I use nginx as a NAT from IPv4 to IPv6, which means it proxies servers that already have SSL configured. This usually works, but it seems to have a problem when Caddy is the upstream. I see the following in the nginx log:
2019-09-29 00:01:22 [error] 231367#231367: *1098403 SSL_do_handshake() failed (SSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking to upstream, client: CLIENT_IP, server: DOMAIN, request: "GET / HTTP/2.0", upstream: "https://UPSTREAM_IPV6:443/", host: "DOMAIN"
And for Caddy:
2019-01-19 00:00:00 {"level":"debug","ts":1664404057.3207386,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"[NAT_IPV6]:40410","identifier":"UPSTREAM_IPV6","cipher_suites":[49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0007,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Sep 29 00:27:37 cat caddy[450]: {"level":"debug","ts":1664404057.3210196,"logger":"http.stdlib","msg":"http: TLS handshake error from [NAT_IPV6]:40410: no certificate available for 'UPSTREAM_IPV6'
nginx configuration:
server {
    listen 443;
    server_name DOMAIN;
    location / {
        proxy_pass_header Authorization;
        proxy_pass https://UPSTREAM_IPV6;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
    ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
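nginx version:
Caddy version: v2.5.2
It seems to me that either nginx is not forwarding the host correctly or Caddy is not recognizing it correctly, since it seems to be searching for a certificate for its own IP.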
1 answer
This was a gotcha for me:
The answer comes from here.
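The Caddy log in the question shows "server_name":"", meaning the ClientHello from nginx carried no SNI, so Caddy looked for a certificate for UPSTREAM_IPV6 instead of DOMAIN. The following location block is an added example, not taken from the original question or answer; it assumes Caddy serves DOMAIN with a publicly trusted certificate, and the CA bundle path is an assumption (the Debian/Ubuntu default).

```nginx
# Added example: upstream TLS settings for the location block in the question.
# DOMAIN and UPSTREAM_IPV6 are the question's placeholders.
location / {
    proxy_pass https://UPSTREAM_IPV6;

    # nginx does not send SNI on upstream TLS connections by default
    # (proxy_ssl_server_name is off), which is why Caddy logs an empty
    # server_name and falls back to its own address as the identifier.
    proxy_ssl_server_name on;

    # Name used for SNI and for checking the upstream certificate.
    # By default it is the host part of proxy_pass, which here is an
    # IP address rather than the site name Caddy holds a certificate for.
    proxy_ssl_name $host;

    # The question's config sets "proxy_ssl_verify off", which accepts any
    # certificate the upstream presents. With SNI in place the upstream can
    # present the certificate for DOMAIN, so verification can be turned on.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # Assumed path: system CA bundle on Debian/Ubuntu; adjust per distribution.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Host header for the HTTP request itself, unchanged from the question.
    proxy_set_header Host $host;
}
```

After reloading nginx, the Caddy debug log should show a non-empty server_name for connections arriving from NAT_IPV6.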