Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/ssl/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
nginx流\u ssl\u预读模块无法读取ssl\u预读\u服务器\u名称_Ssl_Nginx Config_Sni - Fatal编程技术网
Fatal编程技术网
  • ssl/
  • nginx流\u ssl\u预读模块无法读取ssl\u预读\u服务器\u名称

nginx流\u ssl\u预读模块无法读取ssl\u预读\u服务器\u名称

ssl

nginx流\u ssl\u预读模块无法读取ssl\u预读\u服务器\u名称,ssl,nginx-config,sni,Ssl,Nginx Config,Sni,我正在尝试设置nginx,以便根据SNI服务器名称将TLS连接映射到不同的后端。据我所知,我的客户机正在发送服务器名称,但预读模块只读取一个连字符 这是我的nginx congif: stream { map_hash_bucket_size 64; ############################################################ ### logging log_format log_stream '$remote_ad

我正在尝试设置nginx,以便根据SNI服务器名称将TLS连接映射到不同的后端。据我所知,我的客户机正在发送服务器名称,但预读模块只读取一个连字符

这是我的nginx congif:

stream  {
    map_hash_bucket_size 64;

    ############################################################
    ### logging
    log_format log_stream '$remote_addr [$time_local] $protocol [$ssl_preread_server_name] [$ssl_preread_alpn_protocols] [$instanceport] '
        '$status $bytes_sent $bytes_received $session_time';

    error_log   /usr/home/glance/Logs/pservernginx.error.log info;
    access_log  /usr/home/glance/Logs/pservernginx.access.log log_stream;

    ############################################################
    ### ssl configuration

    ssl_certificate      /usr/home/glance/GlanceReleases/star.myglance.org.pem;
    ssl_certificate_key  /usr/home/glance/GlanceReleases/star.myglance.org.pem;

    ssl_protocols       TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5:!RC4;

    limit_conn_zone $binary_remote_addr zone=ip_addr:10m;

    ########################################################################
    ### Raw TLS PServer Connections
    ### Listen for TLS on 5501 and forward to TCP sock 6500 (socket port)

    ### https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
    map $ssl_preread_server_name $instanceport {
        presence.myglance.org      6500;
        presence-1.myglance.org    6501;
        presence-2.myglance.org    6502;
        default                    glance-no-upstream-instance-configured;
    }

    server {

        listen                  5501 ssl;
        ssl_preread             on;
        proxy_connect_timeout   20s;  # max time to connect to pserver
        proxy_timeout           30s;  # max time between successive reads or writes
        proxy_pass              127.0.0.1:$instanceport;
    }
}
wireshark显示服务器名称标头:

nginx访问日志仅显示预读变量的连字符:

108.49.96.66 [12/Apr/2019:11:50:58 +0000] TCP [-] [-] [glance-no-upstream-instance-configured] 500 0 0 0.066
我正在FreeBSD上运行nginx1.14.2。如何调试预读模块中发生的事情

===================更新=============== 打开调试日志记录。也许“”ssl预读:不是握手“是一个线索

2019/04/12 14:49:50 [info] 61420#0: *9 client 108.49.96.66:54740 connected to 0.0.0.0:5501
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35000:256 @16
2019/04/12 14:49:50 [debug] 61419#0: accept on 0.0.0.0:5501, ready: 1
2019/04/12 14:49:50 [debug] 61419#0: accept() not ready (35: Resource temporarily unavailable)
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35600:256 @16
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 0
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 1
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 tcp_nodelay
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_do_handshake: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 kevent set event: 5: ft:-1 fl:0025
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer add: 5: 60000:29203481224
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL handshake handler: 0
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_do_handshake: 1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer del: 5: 29203481224
2019/04/12 14:49:50 [debug] 61420#0: *9 generic phase: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801CFF000:16384
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 posix_memalign: 0000000801C35900:256 @16
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer add: 5: 30000:29203451252
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: 81
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_read: -1
2019/04/12 14:49:50 [debug] 61420#0: *9 SSL_get_error: 2
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread handler
2019/04/12 14:49:50 [debug] 61420#0: *9 ssl preread: not a handshake
2019/04/12 14:49:50 [debug] 61420#0: *9 event timer del: 5: 29203451252
2019/04/12 14:49:50 [debug] 61420#0: *9 proxy connection handler
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801DF7000:400
2019/04/12 14:49:50 [debug] 61420#0: *9 malloc: 0000000801CD9000:16384
2019/04/12 14:49:50 [debug] 61420#0: *9 stream map started
2019/04/12 14:49:50 [debug] 61420#0: *9 stream map: "" "glance-no-upstream-instance-configured"
======================更新2======================

