Problem with nginx and SSL
Behterev D.
maillist at itcall.ru
Fri Apr 24 22:20:50 MSD 2009

Hello.
Does anyone have any thoughts on this?
The problem: I cannot get https passed from nginx to the upstream Apache
web server; nginx is the front end, Apache the back end.
OS: FreeBSD 7
nginx is installed from the port, nginx-0.7.52.
If the https request goes directly to the back end, everything works; through
nginx there are problems. The browser shows a blank page. Log:
 
2009/04/24 03:35:00 [debug] 77007#0: malloc: 08159000:10240
2009/04/24 03:35:00 [debug] 77007#0: malloc: 0815C000:10240
2009/04/24 03:35:00 [debug] 77007#0: malloc: 08301000:942080
2009/04/24 03:35:00 [debug] 77007#0: malloc: 0815F000:614400
2009/04/24 03:35:00 [debug] 77007#0: malloc: 08401000:614400
2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 5: ft:-1 fl:0005
2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 6: ft:-1 fl:0005
2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 8: ft:-1 fl:0005
2009/04/24 03:35:00 [debug] 77007#0: worker cycle
2009/04/24 03:35:00 [debug] 77007#0: kevent timer: -1, changes: 3
2009/04/24 03:35:24 [debug] 77007#0: kevent events: 1
2009/04/24 03:35:24 [debug] 77007#0: kevent: 6: ft:-1 fl:0000 ff:00000000 d:1 ud:0815F03C
2009/04/24 03:35:24 [debug] 77007#0: accept on xx.xx.xx.xx:443, ready: 1
2009/04/24 03:35:24 [debug] 77007#0: malloc: 08136400:256
2009/04/24 03:35:24 [debug] 77007#0: *175 accept: 85.140.11.227 fd:7
2009/04/24 03:35:24 [debug] 77007#0: *175 event timer add: 7: 60000:3579203720
2009/04/24 03:35:24 [debug] 77007#0: *175 kevent set event: 7: ft:-1 fl:0025
2009/04/24 03:35:24 [debug] 77007#0: timer delta: 24481
2009/04/24 03:35:24 [debug] 77007#0: posted events 00000000
2009/04/24 03:35:24 [debug] 77007#0: worker cycle
2009/04/24 03:35:24 [debug] 77007#0: kevent timer: 60000, changes: 1
2009/04/24 03:35:24 [debug] 77007#0: kevent events: 1
2009/04/24 03:35:24 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000 d:116 ud:0815F0B4
2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 0811E400:656
2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 0811FC00:1024
2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 08118000:4096
2009/04/24 03:35:24 [debug] 77007#0: *175 http check ssl handshake
2009/04/24 03:35:24 [debug] 77007#0: *175 https ssl handshake: 0x16
2009/04/24 03:35:24 [debug] 77007#0: *175 SSL_do_handshake: -1
2009/04/24 03:35:24 [debug] 77007#0: *175 SSL_get_error: 2
2009/04/24 03:35:24 [debug] 77007#0: timer delta: 3
2009/04/24 03:35:24 [debug] 77007#0: posted events 00000000
2009/04/24 03:35:24 [debug] 77007#0: worker cycle
2009/04/24 03:35:24 [debug] 77007#0: kevent timer: 59997, changes: 0
2009/04/24 03:35:25 [debug] 77007#0: kevent events: 1
2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000 d:214 ud:0815F0B4
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL handshake handler: 0
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_do_handshake: 1
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL: SSLv3, cipher: "DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1"
2009/04/24 03:35:25 [debug] 77007#0: *175 http process request line
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: -1
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_get_error: 2
2009/04/24 03:35:25 [debug] 77007#0: timer delta: 82
2009/04/24 03:35:25 [debug] 77007#0: posted events 00000000
2009/04/24 03:35:25 [debug] 77007#0: worker cycle
2009/04/24 03:35:25 [debug] 77007#0: kevent timer: 59915, changes: 0
2009/04/24 03:35:25 [debug] 77007#0: kevent events: 1
2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000 d:437 ud:0815F0B4
2009/04/24 03:35:25 [debug] 77007#0: *175 http process request line
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: 404
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: -1
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_get_error: 2
2009/04/24 03:35:25 [debug] 77007#0: *175 http request line: "GET / HTTP/1.1"
2009/04/24 03:35:25 [debug] 77007#0: *175 http uri: "/"
2009/04/24 03:35:25 [debug] 77007#0: *175 http args: ""
2009/04/24 03:35:25 [debug] 77007#0: *175 http exten: ""
2009/04/24 03:35:25 [debug] 77007#0: *175 http process request header line
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Host: mail.domen.ru"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Language: ru,en-us;q=0.7,en;q=0.3"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Encoding: gzip,deflate"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Keep-Alive: 300"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Connection: keep-alive"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Cache-Control: max-age=0"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header done
2009/04/24 03:35:25 [debug] 77007#0: *175 event timer del: 7: 3579203720
2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 0
2009/04/24 03:35:25 [debug] 77007#0: *175 test location: "/"
2009/04/24 03:35:25 [debug] 77007#0: *175 using configuration "/"
2009/04/24 03:35:25 [debug] 77007#0: *175 http cl:-1 max:1048576
2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 2
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "mail.domen.ru"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script regex: "(www\.mail.domen\.ru|mail\.domen\.ru)"
2009/04/24 03:35:25 [notice] 77007#0: *175 "(www\.mail.domen\.ru|mail\.domen\.ru)" matches "mail.domen.ru", client: 85.140.11.227, server: mail.domen.ru, request: "GET / HTTP/1.1", host: "mail.domen.ru"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script if
2009/04/24 03:35:25 [debug] 77007#0: *175 http script complex value
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "192.168.0.20/"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "/"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script set $perehod
2009/04/24 03:35:25 [debug] 77007#0: *175 post rewrite phase: 3
2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 4
2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 5
2009/04/24 03:35:25 [debug] 77007#0: *175 access phase: 6
2009/04/24 03:35:25 [debug] 77007#0: *175 access phase: 7
2009/04/24 03:35:25 [debug] 77007#0: *175 post access phase: 8
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "https://"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "192.168.0.20//"
2009/04/24 03:35:25 [debug] 77007#0: *175 http init upstream, client timer: 0
2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 7: ft:-2 fl:0025
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "X-FORWARDED_PROTO: https
"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "Host: "
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "mail.domen.ru"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "
"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "X-Real-IP: "
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "85.140.11.227"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "
"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "X-Forwarded-For: "
2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "85.140.11.227"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "
"
2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "Connection: close
"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Accept-Language: ru,en-us;q=0.7,en;q=0.3"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Accept-Encoding: gzip,deflate"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Cache-Control: max-age=0"
2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header:
"GET // HTTP/1.0
X-FORWARDED_PROTO: https
Host: mail.domen.ru
X-Real-IP: 85.140.11.227
X-Forwarded-For: 85.140.11.227
Connection: close
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Cache-Control: max-age=0

"
2009/04/24 03:35:25 [debug] 77007#0: *175 http cleanup add: 08118B5C
2009/04/24 03:35:25 [debug] 77007#0: resolve: "192.168.0.20"
2009/04/24 03:35:25 [debug] 77007#0: *175 name was resolved to 192.168.0.20
2009/04/24 03:35:25 [debug] 77007#0: resolve name done: 0
2009/04/24 03:35:25 [debug] 77007#0: *175 get rr peer, try: 1
2009/04/24 03:35:25 [debug] 77007#0: *175 socket 10
2009/04/24 03:35:25 [debug] 77007#0: *175 connect to 192.168.0.20:443, fd:10 #176
2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 10: ft:-1 fl:0025
2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 10: ft:-2 fl:0025
2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream connect: -2
2009/04/24 03:35:25 [debug] 77007#0: *175 event timer add: 10: 75000:3579218858
2009/04/24 03:35:25 [debug] 77007#0: timer delta: 53
2009/04/24 03:35:25 [debug] 77007#0: posted events 00000000
2009/04/24 03:35:25 [debug] 77007#0: worker cycle
2009/04/24 03:35:25 [debug] 77007#0: kevent timer: 75000, changes: 3
2009/04/24 03:35:25 [debug] 77007#0: kevent events: 2
2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-2 fl:0020 ff:00000000 d:33396 ud:084010B4
2009/04/24 03:35:25 [debug] 77007#0: *175 http run request: "/?"
2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream check client, write event:1, "/"
2009/04/24 03:35:25 [debug] 77007#0: kevent: 10: ft:-2 fl:0020 ff:00000000 d:43008 ud:084010F0
2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream request: "/?"
2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream send request handler
2009/04/24 03:35:25 [notice] 69512#0: signal 20 (SIGCHLD) received
2009/04/24 03:35:25 [alert] 69512#0: worker process 77007 exited on signal 11
2009/04/24 03:35:25 [debug] 69512#0: wake up
2009/04/24 03:35:25 [debug] 69512#0: reap children
2009/04/24 03:35:25 [debug] 69512#0: child: 0 77007 e:0 t:1 d:0 r:1 j:0
2009/04/24 03:35:25 [debug] 69512#0: channel 7:8
2009/04/24 03:35:25 [notice] 69512#0: start worker process 77078
2009/04/24 03:35:25 [debug] 69512#0: sigsuspend
2009/04/24 03:35:25 [debug] 77078#0: malloc: 0812A000:10240
2009/04/24 03:35:25 [debug] 77078#0: malloc: 08159000:10240
2009/04/24 03:35:25 [debug] 77078#0: malloc: 0815C000:10240
2009/04/24 03:35:25 [debug] 77078#0: malloc: 08301000:942080
2009/04/24 03:35:25 [debug] 77078#0: malloc: 0815F000:614400
2009/04/24 03:35:25 [debug] 77078#0: malloc: 08401000:614400
2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 5: ft:-1 fl:0005
2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 6: ft:-1 fl:0005
2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 8: ft:-1 fl:0005
2009/04/24 03:35:25 [debug] 77078#0: worker cycle
2009/04/24 03:35:25 [debug] 77078#0: kevent timer: -1, changes: 3
 
nginx config:
worker_processes  1;

error_log /var/log/nginx/error.log debug;

pid        nginx.pid;

events {
    worker_connections  10240;
}

http {
        include       mime.types;

        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                      '"$status" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile        on;

        tcp_nopush     on;

        tcp_nodelay on;

        keepalive_timeout  65;

        server {
                listen       xx.xx.xx.xx:80;

                # This directive sets the names of the virtual server
                # (the terminating ';' was missing in the posted config).
                server_name  domen.ru www.domen.ru;

                location / {
                        root   /var/www/nginx;
                        index  index.html index.htm;
                        # $request_uri already begins with "/", so the target
                        # is "host$request_uri"; "host/$request_uri" produced
                        # the "GET // HTTP/1.0" seen in the log above.
                        # If the Host header does not match, $perehod stays
                        # empty and the request cannot be proxied at all.
                        if ($http_host ~* ^(www\.domen\.ru|domen\.ru)) {
                                set $perehod 192.168.0.20$request_uri;
                                break;
                        }

                        proxy_pass http://$perehod;

                        client_max_body_size 100m;
                        client_body_buffer_size 128k;

                        include /usr/local/etc/nginx/proxy.conf;
                }

                error_page   500 502 503 504  /50x.html;
                location = /50x.html {
                        root   /var/www/nginx;
                }
        }

    # HTTPS server
    #
    server {
        listen       xx.xx.xx.xx:443;
        server_name  mail.domen.ru www.mail.domen.ru;

        ssl                  on;
        ssl_certificate      /usr/local/etc/nginx/cert/server_www.crt;
        ssl_certificate_key  /usr/local/etc/nginx/cert/server_www.key;

        ssl_session_timeout  5m;

        # Caveat: SSLv2 and SSLv3 are broken protocols, and this cipher list
        # admits LOW-strength and SSLv2 suites; the debug log above shows the
        # browser actually negotiated SSLv3 with DHE-RSA-CAMELLIA256-SHA.
        # Restrict ssl_protocols to TLSv1 (or newer) and drop +LOW:+SSLv2
        # from ssl_ciphers once the proxying problem itself is solved.
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2;
        # ssl_prefer_server_ciphers   on;

        location / {

                # The header name uses an underscore; the conventional name is
                # X-Forwarded-Proto, and the backend has to be configured to
                # trust whichever name is actually sent.
                proxy_set_header X-FORWARDED_PROTO https;
                # The dot between "mail" and "domen" is now escaped as in the
                # other alternative; $request_uri already begins with "/".
                if ($http_host ~* (www\.mail\.domen\.ru|mail\.domen\.ru)) {
                        set $perehod 192.168.0.20:443$request_uri;
                        break;
                }

                # The "<https://$perehod/>" copy that followed the URL in the
                # posted config was a mail-client artifact, not nginx syntax.
                # This is the hop where the worker died (signal 11) in the log
                # above, right after "http upstream send request handler".
                proxy_pass https://$perehod;

                include /usr/local/etc/nginx/proxy.conf;

        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   /var/www/nginx;
        }

    }
}
 
Thank you for your reply.
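An added example, not part of the original post and not nginx code: a small Python post-mortem over nginx debug error_log lines like the ones above. It folds mail-wrapped continuation lines back onto their record, locates the "worker process ... exited on signal" alert, and reports which connection that worker was handling last, the client, the request line, the upstream it had connected to, and the TLS version negotiated on the front end (flagging SSLv2/SSLv3, which the posted ssl_protocols allows and which the log shows was actually chosen). The sample log is a constructed excerpt of the log above; the function, class and field names are my own.

```python
"""Post-mortem over an nginx debug error_log: which connection was a crashed
worker handling, what did the client negotiate, and where was the request
being sent. Added example, not code from the post or from nginx."""
import re
from dataclasses import dataclass

# nginx error_log record: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*conn] message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?:\*(?P<conn>\d+) )?(?P<msg>.*)$'
)
CRASH_RE = re.compile(r'worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)')
ACCEPT_RE = re.compile(r'accept: (?P<ip>[\d.]+) fd:\d+')
TLS_RE = re.compile(r'SSL: (?P<proto>\S+), cipher: "(?P<cipher>[^"]*)"')
CONNECT_RE = re.compile(r'connect to (?P<addr>[\d.]+:\d+), fd:\d+')
REQ_RE = re.compile(r'http request line: "(?P<line>[^"]*)"')
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}   # both broken; should not be offered


@dataclass
class Conn:
    cid: int
    pid: int
    client: str = ""
    proto: str = ""
    cipher: str = ""
    request: str = ""
    upstream: str = ""
    last_msg: str = ""
    last_ts: str = ""


def parse(log_text):
    """Return ({conn_id: Conn}, [(pid, signal, ts), ...]) from raw log text.
    A line that does not start a new record (a mail-wrapped continuation or a
    line of a multi-line quoted string) is folded onto the previous record."""
    records = []
    for raw in log_text.splitlines():
        if LINE_RE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw.strip()
    conns, crashes = {}, []
    for rec in records:
        m = LINE_RE.match(rec)
        if not m:
            continue
        ts, pid, msg = m["ts"], int(m["pid"]), m["msg"]
        c = CRASH_RE.search(msg)
        if c:                                   # master reporting a dead worker
            crashes.append((int(c["pid"]), int(c["sig"]), ts))
            continue
        if m["conn"] is None:                   # no per-connection context
            continue
        conn = conns.setdefault(int(m["conn"]), Conn(int(m["conn"]), pid))
        conn.last_msg, conn.last_ts = msg, ts
        for rx, attr, key in ((ACCEPT_RE, "client", "ip"),
                              (TLS_RE, "proto", "proto"),
                              (TLS_RE, "cipher", "cipher"),
                              (CONNECT_RE, "upstream", "addr"),
                              (REQ_RE, "request", "line")):
            h = rx.search(msg)
            if h:
                setattr(conn, attr, h[key])
    return conns, crashes


def crash_report(log_text):
    """One dict per worker crash: the last connection that worker touched,
    plus a legacy-TLS flag for what the front end accepted from the client."""
    conns, crashes = parse(log_text)
    reports = []
    for pid, sig, ts in crashes:
        mine = [c for c in conns.values() if c.pid == pid]
        if not mine:
            reports.append({"pid": pid, "signal": sig, "conn": None})
            continue
        last = max(mine, key=lambda c: (c.last_ts, c.cid))
        reports.append({
            "pid": pid, "signal": sig, "conn": last.cid, "client": last.client,
            "request": last.request, "upstream": last.upstream,
            "tls": f"{last.proto} {last.cipher}".strip(),
            "legacy_tls": last.proto in LEGACY_PROTOCOLS,
            "last_event": last.last_msg,
        })
    return reports


# Constructed excerpt of the debug log in the post, wrapping included.
SAMPLE_LOG = """\
2009/04/24 03:35:24 [debug] 77007#0: accept on xx.xx.xx.xx:443, ready: 1
2009/04/24 03:35:24 [debug] 77007#0: *175 accept: 85.140.11.227 fd:7
2009/04/24 03:35:24 [debug] 77007#0: *175 SSL_do_handshake: -1
2009/04/24 03:35:25 [debug] 77007#0: *175 SSL: SSLv3, cipher:
"DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1"
2009/04/24 03:35:25 [debug] 77007#0: *175 http request line: "GET /
HTTP/1.1"
2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Host: mail.domen.ru"
2009/04/24 03:35:25 [debug] 77007#0: *175 connect to 192.168.0.20:443, fd:10
#176
2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream send request handler
2009/04/24 03:35:25 [notice] 69512#0: signal 20 (SIGCHLD) received
2009/04/24 03:35:25 [alert] 69512#0: worker process 77007 exited on signal
11
2009/04/24 03:35:25 [notice] 69512#0: start worker process 77078
"""

if __name__ == "__main__":
    for report in crash_report(SAMPLE_LOG):
        print(report)
```

Run against the real error_log (error_log ... debug) to get the same summary; the "last_event" field is what the worker was doing when it died, and "legacy_tls" is the cue to tighten ssl_protocols regardless of the crash.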
More information about the nginx-ru mailing list