20211026_Alibaba Cloud server: traffic diversion breaking SSL on a custom port
1. First, the client reported that the custom SSL port 7443 had become unreachable, while 443, 8443 and 9443 were all still reachable; in other words, everything except 7443 worked.
[root@xuexiao ~]# curl -I https://xxx.xxxxx.cn:7443
curl: (35) SSL received a record that exceeded the maximum permissible length.
-- this message is misleading
[root@xuexiao ~]# wget https://xxxx.xxxxxx.cn:7443
--2021-10-26 10:21:58-- https://xxxx.xxxxxx.cn:7443/
Resolving fkzx.rakinda.cn (xxxx.xxxxxxx.cn)... 47.1.9.18
Connecting to fkzx.rakinda.cn (xxxxx.xxxxxxx.cn)|47.1.9.18|:7443... connected.
-- this part matters: the TCP connection is established here, but nothing usable comes back
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
[root@xuexiao ~]# openssl s_client -connect 47.1.9.18:7443 -debug
CONNECTED(00000003)
write to 0x2214d90 [0x2262c10] (289 bytes => 289 (0x121))
--- these lines are not important
0100 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03 ................
0110 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0120 - 01 .
read from 0x2214d90 [0x2268170] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e HTTP/1.
140541420005264:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
...
SSL-Session:
    Protocol  : TLSv1.2
...
Verify return code: 0 (ok)
-- this shows SSL itself is fine
---
The seven bytes the peer does send back, 48 54 54 50 2f 31 2e, are the ASCII text "HTTP/1.": whatever is answering on 47.1.9.18:7443 replied to the TLS ClientHello with a cleartext HTTP status line. All of the error messages on this page are that one event seen through different TLS libraries trying to parse "HTTP/" as a TLS record header: read as a record header, the bytes 48 54 54 50 2f claim an invalid content type (0x48), an impossible version (0x5454) and a length of 0x502f = 20527, which is above the 2^14 + 2048 byte ceiling for a TLS record (hence curl's "exceeded the maximum permissible length"), while OpenSSL rejects the first byte outright ("unknown protocol") and BoringSSL objects to the version bytes (WRONG_VERSION_NUMBER, below). nginx itself never answers a TLS port in plain HTTP like this, so the reply is coming from something in front of it.
2. The error shown in Postman
Error: write EPROTO 4244677912:error:10000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../third_party/boringssl/src/ssl/tls_record.cc:242:
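Added example (not from the original note): a small Python probe that does what the openssl s_client run above did by hand. It sends a real ClientHello, looks at the first bytes that come back, and classifies them as TLS, cleartext HTTP, or nothing, so the four different library error messages collapse into one verdict. The seven bytes from the transcript are embedded as constructed sample input; the hostname and port in the usage call are placeholders, not values taken from the page.

```python
import socket
import ssl
import struct

# The 7 bytes openssl s_client read back from 47.1.9.18:7443 in the transcript
# above ("48 54 54 50 2f 31 2e"): the ASCII text "HTTP/1.", a cleartext HTTP
# status line sent in reply to a TLS ClientHello. Constructed from the page.
PAGE_READ_BYTES = bytes.fromhex("48 54 54 50 2f 31 2e")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048  # RFC 5246 ceiling for a TLSCiphertext record


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a peer sends back after our ClientHello."""
    if not data:
        return "empty"                      # TCP accepted, nothing sent back
    if data.startswith(b"HTTP/"):
        return "plaintext-http"             # what the page's dump shows
    if len(data) >= 2 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        kind = TLS_CONTENT_TYPES[data[0]]
        if kind == "handshake":
            return "tls-handshake"          # ServerHello path: TLS is alive here
        if kind == "alert":
            return "tls-alert"              # e.g. handshake_failure, unrecognized_name
        return "tls-other"
    return "unknown"


def tls_record_header(data: bytes) -> dict:
    """Interpret the first five bytes as a TLS record header, the way a TLS
    client does. On 'HTTP/' this yields content type 0x48, version 0x5454 and
    length 0x502f = 20527, which is exactly why curl complains about an
    oversized record and BoringSSL about a wrong version number."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": content_type,
        "version": (major, minor),
        "length": length,
        "valid_header": content_type in TLS_CONTENT_TYPES and major == 3,
        "length_ok": length <= TLS_MAX_CIPHERTEXT,
    }


def diagnose(first: bytes) -> str:
    """One-line verdict for the bytes returned by the peer."""
    verdict = classify_first_bytes(first)
    if verdict == "plaintext-http":
        hdr = tls_record_header(first)
        return ("peer answered the ClientHello with cleartext HTTP (%r): something in "
                "front of the TLS listener (WAF/LB diversion) is speaking plain HTTP on "
                "this port; read as a TLS record header it claims length %d > %d"
                % (first[:12], hdr["length"], TLS_MAX_CIPHERTEXT))
    if verdict == "tls-handshake":
        return "TLS listener answered with a handshake record; TLS is reachable on this port"
    if verdict == "tls-alert" and len(first) >= 7:
        return "TLS listener answered with an alert (level %d, description %d)" % (first[5], first[6])
    if verdict == "empty":
        return "peer accepted the TCP connection but sent nothing back"
    return "peer sent bytes that are neither TLS nor HTTP: %r" % first[:12]


def build_client_hello(server_name: str) -> bytes:
    """Let the local OpenSSL produce a genuine ClientHello (with SNI) through a
    MemoryBIO, so the probe sends exactly what a normal client would."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, now waiting on the server
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0):
    """Connect, send the ClientHello, return (verdict, first bytes received)."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            first = sock.recv(4096)
        except socket.timeout:
            first = b""
    return classify_first_bytes(first), first


if __name__ == "__main__":
    import sys
    # Placeholder target (assumption, not from the page): python probe.py xxx.xxxx.cn 7443
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    _, first_bytes = probe(target_host, target_port)
    print(diagnose(first_bytes))
```

The useful comparison is to run the probe twice: once against the public address (the path through the WAF), and once from the ECS host against the nginx listener directly (for example 127.0.0.1:7443), which bypasses the diversion. If the direct run reports "tls-handshake" and the public run reports "plaintext-http", nginx is fine and the interception is somewhere in front of it, which is what section 4 below found.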

3. The nginx configuration file; there is nothing wrong with it. (One observation: the limit_req_zone named allips is declared but no limit_req directive applies it, so no rate limit is actually in force; that is harmless and unrelated to the 7443 symptom.)
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    # keyed on $binary_remote_addr, limit the average request rate to 150 per second
    limit_req_zone $binary_remote_addr zone=allips:200m rate=150r/s;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
    upstream server {
        server 172.18.95.244:9091;
        server 172.18.95.244:9092;
        server 172.18.95.245:9093;
    }
    server {
        listen 9090;
        server_name fkzx.rakinda.cn;
        location / {
            proxy_pass http://server;
            root html;
            index index.html index.htm;
        }
    }
    server {
        listen 7443 ssl;
        server_name xxx.xxxx.cn;
        # ssl on;
        ssl_certificate /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.pem;
        ssl_certificate_key /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.key;
        location / {
            proxy_pass http://server;
            root html;
            index index.html index.htm;
        }
    }
}
4. The problem appeared suddenly right after the MLPS (等保, Classified Protection of Cybersecurity) compliance work; it had been working fine all along. The cause was that the Web Application Firewall had diverted the traffic for this port. In the WAF console, delete port 7443 from the diversion configuration, or turn off traffic diversion, and it works again. Afterwards, re-run the openssl s_client check from section 1: the first bytes read back should now be a TLS record (16 03 ...) instead of "HTTP/1.". If the port is meant to stay protected by the WAF rather than be removed from it, it has to be registered there as an HTTPS port with the certificate bound, since the dump above shows the diverted port was being answered in plain HTTP.