时间戳

首页 > 解决方案 > SSL_do_handshake() 在 cloudflare 后面使用 nginx-proxy 失败

nginx - SSL_do_handshake() 在 cloudflare 后面使用 nginx-proxy 失败

问题描述

我现在在这个问题上挣扎了 2-3 天。我的问题是:从一个反向代理到另一个反向代理执行 proxy_pass 时出现“SSL_do_handshake() failed”。

我有一个看起来像这样的设置:

gcp VM 1 containers :
- nginx reverse proxy 1
- acme companion for ssl
- frontend website (local nginx)

gcp VM 2 containers :
- nginx reverse proxy 2
- acme companion for ssl
- backend nodejs

DNS server is done by cloudflare :
- frontend.website.com : "gcp VM 1" IP adress
- backend.nodejs.com : "gcp VM 2" IP adress

为避免 CORS 错误,“frontend.website.com”向“frontend.website.com/api”发出请求。“nginx 反向代理 1”具有此配置以重定向到后端:

location /api {
  proxy_pass https://backend.nodejs.com/api;
}

我在“nginx 反向代理 1”日志中得到的错误:

nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [warn] 283#283: *11287 upstream server temporarily disabled while SSL handshaking to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://172.67.155.25:443/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"
nginx.1     | 2021/10/22 11:10:53 [error] 283#283: *11287 no live upstreams while connecting to upstream, client: 2a01:e0a:4d0:4960:dc2e:8d3a:ba04:10a2, server: frontend.website.com, request: "POST /api HTTP/2.0", upstream: "https://backend.nodejs.com/api", host: "frontend.website.com", referrer: "https://frontend.website.com/"

注意:错误日志 172.67.155.25:443 中的 IP 不是 gcp VM 1 或 2 IP,我假设它是 Cloudflare IP?

我已经尝试过的事情:

DNS points to prohibited IP
What happened?

You've requested a page on a website (frontend.website.com) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare's system.

What can I do?

If you are the owner of this website:
you should login to Cloudflare and change the DNS A records for frontend.website.com to resolve to a different IP address.

问题是 frontend.website.com 的 DNS A 记录很好(其他应用程序使用它没有问题)

我觉得应该与“backend.nodejs.com/api”进行ssl握手,但根据错误日志,它尝试改为对cloudflare IP地址进行握手(此处为172.67.155.25:443,但每次都不同)

我在这里错过了什么吗?可能是什么问题?

如果您需要任何其他信息,请随时提出要求。

标签: nginxsslcloudflarenginx-reverse-proxyjwilder-nginx-proxy

解决方案

推荐阅读