nginx reverse proxy: HTTP works, HTTPS returns 403

2020-10-12 15:11:27 +08:00
guanyujia5444
The reverse proxy forwards to a JSP site. Over HTTP it works fine; over HTTPS with the certificate it returns 403. The certificate itself is fine, and forwarding other pages over HTTPS works. The config file is below. Could someone advise whether any parameters need adjusting? Thanks!


#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    gzip on;

    # Three backend instances on the same host; ip_hash pins a client to one of them.
    upstream ncc {
        ip_hash;
        server 10.0.3.21:9081 weight=10;
        server 10.0.3.21:9082 weight=10;
        server 10.0.3.21:9083 weight=10;
        # Only used when the proxying location sets proxy_http_version 1.1 and
        # proxy_set_header Connection ""; neither server block below does.
        keepalive 300;
    }


    # Plain HTTP listener (this one works).
    server {
        listen 80;
        server_name localhost;
        index index.jsp;
        location / {
            allow all;
            index index.jsp index.html;
            proxy_pass http://ncc;
            # The client's own Host header is passed through to the backend.
            proxy_set_header Host $http_host;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 100m;
            client_body_buffer_size 256k;
            proxy_buffering off;
            proxy_connect_timeout 1;    # one second
            proxy_send_timeout 30;
            proxy_read_timeout 60;
            proxy_buffer_size 256k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
            proxy_temp_file_write_size 256k;
            proxy_max_temp_file_size 128m;
        }
    }

    # TLS listener (this one gets the 403).
    server {
        listen 443 ssl;
        # nginx answers plain HTTP on a TLS port with 400 (internal code 497);
        # the redirect that would catch that case is disabled.
        #error_page 497 301 =307 https://$host:443$request_uri;
        server_name localhost;
        ssl_certificate cert/piepchina.pem;
        ssl_certificate_key cert/piepchina.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLS 1.0 and 1.1 are deprecated
        ssl_prefer_server_ciphers on;
        location / {
            allow all;
            index index.jsp index.html;
            proxy_pass http://ncc;
            # No proxy_set_header Host here, so the backend receives nginx's
            # default, $proxy_host, i.e. "Host: ncc" instead of the client's Host.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Cookie $http_cookie;
            # WebSocket-style upgrade headers sent on every request, not only
            # when the client asked for an upgrade (no map on $http_upgrade).
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Forwarded as a constant, regardless of what the client sent.
            proxy_set_header Upgrade-Insecure-Requests 1;
        }
    }

}
6166 views
Node: NGINX
44 replies
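The two server blocks above do not hand the same request to the ncc upstream. As an added example, not code from the thread, here is a small parser for nginx's config syntax that reads a constructed excerpt of the posted config (only the directives that shape the upstream request are kept) and diffs the headers each "location /" sends, filling in the documented ngx_http_proxy_module defaults (Host: $proxy_host, Connection: close) where a block sets nothing. The X-Forwarded-Proto difference is cosmetic, since $scheme is "https" on the 443 listener; the other four are real.

```python
"""Which request headers does each nginx server block actually send upstream?

Added example (not from the thread): a minimal parser for nginx's config syntax
that reads the two server blocks posted above and diffs the headers their
"location /" hands to the ncc upstream, applying ngx_http_proxy_module defaults
for anything the block leaves unset.
"""
import re

# Constructed excerpt of the config posted in the thread; only the directives
# that affect the upstream request are kept.
NGINX_CONF = r"""
http {
    upstream ncc {
        ip_hash;
        server 10.0.3.21:9081 weight=10;
        keepalive 300;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_pass http://ncc;
            proxy_set_header Host $http_host;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    server {
        listen 443 ssl;
        #error_page 497 301 =307 https://$host:443$request_uri;
        server_name localhost;
        location / {
            proxy_pass http://ncc;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Upgrade-Insecure-Requests 1;
        }
    }
}
"""

# Documented defaults of proxy_set_header when a block does not override them.
PROXY_DEFAULTS = {"Host": "$proxy_host", "Connection": "close"}

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Split nginx config text into words, quoted strings, '{', '}' and ';'.
    Lines starting with '#' are comments (enough for this sample)."""
    tokens = []
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        tokens.extend(TOKEN.findall(line))
    return tokens


def parse(tokens):
    """Recursive-descent parse into (name, args, children) triples."""
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            j = i
            while tokens[j] not in ("{", ";"):
                j += 1
            name, args = tokens[i], [t.strip('"\'') for t in tokens[i + 1:j]]
            if tokens[j] == "{":
                children, j = block(j + 1)   # j ends on the matching '}'
            else:
                children = []
            items.append((name, args, children))
            i = j + 1
        return items, i
    return block(0)[0]


def upstream_headers(server):
    """(listen args, headers) that the server's 'location /' sends to its proxy_pass target."""
    listen = next(" ".join(a) for n, a, _ in server if n == "listen")
    headers = dict(PROXY_DEFAULTS)
    target = None
    for name, args, children in server:
        if name == "location" and args == ["/"]:
            for n, a, _ in children:
                if n == "proxy_pass":
                    target = a[0]
                elif n == "proxy_set_header":
                    headers[a[0]] = " ".join(a[1:])
    # $proxy_host resolves to the host part of the proxy_pass URL.
    if target and headers["Host"] == "$proxy_host":
        headers["Host"] = re.match(r"\w+://([^/]+)", target).group(1)
    return listen, headers


def diff_upstream_headers(conf_text):
    """(listen_a, listen_b, {header: (value_a, value_b)}) for the two servers."""
    http = next(c for n, _, c in parse(tokenize(conf_text)) if n == "http")
    (la, ha), (lb, hb) = [upstream_headers(c) for n, _, c in http if n == "server"]
    diffs = {k: (ha.get(k), hb.get(k)) for k in sorted(set(ha) | set(hb))
             if ha.get(k) != hb.get(k)}
    return la, lb, diffs


def report(conf_text):
    la, lb, diffs = diff_upstream_headers(conf_text)
    lines = [f"upstream request headers, listen {la} vs listen {lb}:"]
    for k, (a, b) in diffs.items():
        lines.append(f"  {k}: {a!r} -> {b!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NGINX_CONF))
```

The headers the report lists are the candidates to eliminate one at a time: add `proxy_set_header Host $http_host;` to the 443 block, or request 10.0.3.21:9081 directly with `Host: ncc` and then with the real hostname and compare the status codes. Which of them, if any, the backend objects to is not something the thread settles.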
guanyujia5444
2020-10-12 17:16:07 +08:00
When accessing it there are no related error log entries at all, so I believe the forwarding succeeded and the backend service refused the request.
Why HTTP works while HTTPS gets refused by the backend is the part I don't understand.

Also tried: reverse proxying with Apache, via either AJP or HTTP, works fine.
guanyujia5444
2020-10-12 17:18:49 +08:00
@xuanbg Which block does that go in? http {}?
xuanbg
2020-10-12 17:23:54 +08:00
@guanyujia5444

server {
    listen 443 ssl;
    server_name api.i-facture.com;

    ssl_certificate /opt/cert/api.i-facture.com.pem;
    ssl_certificate_key /opt/cert/api.i-facture.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ALL already admits RC4, LOW and EXPORT grade suites where the OpenSSL
    # build still has them; the '+' prefix only moves a group to the end of
    # the preference list, it does not remove it.
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    # Derive an on/off flag from the request scheme; the rest of the block,
    # where $ssl would be used, was omitted in the reply.
    set $ssl off;
    if ($scheme = https) {
        set $ssl on;
    }
    ……
}
guanyujia5444
2020-10-12 17:55:01 +08:00
@xuanbg Thanks, I'll give it a try
guanyujia5444
2020-10-12 17:59:00 +08:00
@xuanbg Still doesn't work
tuxz
2020-10-12 18:09:17 +08:00
Post the access log
guanyujia5444
2020-10-12 18:24:24 +08:00
https://hr.xxxx.com.cn:8888/
This is the HTTPS access log.
It looks fine to me.

192.168.100.210 - - [12/Oct/2020:17:10:35 +0800] "POST /nccloud/riart/login/init.do HTTP/1.1" 200 700 "http://192.168.100.225:81/nccloud/resources/uap/rbac/login/main/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:35 +0800] "GET /nccloud/resources/uap/public/img/picture.ico HTTP/1.1" 200 9662 "http://192.168.100.225:81/nccloud/resources/uap/rbac/login/main/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:36 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:37 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:39 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:10:39 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud HTTP/1.1" 302 5 "https://hr.xxxx.com.cn:8888/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud/ HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:58:20 +0800] "GET /favicon.ico HTTP/1.1" 400 657 "http://hr.xxxx.com.cn:8888/nccloud/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:58:33 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:17:58:35 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
192.168.100.210 - - [12/Oct/2020:18:06:18 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
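Two things can be read out of that log. As an added example (not part of the thread; the conclusions are heuristics to confirm against the backend's own logs, not a diagnosis), here is a parser for nginx's combined log format run over a constructed subset of the lines above (User-Agent shortened). It reports error responses with $body_bytes_sent of 0, which with proxy_intercept_errors off (the default) is what a relayed upstream error looks like, since an error nginx generates itself for a GET carries its default HTML page; and it pairs the 302 answered to an https referer with the follow-up requests whose referer is http://hr.xxxx.com.cn:8888/..., i.e. the redirect target dropped the scheme on the TLS port, which is exactly the plain-HTTP-on-SSL-port case the commented-out error_page 497 line in the posted config was meant to catch. Whether the backend honors X-Forwarded-Proto is an assumption to check, not something the thread establishes.

```python
"""Pull two signals out of the access log posted above.

Added example (not from the thread). Parses nginx's combined log format and
reports (a) error responses with an empty body and (b) a redirect issued to a
page loaded over https that is followed by requests referring to a plain-http
URL on the same host.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed subset of the lines posted in the thread; the User-Agent string
# is shortened, everything else is as logged.
LOG = """\
192.168.100.210 - - [12/Oct/2020:17:10:35 +0800] "POST /nccloud/riart/login/init.do HTTP/1.1" 200 700 "http://192.168.100.225:81/nccloud/resources/uap/rbac/login/main/index.html" "Mozilla/5.0"
192.168.100.210 - - [12/Oct/2020:17:10:36 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.168.100.210 - - [12/Oct/2020:17:10:37 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud HTTP/1.1" 302 5 "https://hr.xxxx.com.cn:8888/" "Mozilla/5.0"
192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud/ HTTP/1.1" 400 657 "-" "Mozilla/5.0"
192.168.100.210 - - [12/Oct/2020:17:58:20 +0800] "GET /favicon.ico HTTP/1.1" 400 657 "http://hr.xxxx.com.cn:8888/nccloud/" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Combined-format lines -> list of dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            row["bytes"] = int(row["bytes"])
            row["ts"] = datetime.strptime(row["time"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(row)
    return rows


def status_summary(rows):
    """How often each (status, path) pair occurs."""
    return Counter((r["status"], r["path"]) for r in rows)


def empty_body_errors(rows):
    """4xx/5xx answered with $body_bytes_sent == 0. With proxy_intercept_errors
    off (the default) nginx relays an upstream error response unchanged, while
    an error nginx generates itself for a GET carries its default HTML page, so
    an empty error body is consistent with the upstream, not nginx, producing it."""
    return [r for r in rows if r["status"] >= 400 and r["bytes"] == 0]


def scheme_downgrades(rows, window_s=5):
    """(redirected path, plain-http referer) pairs: a 3xx answered to a page the
    client loaded over https, followed within window_s seconds by a request
    from the same client whose Referer is an http:// URL on the same host.
    That is what a backend redirect which ignores X-Forwarded-Proto looks like
    from nginx's side; the plain-http follow-ups then reach the TLS listener
    and get nginx's 400 for plain HTTP on an SSL port."""
    hits = []
    for i, r in enumerate(rows):
        if not (300 <= r["status"] < 400 and r["referer"].startswith("https://")):
            continue
        host = urlsplit(r["referer"]).netloc
        for f in rows[i + 1:]:
            if f["ip"] != r["ip"] or (f["ts"] - r["ts"]).total_seconds() > window_s:
                continue
            ref = urlsplit(f["referer"])
            if ref.scheme == "http" and ref.netloc == host:
                hits.append((r["path"], f["referer"]))
    return hits


if __name__ == "__main__":
    rows = parse_log(LOG)
    for (status, path), n in sorted(status_summary(rows).items()):
        print(f"{status} {path}: {n}")
    for r in empty_body_errors(rows):
        print(f"empty-body {r['status']} on {r['path']} at {r['time']}")
    for path, ref in scheme_downgrades(rows):
        print(f"redirect of {path} led to plain-http referer {ref}")
```

Run against the full log rather than this subset, the same two functions tell you whether every 403 was empty-bodied (all relayed) and whether the scheme drop happens on every redirect the backend issues; the backend's own access log for 10.0.3.21:9081 should then show the matching 403 and the Host header it saw.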
dudu2017
2020-10-12 18:29:53 +08:00
Suggest turning on debug logging and looking at that:
error_log /path/to/log debug;
masker
2020-10-12 18:32:57 +08:00
Then look at the upstream's logs
yongliu
2020-10-12 19:22:21 +08:00
From the access log, the reverse-proxy side looks to have passed it through.
Look at why the backend returns 403.
tsanie
2020-10-12 19:35:46 +08:00
Off topic, but I'm curious: since you are already listening with listen 443 ssl; why not put http and https in the same server block (if the server_name is the same and the content served is the same)?
server {
    listen 80;
    listen 443 ssl;
    ...
}
xuanbg
2020-10-12 21:17:04 +08:00
@guanyujia5444 Is your certificate issued for localhost?
dany813
2020-10-13 09:36:06 +08:00
Did you solve it in the end?
guanyujia5444
2020-10-13 13:31:58 +08:00
@yongliu I also think it passed through; it should be a backend problem, but I don't know why the backend refuses. Is there anything that could conflict with nginx? Apache works fine.
guanyujia5444
2020-10-13 13:32:39 +08:00
@xuanbg It's issued for the domain name, and I'm accessing it via the domain name too. nginx should already have forwarded it, but the backend refused.
guanyujia5444
2020-10-13 13:33:06 +08:00
@dany813 Not solved; I'll keep debugging slowly.
guanyujia5444
2020-10-13 13:34:08 +08:00
@tsanie They could be in one block; keeping them separate is mainly for convenience while debugging, it makes troubleshooting easier.
guanyujia5444
2020-10-13 13:35:25 +08:00
Thanks everyone for the help. I'm now certain that nginx forwarded successfully but the backend refused the access with the certificate; the same reverse proxy in Apache works, which is the strange part.
yongliu
2020-10-13 14:49:01 +08:00
@guanyujia5444 #34 Does the backend not print any logs?
Acoffice
2020-10-14 10:54:55 +08:00
It could also be a problem with nginx itself; try a different nginx version.

https://tanronggui.xyz/t/714187

© 2021 V2EX