V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
NGINX
NGINX Trac
3rd Party Modules
Security Advisories
CHANGES
OpenResty
ngx_lua
Tengine
在线学习资源
NGINX 开发从入门到精通
NGINX Modules
ngx_echo
guanyujia5444
V2EX  ›  NGINX

关于 nginx 反向代理, HTTP 正常, HTTPS 访问报 403 错误

  •  
  •   guanyujia5444 · 2020-10-12 15:11:27 +08:00 · 6049 次点击
    这是一个创建于 1505 天前的主题,其中的信息可能已经有所发展或是发生改变。
    反向代理转发的是一个 JSP 的网址,在 HTTP 访问正常,HTTPS 带证书访问就会报 403 错误,而且证书没有问题,HTTPS 转发其他页面可以正常转发,下面是配置文件,大神指导下是否需要调整参数,谢谢!


    #user nobody;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;


    events {
    worker_connections 1024;
    }


    http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    gzip on;

    upstream ncc{
    ip_hash;
    server 10.0.3.21:9081 weight=10;
    server 10.0.3.21:9082 weight=10;
    server 10.0.3.21:9083 weight=10;
    keepalive 300;
    }


    server {
    listen 80;
    server_name localhost;
    index index.jsp;
    location / {
    allow all;
    index index.jsp index.html;
    proxy_pass http://ncc;
    proxy_set_header Host $http_host;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 100m;
    client_body_buffer_size 256k;
    proxy_buffering off;
    proxy_connect_timeout 1;
    proxy_send_timeout 30;
    proxy_read_timeout 60;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_max_temp_file_size 128m;
    }
    }
    server {
    listen 443 ssl;
    #error_page 497 301 =307 https://$host:443$request_uri;
    server_name localhost;
    ssl_certificate cert/piepchina.pem;
    ssl_certificate_key cert/piepchina.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
    allow all;
    index index.jsp index.html;
    proxy_pass http://ncc;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade-Insecure-Requests 1;
    }
    }

    }
    44 条回复    2021-09-16 23:25:11 +08:00
    Lockeysama
        1
    Lockeysama  
       2020-10-12 15:23:00 +08:00
    还是看访问日志吧
    engineercj
        2
    engineercj  
       2020-10-12 15:25:55 +08:00
    user root;
    whorusq
        3
    whorusq  
       2020-10-12 15:39:12 +08:00
    ssl on;
    bruce0
        4
    bruce0  
       2020-10-12 15:41:38 +08:00
    把错误 log 打开.看一下错误 log 这样最容易找到问题
    zunceng
        5
    zunceng  
       2020-10-12 16:05:00 +08:00
    443 和 80 的 配置都不一样

    Upgrade ? websocket ?
    simenet
        6
    simenet  
       2020-10-12 16:08:58 +08:00
    目录 权限不够
    guanyujia5444
        7
    guanyujia5444  
    OP
       2020-10-12 16:36:47 +08:00
    @Lockeysama 访问日志无任何报错,也就是说 nginx 正常转发了,但使用证书方式转发时候,后端应用拒绝了,不知道是不是应该在 nginx 配置文件上添加参数
    guanyujia5444
        8
    guanyujia5444  
    OP
       2020-10-12 16:38:13 +08:00
    @engineercj 不是这个问题,如果是这个问题,影响是全局的,不会 80 端口正常,443 不正常
    guanyujia5444
        9
    guanyujia5444  
    OP
       2020-10-12 16:39:41 +08:00
    @whorusq ssl on 的方式,已经淘汰了,现在都是这么用
    listen 443 ssl;
    Citrus
        10
    Citrus  
       2020-10-12 16:39:59 +08:00
    proxy_set_header Host $http_host;

    ssl 段没把 host 传过去啊
    guanyujia5444
        11
    guanyujia5444  
    OP
       2020-10-12 16:40:44 +08:00
    @zunceng 配置是有些不一样,我把 timeout 和 buffer 补上试试
    guanyujia5444
        12
    guanyujia5444  
    OP
       2020-10-12 16:41:58 +08:00
    @simenet 不是这个问题,这个是反向代理,不是作为本地 web 服务器
    guanyujia5444
        13
    guanyujia5444  
    OP
       2020-10-12 16:44:34 +08:00
    @Citrus 因为之前解决问题,有人说需要注释掉这条。。。我先补上

    下面这两条意义一致吗?