我使用

openssl s_client -connect ... -servername ...
而不是我的客户。现在,预读模块似乎在等待数据30秒时被阻止(错误代码2为“想要读取”):

我发现了问题:

listen                  5501 **ssl**;
ssl_preread             on;
listen指令中的ssl导致nginx服务器进行ssl握手。当预读模块收到通知时,握手字节已经被消耗,这与我看到的行为一致。在我的情况下,我仍然希望nginx卸载加密。因此,我创建了一组nginx服务器指令,以在传递到后端之前终止ssl连接。 这是我的nginx配置在修复后的相关部分。请注意,最后一个服务器指令(使用ssl_preread的指令)不会终止ssl连接

########################################################################
### TLS Connections
### Listen for TLS on 5501 and forward to TCP sock 6500 (socket port)

### https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
map $ssl_preread_server_name $instanceport {
    presence.myglance.org      5502;
    presence-1.myglance.org    5503;
    presence-2.myglance.org    5504;
    default                    glance-no-upstream-instance-configured;
}

server {
    listen                 5502 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6502;
}

server {
    listen                 5503 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6503;
}

server {
    listen                 5504 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6504;
}

server {
    listen                  5501;
    ssl_preread             on;
    proxy_connect_timeout   20s;  # max time to connect to pserver
    proxy_timeout           30s;  # max time between successive reads or writes
    proxy_pass              127.0.0.1:$instanceport;
}
我发现了问题:

listen                  5501 **ssl**;
ssl_preread             on;
listen指令中的ssl导致nginx服务器进行ssl握手。当预读模块收到通知时,握手字节已经被消耗,这与我看到的行为一致。在我的情况下,我仍然希望nginx卸载加密。因此,我创建了一组nginx服务器指令,以在传递到后端之前终止ssl连接。 这是我的nginx配置在修复后的相关部分。请注意,最后一个服务器指令(使用ssl_preread的指令)不会终止ssl连接

########################################################################
### TLS Connections
### Listen for TLS on 5501 and forward to TCP sock 6500 (socket port)

### https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
map $ssl_preread_server_name $instanceport {
    presence.myglance.org      5502;
    presence-1.myglance.org    5503;
    presence-2.myglance.org    5504;
    default                    glance-no-upstream-instance-configured;
}

server {
    listen                 5502 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6502;
}

server {
    listen                 5503 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6503;
}

server {
    listen                 5504 ssl;
    ssl_preread            off;
    proxy_pass             127.0.0.1:6504;
}

server {
    listen                  5501;
    ssl_preread             on;
    proxy_connect_timeout   20s;  # max time to connect to pserver
    proxy_timeout           30s;  # max time between successive reads or writes
    proxy_pass              127.0.0.1:$instanceport;
}

如果您需要在listen指令中使用ssl,您只需在映射块中使用
$ssl\u server\u name
,而不是
$ssl\u preread\u server\u name

如果您需要在listen指令中使用ssl,只需在映射块中使用
$ssl\u server\u name
,而不是
$ssl\u preread\u server\u name

我似乎无法编辑自己的问题,但我打开了调试日志,可以看到服务器名称实际上是空的。也许“ssl预读:不是握手”是一个线索。。。2019/04/12 14:49:50[调试]61420#0:*9 ssl预读:不是握手。。。2019/04/12 14:49:50[debug]61420#0:*9流映射开始2019/04/12 14:49:50[debug]61420#0:*9流映射:““浏览未配置上游实例”我似乎无法编辑我自己的问题,但我打开了调试日志,可以看到服务器名称实际上是空的。也许“ssl预读:不是握手”是一个线索。。。2019/04/12 14:49:50[调试]61420#0:*9 ssl预读:不是握手。。。2019/04/12 14:49:50[调试]61420#0:*9流图开始2019/04/12 14:49:50[调试]61420#0:*9流图:““浏览未配置上游实例”您好,请发布您的配置好吗?我有完全相同的问题,我不知道怎么做。谢谢发帖-很抱歉耽搁了,希望对您有所帮助,您能发布您的配置吗?我有完全相同的问题,我不知道怎么做。谢谢已发布-抱歉延迟,希望能有所帮助