nginx stream ssl_preread module can't read ssl_preread_server_name
I'm trying to set up nginx so that TLS connections are mapped to different backends based on the SNI server name. As far as I can tell, my client is sending the server name, but the preread module only reads a hyphen. Here is my nginx config:
stream {
map_hash_bucket_size 64;
############################################################
### logging
log_format log_stream '$remote_addr [$time_local] $protocol [$ssl_preread_server_name] [$ssl_preread_alpn_protocols] [$instanceport] '
'$status $bytes_sent $bytes_received $session_time';
error_log /usr/home/glance/Logs/pservernginx.error.log info;
access_log /usr/home/glance/Logs/pservernginx.access.log log_stream;
############################################################
### ssl configuration
ssl_certificate /usr/home/glance/GlanceReleases/star.myglance.org.pem;
ssl_certificate_key /usr/home/glance/GlanceReleases/star.myglance.org.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
limit_conn_zone $binary_remote_addr zone=ip_addr:10m;
########################################################################
### Raw TLS PServer Connections
### Listen for TLS on 5501 and forward to TCP sock 6500 (socket port)
### https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
map $ssl_preread_server_name $instanceport {
presence.myglance.org 6500;
presence-1.myglance.org 6501;
presence-2.myglance.org 6502;
default glance-no-upstream-instance-configured;
}
server {
listen 5501 ssl;
ssl_preread on;
proxy_connect_timeout 20s; # max time to connect to pserver
proxy_timeout 30s; # max time between successive reads or writes
proxy_pass 127.0.0.1:$instanceport;
}
}
Wireshark shows the server name header:
The nginx access log shows only hyphens for the preread variables:
108.49.96.66 [12/Apr/2019:11:50:58 +0000] TCP [-] [-] [glance-no-upstream-instance-configured] 500 0 0 0.066
I'm running nginx 1.14.2 on FreeBSD. How can I debug what is happening in the preread module?
=================== UPDATE ===============
Turned on debug logging. Maybe "ssl preread: not a handshake" is a clue
2019/04/12 14:49:50 [info] 61420#0: *9 client 108.49.96.66:54740 connected to 0.0.0.0:5501
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35000:256 @16
2019/04/12 14:49:50 [debug] 61419#0: accept on 0.0.0.0:5501, ready: 1
2019/04/12 14:49:50 [debug] 61419#0: accept() not ready (35: Resource temporarily unavailable)
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35600:256 @16
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 0
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 1
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 tcp_nodelay
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_do_handshake: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 kevent set event: 5: ft:-1 fl:0025
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer add: 5: 60000:29203481224
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL handshake handler: 0
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_do_handshake: 1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer del: 5: 29203481224
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801CFF000:16384
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35900:256 @16
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer add: 5: 30000:29203451252
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: 81
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread: not a handshake
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer del: 5: 29203451252
2019/04/12 14:49:50 [debug] 61420#0: *9 proxy connection handler
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801DF7000:400
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801CD9000:16384
2019/04/12 14:49:50 [debug] 61420#0: *9 stream map started
2019/04/12 14:49:50 [debug] 61420#0: *9 stream map: "" "glance-no-upstream-instance-configured"
====================== UPDATE 2 ======================
I used
openssl s_client -connect ... -servername ...
instead of my client. Now the preread module appears to block for 30 seconds waiting for data (error code 2 is "want read"):
I found the problem:
listen 5501 **ssl**;
ssl_preread on;
The ssl in the listen directive causes the nginx server to perform the SSL handshake. By the time the preread module is notified, the handshake bytes have already been consumed, which is consistent with the behaviour I saw. In my case I still want nginx to offload the encryption, so I created a set of nginx server directives that terminate the SSL connection before passing to the backend.
Here is the relevant part of my nginx config after the fix. Note that the last server directive (the one using ssl_preread) does not terminate the SSL connection
########################################################################
### TLS Connections
### Listen for TLS on 5501 and forward to TCP sock 6500 (socket port)
### https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
map $ssl_preread_server_name $instanceport {
presence.myglance.org 5502;
presence-1.myglance.org 5503;
presence-2.myglance.org 5504;
default glance-no-upstream-instance-configured;
}
server {
listen 5502 ssl;
ssl_preread off;
proxy_pass 127.0.0.1:6502;
}
server {
listen 5503 ssl;
ssl_preread off;
proxy_pass 127.0.0.1:6503;
}
server {
listen 5504 ssl;
ssl_preread off;
proxy_pass 127.0.0.1:6504;
}
server {
listen 5501;
ssl_preread on;
proxy_connect_timeout 20s; # max time to connect to pserver
proxy_timeout 30s; # max time between successive reads or writes
proxy_pass 127.0.0.1:$instanceport;
}
If you need ssl in the listen directive, you can simply use
$ssl_server_name
in the map block instead of $ssl_preread_server_name
I can't seem to edit my own question, but I turned on debug logging and can see that the server name is actually empty. Maybe "ssl preread: not a handshake" is a clue... 2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread: not a handshake ... 2019/04/12 14:49:50 [debug] 61420#0: *9 stream map started 2019/04/12 14:49:50 [debug] 61420#0: *9 stream map: "" "glance-no-upstream-instance-configured"
Hi, could you please post your config? I have exactly the same problem and I don't know how to do it. Thanks
Posted, sorry for the delay, hope it helps