    # proxy_set_header Host $host:$server_port;
    # proxy_set_header Host $proxy_host;
    ctOS1H
        14
    ctOS1H  
       2020-10-12 16:49:45 +08:00
    日志
    oliverchen
        15
    oliverchen  
       2020-10-12 16:51:16 +08:00
    是上游根据 HOST “不合法”返回的 403 吧。试试在 ssl server 那块,也加上 `proxy_set_header Host $http_host;` 或者 `proxy_set_header Host $host;`
    zunceng
        16
    zunceng  
       2020-10-12 17:06:33 +08:00
    @guanyujia5444 你把 websocket 的配置 删掉试试 就是 Upgrade 相关的
    guanyujia5444
        17
    guanyujia5444  
    OP
       2020-10-12 17:09:05 +08:00
    @zunceng 这块不太懂,是删掉如下几条吗?

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade-Insecure-Requests 1;
    guanyujia5444
        18
    guanyujia5444  
    OP
       2020-10-12 17:11:11 +08:00
    @zunceng 已经注释掉这三条,还是不行的
    guanyujia5444
        19
    guanyujia5444  
    OP
       2020-10-12 17:13:54 +08:00
    最新的配置如下,依然是 http 的 81 可以访问,https 的 8888 端口无法访问,两个转发的后端服务都是一样的。
    转发的协议是 http 的。

    #user nobody;
    worker_processes 1;

    error_log logs/error.log;
    error_log logs/error.log notice;
    error_log logs/error.log info;

    #pid logs/nginx.pid;


    events {
    worker_connections 1024;
    }


    http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    gzip on;

    upstream ncc{
    ip_hash;
    server 192.168.100.241:9081 weight=10;
    server 192.168.100.241:9082 weight=10;
    keepalive 300;
    }



    server {
    listen 81;
    server_name localhost;
    index index.jsp;
    location / {
    allow all;
    index index.jsp index.html;
    proxy_pass http://ncc;
    proxy_set_header Host $http_host;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 100m;
    client_body_buffer_size 256k;
    proxy_buffering off;
    proxy_connect_timeout 1;
    proxy_send_timeout 30;
    proxy_read_timeout 60;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_max_temp_file_size 128m;
    }
    }
    server {
    listen 8888 ssl;
    #error_page 497 301 =307 https://$host:443$request_uri;
    server_name localhost;
    index index.jsp;
    ssl_certificate cert/2.pem;
    ssl_certificate_key cert/2.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
    allow all;
    index index.jsp index.html;
    proxy_pass http://ncc;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade-Insecure-Requests 1;
    client_max_body_size 100m;
    client_body_buffer_size 256k;
    proxy_buffering off;
    proxy_connect_timeout 1;
    proxy_send_timeout 30;
    proxy_read_timeout 60;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_max_temp_file_size 128m;
    }
    }
    }
    xuanbg
        20
    xuanbg  
       2020-10-12 17:14:36 +08:00
    加这几句:
    set $ssl off;
    if ($scheme = https) {
    set $ssl on;
    }
    guanyujia5444
        21
    guanyujia5444  
    OP
       2020-10-12 17:16:07 +08:00
    访问的时候,没有任何相关错误日志,我认为是转发成功了,但后端服务拒绝了。
    为啥 http 就正常访问,https 就被后端服务拒绝,这个地方有些疑问。

    另外试了下,apache 使用 ajp 或者 http 反向代理转发都可行
    guanyujia5444
        22
    guanyujia5444  
    OP
       2020-10-12 17:18:49 +08:00
    @xuanbg 是加在那个标签中? http {}吗?
    xuanbg
        23
    xuanbg  
       2020-10-12 17:23:54 +08:00
    @guanyujia5444

    server {
    listen 443 ssl;
    server_name api.i-facture.com;

    ssl_certificate /opt/cert/api.i-facture.com.pem;
    ssl_certificate_key /opt/cert/api.i-facture.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    set $ssl off;
    if ($scheme = https) {
    set $ssl on;
    }
    ……
    }
    guanyujia5444
        24
    guanyujia5444  
    OP
       2020-10-12 17:55:01 +08:00
    @xuanbg 谢谢,我试试
    guanyujia5444
        25
    guanyujia5444  
    OP
       2020-10-12 17:59:00 +08:00
    @xuanbg 还是不行
    tuxz
        26
    tuxz  
       2020-10-12 18:09:17 +08:00 via Android
    贴下 access log
    guanyujia5444
        27
    guanyujia5444  
    OP
       2020-10-12 18:24:24 +08:00
    https://hr.xxxx.com.cn:8888/
    这个是 https 的 access 日志
    看着没有啥问题



