Note: the first part of this article is my account of troubleshooting curl requests that were reset on an nginx HTTPS connection. If you would rather skip it, jump straight to the end for a quick guide to locating nginx errors. Worth bookmarking!
After the site went live I added an HTTPS certificate. Access from a browser worked fine, but a request made with curl was reset, as shown in the screenshot above.
First I used curl on an http URL under the same domain name. It returned normally, so at least port 80 was reachable between the two ends.
Next I used curl on other https domain names hosted on the same server. Those also returned normally, so port 443 was reachable between the two ends as well.
Could it be the certificate? It had not expired, and looking up the certificate details on myssl.com showed nothing wrong.
I then suspected the cipher suite configuration. I added a more compatible set of cipher suites and tried again, still without success.
The compatibility cipher suite list, for reference:
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
Still stuck, I decided to capture packets on both ends with tcpdump and analyse them in Wireshark.
From the start of the request to the reset there were 16 packets in total. The handshake completed on both sides and data transfer began, but right after the first ACK of the data transfer the connection was reset. I could not make sense of it.
Was the client sending too much data for nginx's buffers?
I changed nginx's client-related settings as follows:
client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
client_body_buffer_size 20m;
keepalive_timeout 120;
Because the capture showed the connection never reached the fastcgi stage, I left the fastcgi buffer settings alone.
After the change the result was exactly the same, and I was starting to get nervous.
Although I knew this probably had little to do with the certificate, I decided to swap it anyway. The existing certificate was RSA, so I tried an ECC certificate instead (I recommend applying for an SSL certificate through Qiniu Cloud, which offers ECC certificates).
After the swap there was a new finding:
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
The original problem was not fixed and now there was a new one. I guessed it was an ECC compatibility issue, and after some googling I learned the following:
It turns out that curl on Red Hat/CentOS is built against the NSS library by default, and on those two systems curl disables ECC ciphers by default. Although the server's cipher suites support ECC, the client does not, so the request fails; the client has to pass an explicit cipher suite to curl:
curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 ...
With the cipher suite specified I was back where I started: the original error again. So the certificate had nothing to do with it.
Out of ideas, I carefully compared the nginx configuration with that of other sites. There was no real difference except that ssl_session_cache was not configured. As I understood it, that directive is merely an SSL optimisation: it caches sessions to reduce the number of full handshakes. But I had reached the end of the road, so I added it anyway.
Against all expectations, it worked.
Suppressing the urge to go out for mutton hotpot, I went back to the nginx site and looked up the documentation for ssl_session_cache.
Summary:
ssl_session_cache has 4 possible values:
off (strictly disables the session cache): nginx explicitly tells clients that sessions may not be reused.
none (disallows the session cache): nginx tells clients that sessions may be reused, but does not actually store session parameters in the cache.
builtin: a cache built into OpenSSL, used by one worker process only. The cache size is specified in sessions; if no size is given, it is 20480 sessions. Using the built-in cache can cause memory fragmentation.
shared: a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.
In short, if you want caching there are two options, builtin and shared. They can be enabled at the same time, but using only shared is recommended, as it performs better.
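As an added example that is not part of the original post, here is a small Python parser for the ssl_session_cache directive that applies the sizing rules summarised above: builtin defaults to 20480 sessions, shared holds roughly 4000 sessions per megabyte, and any builtin cache triggers the "use shared only" advice. The directive syntax and the two numbers come from the nginx documentation as quoted above; the session capacity for shared is an approximation.

```python
import re

BUILTIN_DEFAULT_SESSIONS = 20480  # builtin cache size when no count is given
SESSIONS_PER_MEGABYTE = 4000      # approximate capacity of the shared cache
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}


def parse_size(text):
    """Convert an nginx size literal such as 10m or 512k to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text)
    if not m:
        raise ValueError(f"bad size literal: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_ssl_session_cache(directive):
    """Parse one 'ssl_session_cache ...;' line.

    Returns (caches, warnings): one dict per value with its type and
    estimated session capacity, plus the advice from the post above.
    """
    m = re.fullmatch(r"\s*ssl_session_cache\s+(.+?)\s*;\s*", directive)
    if not m:
        raise ValueError("not an ssl_session_cache directive")
    caches, warnings = [], []
    for token in m.group(1).split():
        if token in ("off", "none"):
            # neither value stores anything; 'none' still advertises reuse
            caches.append({"type": token, "sessions": 0})
        elif token == "builtin" or token.startswith("builtin:"):
            count = int(token.split(":", 1)[1]) if ":" in token else BUILTIN_DEFAULT_SESSIONS
            caches.append({"type": "builtin", "sessions": count})
        elif token.startswith("shared:"):
            _, name, size = token.split(":")
            nbytes = parse_size(size)
            caches.append({"type": "shared", "name": name, "bytes": nbytes,
                           "sessions": nbytes * SESSIONS_PER_MEGABYTE // (1024 ** 2)})
        else:
            raise ValueError(f"unknown ssl_session_cache value: {token!r}")
    if any(c["type"] == "builtin" for c in caches):
        warnings.append("builtin cache is per-worker and can fragment memory; use shared only")
    return caches, warnings
```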
Even after reading that I still did not understand why adding this directive stopped curl from reporting a reset, so I captured packets again and compared them with the earlier capture.
Before the data transfer, the only difference was that there was no Server Key Exchange message.
(The connection that was reset had an extra Server Key Exchange.) Searching around, I read an expert's article, "Understanding the HTTPS request flow with Wireshark captures", and learned that the key exchange step is optional, a supplement to the Certificate step, and only occurs in the following scenarios:
The captured packets showed that a Diffie-Hellman key exchange had been negotiated.
Having got this far, I still do not know why ssl_session_cache affects the curl request, and I have to leave it there. If anyone understands this, please leave a comment and let me know; I would be very grateful.
The following is a compilation of common entries found in the nginx error log.
1. "upstream prematurely closed connection"
An error raised while a URI is being requested, caused by the user dropping the connection before upstream has returned its response. It has no effect on the system and can be ignored.
2. "recv() failed (104: Connection reset by peer)"
(1) The server's concurrent connection count exceeded its capacity and it dropped some connections; (2) the client closed the browser while the server was still sending data; (3) the user pressed Stop in the browser.
3. "(111: Connection refused) while connecting to upstream"
Received when the backend upstream is down or unreachable at connection time.
4. "(111: Connection refused) while reading response header from upstream"
Received when the backend upstream is down or unreachable while data is being read after a successful connection.
5. "(111: Connection refused) while sending request to upstream"
Received when the backend upstream is down or unreachable while nginx is sending data after a successful connection.
6. "(110: Connection timed out) while connecting to upstream"
nginx timed out connecting to the backend upstream.
7. "(110: Connection timed out) while reading upstream"
nginx timed out reading the response from upstream.
8. "(110: Connection timed out) while reading response header from upstream"
nginx timed out reading the response headers from upstream.
9. "(104: Connection reset by peer) while connecting to upstream"
upstream sent an RST and reset the connection.
10. "upstream sent invalid header while reading response header from upstream"
The response header sent by upstream is invalid.
11. "upstream sent no valid HTTP/1.0 header while reading response header from upstream"
The response header sent by upstream is invalid.
12. "client intended to send too large body"
The relevant directive (client_max_body_size) sets the maximum request body size accepted from a client, with a default of 1M; the body sent by the client exceeded the configured value.
13. "reopening logs"
The user sent kill -USR1.
14. "gracefully shutting down"
The user sent kill -WINCH.
15. "no servers are inside upstream"
No server is configured inside the upstream block.
16. "no live upstreams while connecting to upstream"
Every server in the upstream is down.
17. "SSL_do_handshake() failed"
The SSL handshake failed.
18. "ngx_slab_alloc() failed: no memory in SSL session shared cache"
Caused by ssl_session_cache being too small, among other reasons.
19. "could not add new SSL session to the session cache while SSL handshaking"
Caused by ssl_session_cache being too small, among other reasons.
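As an added example that is not part of the original post, the Python snippet below turns the catalogue above into a classifier for nginx error_log lines: it parses the standard timestamp, level and pid prefix, matches the message against the patterns listed, and tallies categories so a burst of one kind stands out. The log lines are constructed for the demonstration, and the hints that name directives such as proxy_read_timeout are the editor's additions, not from the post.

```python
import re
from collections import Counter

# error_log prefix: "2019/03/05 10:20:30 [error] 1234#0: *56 <message>"; the "*56" connection id is absent on process-level lines
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$")

# (pattern, category, first thing to check); the first matching rule wins,
# so the more specific 104/110 patterns come before the generic ones.
RULES = [
    (r"upstream prematurely closed connection", "client-abort", "client left before upstream answered; ignorable"),
    (r"\(104: Connection reset by peer\) while connecting to upstream", "upstream-reset", "upstream sent RST"),
    (r"recv\(\) failed \(104: Connection reset by peer\)", "client-abort", "client closed or server overloaded"),
    (r"\(111: Connection refused\) while", "upstream-down", "backend not listening or unreachable"),
    (r"\(110: Connection timed out\) while connecting", "upstream-timeout", "check backend or proxy_connect_timeout"),
    (r"\(110: Connection timed out\) while reading", "upstream-timeout", "backend too slow; check proxy_read_timeout"),
    (r"upstream sent (invalid|no valid HTTP/1\.0) header", "upstream-bad-response", "backend returned malformed headers"),
    (r"client intended to send too large body", "client-limit", "body exceeds client_max_body_size (default 1m)"),
    (r"no servers are inside upstream", "config", "upstream block has no server entries"),
    (r"no live upstreams", "upstream-down", "every server in the upstream is marked down"),
    (r"SSL_do_handshake\(\) failed", "tls", "handshake failed; compare client and server cipher suites"),
    (r"no memory in SSL session shared cache|could not add new SSL session", "tls-cache", "enlarge ssl_session_cache"),
    (r"reopening logs|gracefully shutting down", "signal", "USR1 / WINCH received; not an error"),
]

# Constructed sample in the real error_log layout, covering several categories.
SAMPLE_LOG = """\
2019/03/05 10:20:30 [error] 1234#0: *56 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.0.0.1, server: example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.com"
2019/03/05 10:20:31 [error] 1234#0: *57 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.2, server: example.com, request: "GET /api HTTP/1.1", upstream: "http://127.0.0.1:8080/api", host: "example.com"
2019/03/05 10:20:32 [error] 1234#0: *58 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.3, server: example.com, request: "GET /slow HTTP/1.1", upstream: "http://127.0.0.1:8080/slow", host: "example.com"
2019/03/05 10:20:33 [error] 1234#0: *59 client intended to send too large body: 2097152 bytes, client: 10.0.0.4, server: example.com, request: "POST /upload HTTP/1.1", host: "example.com"
2019/03/05 10:20:34 [crit] 1234#0: *60 ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL" while SSL handshaking, client: 10.0.0.5, server: 0.0.0.0:443
2019/03/05 10:20:35 [notice] 1234#0: signal 10 (SIGUSR1) received, reopening logs
"""


def classify(line):
    """Return (level, category, hint, message) for one line, or None if it is not an error_log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, level, msg = m.groups()
    for pattern, category, hint in RULES:
        if re.search(pattern, msg):
            return level, category, hint, msg
    return level, "unknown", "not in the catalogue; read the message", msg


def summarize(log_text):
    """Count parsable lines per category, e.g. to spot a burst of upstream-down."""
    results = (classify(line) for line in log_text.splitlines())
    return Counter(r[1] for r in results if r)
```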