"image": "MY_NGINX_IMAGE_ON_PRIVATE_REGISTRY",
"portMappings": [
"containerPort": 80,
"hostPort": 80
,
"containerPort": 443,
"hostPort": 443
],
"links": ["node"]
[...]
,
"name": "node",
"image": "MY_NODEJS_IMAGE_ON_PRIVATE_REGISTRY",
"portMappings": [
"containerPort": 3000,
"hostPort": 3000
]
[...]
]
[...]
-
除了将我的 Nginx 配置中的上游设置为
127.0.0.1:3000 之外,我还必须对我的 Nodejs docker 容器进行上游处理,我将其命名为 node:server node:3000。所以我的 /var/nginx/conf.d/default.conf 现在看起来像这样:
[...]
upstream nodejs
server node:3000;
keepalive 256;
server
listen 443 ssl;
server_name websockets.my-domain.com;
ssl_certificate /etc/letsencrypt/live/websockets.my-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/websockets.my-domain.com/privkey.pem;
[...]
location /
proxy_http_version 1.1;
proxy_set_header Upgrade $DOLLARhttp_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $DOLLARremote_addr;
proxy_set_header X-Forwarded-For $DOLLARproxy_add_x_forwarded_for;
proxy_set_header Host $DOLLARhttp_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://nodejs;
proxy_redirect off;
[...]
【讨论】:
【参考方案2】:请尝试将 TLS1.2 添加到支持的 TLS 协议列表中。
ssl_protocols TLSv1.2 TLSv1.3;
您可以使用 openssl cli 查看支持的 TLS 版本。
openssl s_client -connect my-domain.com:443 -tls1_2
如果您获得证书链和握手,则支持 TLS 版本。
我在我的 CentOS7 虚拟机上用一个简单的 nodejs 应用测试了你的配置:
upstream nodejs
server localhost:3000;
keepalive 256;
server
listen 443 http2 ssl default_server;
listen [::]:443 http2 ssl;
listen 80;
listen [::]:80;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES1$
ssl_prefer_server_ciphers off;
location /
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://nodejs;
curl -ivk https://localhost:443的输出
* About to connect() to localhost port 443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: O=Default Company Ltd,L=Default City,C=XX
* start date: Mar 02 08:28:49 2020 GMT
* expire date: Mar 02 08:28:49 2021 GMT
* common name: (nil)
* issuer: O=Default Company Ltd,L=Default City,C=XX
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.17.6
Server: nginx/1.17.6
< Date: Mon, 02 Mar 2020 08:55:02 GMT
Date: Mon, 02 Mar 2020 08:55:02 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 4
Content-Length: 4
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< ETag: W/"4-5f2c/g6AOREdVLWI53srsMrUHDo"
ETag: W/"4-5f2c/g6AOREdVLWI53srsMrUHDo"
<
* Connection #0 to host localhost left intact
done
没有问题。我建议在调试模式下启动 nginx 以查看更详细的日志。
systemctl stop nginx.service && systemctl start nginx-debug.service
请注意:调试级别会创建巨大的日志文件。确保不要使用它的时间过长。
将此添加到您的配置中。
error_log /var/log/nginx/debug.log debug;
您使用的是哪个版本的 NGINX?
【讨论】:
同样的结果。在早期版本中,我还启用了ssl_protocols TLSv1 TLSv1.1 TLSv1.2。有同样的错误。您的命令的输出是:CONNECTED(00000003) depth=0 C = DE, ST = City, O = My Company, CN = my-domain.com verify error:num=18:self signed certificate verify return:1 depth=0 C = DE, ST = City, O = My Company, CN = my-domain.com verify return:1
只是为了澄清:由于您的 NGINX 配置,您的代理服务器正在侦听端口 80 和 443。而不是 3000。这意味着如果您想通过代理访问您的 NodeJS 应用程序,您的地址类似于my-domain.com。端口 3000 是您的 NodeJS 应用程序。抱歉 - 在我的第一篇文章中错过了。你可以试试:curl -Iv my-domain.com。输出是什么?
好的,我做了curl -Iv https://my-domain.com:3000,它返回了curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol。
* Rebuilt URL to: https://my-domain.com:3000/ * Trying X.XXX.XXX.XXX... * TCP_NODELAY set * Connected to my-domain.com (X.XXX.XXX.XXX) port 3000 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol * Closing connection 0
不使用端口 3000。端口 3000(据我所知)是没有 NGINX 代理的 NodeJS 应用程序。你能 curl my-domain.com:443 并分享结果吗?以上是关于Nodejs 服务器的 Nginx 反向代理 SSL_ERROR_RX_RECORD_TOO_LONG的主要内容,如果未能解决你的问题,请参考以下文章
带有反向代理 Nginx 服务器和 nodejs 的 CORS 将不起作用
Nodejs 服务器的 Nginx 反向代理 SSL_ERROR_RX_RECORD_TOO_LONG