    192.168.100.210 - - [12/Oct/2020:17:10:35 +0800] "POST /nccloud/riart/login/init.do HTTP/1.1" 200 700 "http://192.168.100.225:81/nccloud/resources/uap/rbac/login/main/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:35 +0800] "GET /nccloud/resources/uap/public/img/picture.ico HTTP/1.1" 200 9662 "http://192.168.100.225:81/nccloud/resources/uap/rbac/login/main/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:36 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:37 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:38 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:39 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:10:39 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud HTTP/1.1" 302 5 "https://hr.xxxx.com.cn:8888/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:58:19 +0800] "GET /nccloud/ HTTP/1.1" 400 657 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:58:20 +0800] "GET /favicon.ico HTTP/1.1" 400 657 "http://hr.xxxx.com.cn:8888/nccloud/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:58:33 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:17:58:35 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    192.168.100.210 - - [12/Oct/2020:18:06:18 +0800] "GET /nccloud/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Edg/86.0.622.38"
    dudu2017
        28
    dudu2017  
       2020-10-12 18:29:53 +08:00 via iPhone
    建议开启 debug 日志看
    error_log /path/to/log debug;
    masker
        29
    masker  
       2020-10-12 18:32:57 +08:00 via Android
    那就看上游的日志啊
    yongliu
        30
    yongliu  
       2020-10-12 19:22:21 +08:00
    access 日志可以看到反向代理这边应该是过了
    看看后端为啥返回 403 吧
    tsanie
        31
    tsanie  
       2020-10-12 19:35:46 +08:00   ❤️ 1
    说个题外话,其实我比较好奇已经采用 listen 443 ssl;方式监听了。为什么不把 http/https 写到同一个 server 中(如果 server_name 相同,要提供的内容又是一样的话)
    server {
    listen 80;
    listen 443 ssl;
    ...
    }
    xuanbg
        32
    xuanbg  
       2020-10-12 21:17:04 +08:00
    @guanyujia5444 你的证书是指定的 localhost ?
    dany813
        33
    dany813  
       2020-10-13 09:36:06 +08:00
    最后解决了吗
    guanyujia5444
        34
    guanyujia5444  
    OP
       2020-10-13 13:31:58 +08:00
    @yongliu 我也觉得是过了,应该是后端的问题,但后端为啥拒绝就不知道了,有啥能和 nginx 冲突的吗? apache 正常的
    guanyujia5444
        35
    guanyujia5444  
    OP
       2020-10-13 13:32:39 +08:00
    @xuanbg 指定的网址,我也通过网址访问的,应该是 nginx 已经转发了,但后端拒绝了
    guanyujia5444
        36
    guanyujia5444  
    OP
       2020-10-13 13:33:06 +08:00
    @dany813 没有解决,我慢慢调试吧
    guanyujia5444
        37
    guanyujia5444  
    OP
       2020-10-13 13:34:08 +08:00
    @tsanie 其实可以写一个里面,主要是为了调试方便,便于排查问题。
    guanyujia5444
        38
    guanyujia5444  
    OP
       2020-10-13 13:35:25 +08:00
    谢谢大家的帮助,我这边已经肯定是 nginx 已经成功转发了,但后端拒绝了证书的访问,同样的反向代理 apache 就正常,这是奇怪的点。
    yongliu
        39
    yongliu  
       2020-10-13 14:49:01 +08:00
    @guanyujia5444 #34 后端没有日志打印吗?
    Acoffice
        40
    Acoffice  
       2020-10-14 10:54:55 +08:00
    也可能是 nginx 本身的问题,换个 nginx 版本试试.
    whorusq
        41
    whorusq  
       2020-10-14 17:30:59 +08:00
    @guanyujia5444 看来我的 nginx 版本该升级一波了
    whorusq
        42
    whorusq  
       2020-10-14 17:36:33 +08:00
    403 这个错误提示是权限问题应该没什么争议,我觉得还是从各方面的权限检查一遍,包括各级文件、文件夹、相关用户等
    之前遇到过子级目录看着权限一点问题没有,但是父级目录却没权限,导致同样提示 403 的问题,也折腾很长时间
    throns
        43
    throns  
       2020-11-04 18:06:16 +08:00
    我刚遇到了这个问题。我这边的情况是,nginx 服务反向代理 k8s (用了 nginx ingress ) 的服务,同样是 http 正常访问,https 的 get 请求也正常访问,但 https 的 post 请求失败,只报了 403,没有别的错误提示,我后来测了一下,用 postman 可以正常调用 post 请求,但浏览器调用失败,隐约觉得是跨域的问题,后来发现真的是,后端( gin ) AllowOrigins 只允许了 http,没有允许 https,后端加上之后就可以了,只是不知道为什么只报了 403,没有报跨域的提示。不知道是不是 gin-contrib/cors 的问题,还是整个链路比较长导致的问题。
    program9527
        44
    program9527  
       2021-09-16 23:25:11 +08:00
    给后面看到这个问题的人,如果你遇到同样的问题。请在 Nginx 的 http {} 或者 server{} 块中,添加如下配置:

    # 这一行如果不设置,对于某些 https 会出现报错
    proxy_ssl_server_name on;
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   4941 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 33ms · UTC 09:59 · PVG 17:59 · LAX 01:59 · JFK 04:59
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.