20211026_Alibaba Cloud server: WAF traffic diversion (引流) breaking a custom SSL port
1. First, the customer reported that the custom SSL port 7443 could no longer be reached, while 443, 8443 and 9443 all still worked; in other words everything except 7443 was accessible.
[root@xuexiao ~]# curl -I https://xxx.xxxxx.cn:7443
curl: (35) SSL received a record that exceeded the maximum permissible length.
-- this message is misleading (see the openssl output below for the real reason)
[root@xuexiao ~]# wget https://xxxx.xxxxxx.cn:7443
--2021-10-26 10:21:58--  https://xxxx.xxxxxx.cn:7443/
Resolving fkzx.rakinda.cn (xxxx.xxxxxxx.cn)... 47.1.9.18
Connecting to fkzx.rakinda.cn (xxxxx.xxxxxxx.cn)|47.1.9.18|:7443... connected.
-- this part matters: the TCP connection is established, but no TLS reply comes back
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
[root@xuexiao ~]# openssl s_client -connect 47.1.9.18:7443 -debug
CONNECTED(00000003)
write to 0x2214d90 [0x2262c10] (289 bytes => 289 (0x121))
-- the hex dump of the ClientHello we send is not important
0100 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03   ................
0110 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
0120 - 01                                                .
read from 0x2214d90 [0x2268170] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
140541420005264:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
...
SSL-Session:
    Protocol  : TLSv1.2
...
    Verify return code: 0 (ok)
-- the 7 bytes read back are the real evidence: the peer answered our TLS ClientHello with plaintext "HTTP/1.", so whatever is listening on 7443 is speaking plain HTTP, not TLS. The SSL-Session block underneath is only s_client printing its defaults after the failed handshake; "Verify return code: 0 (ok)" means no certificate was ever checked, it does not mean SSL on the port is fine. curl's "record exceeded the maximum permissible length" is the same thing seen through a different parser: it read "HTTP/" as a 5-byte TLS record header whose length field ("P/" = 0x502f = 20527) is larger than any legal record.
2. The error reported by Postman (same root cause: BoringSSL parsed the plaintext HTTP reply as a TLS record and rejected its version field):
Error: write EPROTO 4244677912:error:10000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../third.party/boringssl/src/ssl/tls.record.cc:242:
3. The nginx configuration; there is nothing wrong with it:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    # keyed on $binary_remote_addr, limit the average to 150 requests per second
    # (the zone is only declared here; no location applies it with limit_req, so no rate limiting is actually in effect)
    limit_req_zone $binary_remote_addr zone=allips:200m rate=150r/s;

    keepalive_timeout 65;
    #gzip on;

    include /etc/nginx/conf.d/*.conf;

    # the upstream is literally named "server"; legal, but easy to confuse with the server directive
    upstream server {
        server 172.18.95.244:9091;
        server 172.18.95.244:9092;
        server 172.18.95.245:9093;
    }

    server {
        listen 9090;
        server_name fkzx.rakinda.cn;
        location / {
            proxy_pass http://server;
            root html;
            index index.html index.htm;
        }
    }

    server {
        listen 7443 ssl;
        server_name xxx.xxxx.cn;
        # ssl on;   (not needed; the ssl parameter on listen already enables TLS)
        ssl_certificate /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.pem;
        ssl_certificate_key /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.key;
        location / {
            proxy_pass http://server;
            root html;
            index index.html index.htm;
        }
    }
}
4. This started suddenly after the 等保 (MLPS classified-protection) compliance work; it had been fine before. The cause: the Web Application Firewall (WAF) had started diverting (引流) traffic for this port, so the WAF, not nginx, was answering on 7443, and it answered with plain HTTP instead of completing the TLS handshake, which is exactly what the "HTTP/1." bytes in the openssl output show. Fix: open the WAF console and either delete the port from the WAF or switch off the diversion for it, and 7443 works again. Re-check afterwards with openssl s_client: a working port replies with a ServerHello and the certificate chain, not with "unknown protocol". Keep in mind that removing the port from the WAF also removes the WAF's inspection of that traffic; if 7443 is supposed to stay protected, add it back configured as HTTPS on the WAF side rather than leaving it out.
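The three error messages in items 1, 2 and 4 (curl's "record exceeded the maximum permissible length", OpenSSL's "unknown protocol", BoringSSL's WRONG_VERSION_NUMBER) are one failure seen through three different TLS record parsers. The probe below, added here as a worked example and not part of the original note, builds a real ClientHello offline with Python's ssl MemoryBIO API, sends it over a raw TCP socket, and classifies the first bytes that come back: a ServerHello, a TLS alert, nothing, or plaintext HTTP from a device such as a WAF sitting in front of the port. It also decodes the plaintext reply as a TLS record header to show where curl's misleading length complaint comes from. The hostname, port and sample bytes are constructed for illustration; run it as `python probe.py host 7443` against the real server before and after the WAF change.

```python
"""Probe a TLS port and classify what answers the ClientHello (added example)."""
import socket
import ssl
import sys

# Largest record a TLS 1.2 peer has to accept: 2^14 plaintext plus 2048 bytes overhead.
MAX_TLS_RECORD = 16384 + 2048


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello (with SNI) without opening a socket.

    An SSLObject over two MemoryBIOs writes its first flight into `outgoing`,
    then raises SSLWantReadError because no ServerHello has arrived yet.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # diagnostic probe: the peer is never verified
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def decode_record_header(data: bytes):
    """Read the first 5 bytes the way a TLS record layer does: (type, version, length)."""
    if len(data) < 5:
        return None
    return data[0], int.from_bytes(data[1:3], "big"), int.from_bytes(data[3:5], "big")


def classify_response(data: bytes) -> str:
    """Name what the peer sent back in reply to our ClientHello."""
    if not data:
        return "closed"                 # peer hung up without a byte
    if data.startswith(b"HTTP/"):
        return "plaintext-http"         # something in front answers as a plain HTTP server
    header = decode_record_header(data)
    if header and header[0] == 0x16 and header[1] >> 8 == 0x03:
        return "tls-handshake"          # ServerHello: the port really speaks TLS
    if header and header[0] == 0x15 and header[1] >> 8 == 0x03:
        return "tls-alert"              # a TLS peer refused (SNI, version or cipher mismatch)
    return "unknown"


def explain(data: bytes) -> str:
    """Map the classification to what curl/NSS, OpenSSL 1.0 and BoringSSL print for it."""
    kind = classify_response(data)
    if kind != "plaintext-http":
        return kind
    ctype, version, length = decode_record_header(data)
    lines = [
        "plaintext HTTP answered the ClientHello; TLS clients parse it as a record header:",
        f"  content type 0x{ctype:02x}, version 0x{version:04x}, length {length}",
    ]
    if length > MAX_TLS_RECORD:
        lines.append(f"  length > {MAX_TLS_RECORD}: NSS/curl reports a record that exceeded the maximum length")
    lines.append("  version is not 0x03xx: OpenSSL 1.0 reports 'unknown protocol', BoringSSL WRONG_VERSION_NUMBER")
    return "\n".join(lines)


def probe(host: str, port: int, server_name: str = "", timeout: float = 5.0):
    """Send a ClientHello over a raw TCP socket; return (classification, raw reply)."""
    hello = build_client_hello(server_name or host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout", b""       # silent drop, e.g. a firewall that accepts and never answers
    return classify_response(reply), reply


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        kind, raw = probe(sys.argv[1], int(sys.argv[2]))
        print(kind)
        print(explain(raw))
    else:
        # Constructed sample: the 7 bytes s_client read back, extended to a full status line.
        print(explain(b"HTTP/1.1 400 Bad Request\r\n"))
```

A "plaintext-http" result means the TLS failure is not a certificate or cipher problem on nginx at all; something closer to the client owns the port and speaks HTTP on it, so the next place to look is the WAF, load balancer or security-group forwarding rule rather than the ssl_* directives. A "tls-alert" would instead point at nginx itself (wrong SNI, unsupported protocol version).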