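I am having trouble debugging an nginx (v1.4) SSL client authentication setup in front of a rails (3.2) / unicorn application running on ubuntu (v14).
DNS and server setup are in AWS Route 53 and EC2. I have two subdomains: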
ca-uat.mydomain.com
uat.mydomain.com
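uat.mydomain.com is non-client-auth and works fine; I can access the rails app. If I set nginx to
ssl_verify_client optional
I can also access the rails app. When I switch to
ssl_verify_client on
I get
http proxy status 400 "400 Bad Request"
in the error debug log. It doesn't state clearly why this is happening. I am testing with wget and passing the certificate, which seems to be working...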
wget 'https://ca-uat.mydomain.com/client-auth/sso-req' --no-check-certificate --certificate=/etc/ssl/nginx/uat-client.crt --private-key=/etc/ssl/nginx/uat-client.key
In the debug log I can see the client certificate being passed, and nginx even marks the verification as successful through the headers
proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
proxy_set_header X-CLIENT-VERIFY $ssl_client_verify;
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-CLIENT-VERIFY: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "SUCCESS"
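Here is the log snippet for the 400 message; any ideas are welcome...
Note that I have googled and read that this might be b/c of large HTTP header size, but that doesn't seem to be the case here, since I added this config and it didn't help.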
large_client_header_buffers 8 64k;
Log:
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream dummy handler
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D728
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process header
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C85480:4096
2014/08/19 21:40:07 [debug] 16978#0: *75 recv: fd:15 28 of 4096
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy status 400 "400 Bad Request"
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header done
2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter header
2014/08/19 21:40:07 [debug] 16978#0: *75 HTTP/1.1 400 Bad Request
Nginx config:
upstream unicorn {
    server unix:/home/deploy/mydomain/shared/sockets/unicorn.sock fail_timeout=0;
}
server {
    listen 443 ssl;
    server_name ca-uat.mydomain.com;
    error_log /var/log/nginx/ca-error.log debug;
    access_log /var/log/nginx/ca-access.log ;
    ssl on;
    ssl_certificate /etc/ssl/mydomain/mydomain.com.combined.crt;
    ssl_certificate_key /etc/ssl/mydomain/mydomain.pem;
    ssl_client_certificate /etc/ssl/mydomain/nginx/uat-ca.crt;
    ssl_verify_client optional;
    ssl_session_timeout 10m;
    location / {
        proxy_set_header X-SSL-CLIENT-CERT $ssl_client_cert;
        proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
        proxy_set_header X-CLIENT-VERIFY $ssl_client_verify;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
    }
    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    large_client_header_buffers 8 64k;
    keepalive_timeout 10;
}
Full log:
2014/08/19 21:40:07 [debug] 16978#0: post event 0000000000C5D450
2014/08/19 21:40:07 [debug] 16978#0: delete posted event 0000000000C5D450
2014/08/19 21:40:07 [debug] 16978#0: accept on 0.0.0.0:443, ready: 0
2014/08/19 21:40:07 [debug] 16978#0: posix_memalign: 0000000000BF26E0:256 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 accept: 50.17.222.42 fd:14
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 14: 60000:1408484467625
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add event: fd:14 op:1 ev:80000001
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 http check ssl handshake
2014/08/19 21:40:07 [debug] 16978#0: *75 http recv(): 1
2014/08/19 21:40:07 [debug] 16978#0: *75 https ssl handshake: 0x16
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000BFBA10:256 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL server name: "ca-uat.caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_do_handshake: -1
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL handshake handler: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 verify:1, error:0, depth:1, subject:"/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com",issuer: "/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 verify:1, error:0, depth:0, subject:"/C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com",issuer: "/C=US/ST=NY/L=NYC/O=CareDox/OU=CareDoxUAT/CN=CareDoxUAT/emailAddress=ben@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_do_handshake: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 http wait request handler
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: -1
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95150
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 http wait request handler
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: 201
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: -1
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 2
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C91B20:4096 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 http process request line
2014/08/19 21:40:07 [debug] 16978#0: *75 http request line: "GET /client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com HTTP/1.1"
2014/08/19 21:40:07 [debug] 16978#0: *75 http uri: "/client-auth/sso-req"
2014/08/19 21:40:07 [debug] 16978#0: *75 http args: "userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http exten: ""
2014/08/19 21:40:07 [debug] 16978#0: *75 http process request header line
2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "User-Agent: Wget/1.15 (linux-gnu)"
2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Accept: */*"
2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Host: ca-uat.caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http header: "Connection: Keep-Alive"
2014/08/19 21:40:07 [debug] 16978#0: *75 http header done
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer del: 14: 1408484467625
2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 rewrite phase: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 test location: "/client-auth/"
2014/08/19 21:40:07 [debug] 16978#0: *75 using configuration "/client-auth/"
2014/08/19 21:40:07 [debug] 16978#0: *75 http cl:-1 max:4294967296
2014/08/19 21:40:07 [debug] 16978#0: *75 rewrite phase: 3
2014/08/19 21:40:07 [debug] 16978#0: *75 post rewrite phase: 4
2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 5
2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 6
2014/08/19 21:40:07 [debug] 16978#0: *75 generic phase: 7
2014/08/19 21:40:07 [debug] 16978#0: *75 access phase: 8
2014/08/19 21:40:07 [debug] 16978#0: *75 access phase: 9
2014/08/19 21:40:07 [debug] 16978#0: *75 post access phase: 10
2014/08/19 21:40:07 [debug] 16978#0: *75 try files phase: 11
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C92B30:4096 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 http init upstream, client timer: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add event: fd:14 op:3 ev:80000005
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C84470:4096 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Real-IP: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Forwarded-For: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Forwarded-Proto: https
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-Real-IP: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "50.17.222.42"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-FORWARDED_PROTO: https
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-SSL-CLIENT-CERT: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "-----BEGIN CERTIFICATE-----
MIIDijCCAnICAQEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlVTMQswCQYD
....
qhO0gNOKxEpF/vKAO3JQu7mRU6M3eWP8nsZG3H8vIXqKdWNjiXsZQQcpKbK8Og==
-----END CERTIFICATE-----"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-SSL-ClIENT-S-DN: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "/C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "X-CLIENT-VERIFY: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "SUCCESS"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "Host: "
2014/08/19 21:40:07 [debug] 16978#0: *75 http script var: "ca-uat.caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: "Connection: close
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: ""
2014/08/19 21:40:07 [debug] 16978#0: *75 http script copy: ""
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header: "User-Agent: Wget/1.15 (linux-gnu)"
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header: "Accept: */*"
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header:
"GET /client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com HTTP/1.0
X-Real-IP: 50.17.222.42
X-Forwarded-For: 50.17.222.42
X-Forwarded-Proto: https
X-Real-IP: 50.17.222.42
X-FORWARDED_PROTO: https
X-SSL-CLIENT-CERT: -----BEGIN CERTIFICATE-----
MIIDijCCAnICAQEwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAlVTMQswCQYD
....
qhO0gNOKxEpF/vKAO3JQu7mRU6M3eWP8nsZG3H8vIXqKdWNjiXsZQQcpKbK8Og==
-----END CERTIFICATE-----
X-SSL-ClIENT-S-DN: /C=NY/ST=NY/L=NYC/O=CareDox/OU=CareDoxClientUAT/CN=CareDoxClientUAT/emailAddress=ben@caredox.com
X-CLIENT-VERIFY: SUCCESS
Host: ca-uat.caredox.com
Connection: close
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*
"
2014/08/19 21:40:07 [debug] 16978#0: *75 http cleanup add: 0000000000C84C60
2014/08/19 21:40:07 [debug] 16978#0: *75 get rr peer, try: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 socket 15
2014/08/19 21:40:07 [debug] 16978#0: *75 epoll add connection: fd:15 ev:80000005
2014/08/19 21:40:07 [debug] 16978#0: *75 connect to unix:/home/deploy/caredox/shared/sockets/unicorn.sock, fd:15 #76
2014/08/19 21:40:07 [debug] 16978#0: *75 connected
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream connect: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C010B0:128 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream send request
2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer buf fl:1 s:1801
2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer in: 0000000000C93B20
2014/08/19 21:40:07 [debug] 16978#0: *75 writev: 1801
2014/08/19 21:40:07 [debug] 16978#0: *75 chain writer out: 0000000000000000
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 15: 60000:1408484467633
2014/08/19 21:40:07 [debug] 16978#0: *75 http finalize request: -4, "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" a:1, c:2
2014/08/19 21:40:07 [debug] 16978#0: *75 http request count:2 blk:0
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70D98
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D728
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70F38
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70F38
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream dummy handler
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D728
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream request: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process header
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C85480:4096
2014/08/19 21:40:07 [debug] 16978#0: *75 recv: fd:15 28 of 4096
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy status 400 "400 Bad Request"
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy header done
2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter header
2014/08/19 21:40:07 [debug] 16978#0: *75 HTTP/1.1 400 Bad Request
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 19 Aug 2014 21:40:07 GMT
Transfer-Encoding: chunked
Connection: keep-alive
2014/08/19 21:40:07 [debug] 16978#0: *75 write new buf t:1 f:0 0000000000C84E98, pos 0000000000C84E98, size: 147 file: 0, size: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter: l:0 f:0 s:147
2014/08/19 21:40:07 [debug] 16978#0: *75 http cacheable: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 http proxy filter init s:400 h:0 c:0 l:-1
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream process upstream
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe read upstream: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe preread: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 readv: 1:4068
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe recv chain: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe buf free s:0 t:1 f:0 0000000000C85480, pos 0000000000C8549C, size: 0 file: 0, size: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe length: -1
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe write downstream: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 pipe write downstream done
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer: 15, old: 1408484467633, new: 1408484467634
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream exit: 0000000000000000
2014/08/19 21:40:07 [debug] 16978#0: *75 finalize http upstream request: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 finalize http proxy request
2014/08/19 21:40:07 [debug] 16978#0: *75 free rr peer 1 0
2014/08/19 21:40:07 [debug] 16978#0: *75 close http upstream connection: 15
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C010B0, unused: 48
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer del: 15: 1408484467633
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 http upstream temp fd: -1
2014/08/19 21:40:07 [debug] 16978#0: *75 http output filter "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http copy filter: "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 image filter
2014/08/19 21:40:07 [debug] 16978#0: *75 xslt filter body
2014/08/19 21:40:07 [debug] 16978#0: *75 http postpone filter "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" 00007FFF2CDD4C10
2014/08/19 21:40:07 [debug] 16978#0: *75 http chunk: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 write old buf t:1 f:0 0000000000C84E98, pos 0000000000C84E98, size: 147 file: 0, size: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 write new buf t:0 f:0 0000000000000000, pos 00000000004A165A, size: 5 file: 0, size: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter: l:1 f:0 s:152
2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter limit 0
2014/08/19 21:40:07 [debug] 16978#0: *75 posix_memalign: 0000000000C95560:256 @16
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C972F0:16384
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL buf copy: 147
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL buf copy: 5
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL to write: 152
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_write: 152
2014/08/19 21:40:07 [debug] 16978#0: *75 http write filter 0000000000000000
2014/08/19 21:40:07 [debug] 16978#0: *75 http copy filter: 0 "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com"
2014/08/19 21:40:07 [debug] 16978#0: *75 http finalize request: 0, "/client-auth/sso-req?userId=1234&parentLastName=Maisano&email=ben%2Bparent@caredox.com" a:1, c:1
2014/08/19 21:40:07 [debug] 16978#0: *75 set http keepalive handler
2014/08/19 21:40:07 [debug] 16978#0: *75 http close request
2014/08/19 21:40:07 [debug] 16978#0: *75 http log handler
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C85480
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C91B20, unused: 8
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C92B30, unused: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C84470, unused: 550
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95150
2014/08/19 21:40:07 [debug] 16978#0: *75 hc free: 0000000000000000 0
2014/08/19 21:40:07 [debug] 16978#0: *75 hc busy: 0000000000000000 0
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C972F0
2014/08/19 21:40:07 [debug] 16978#0: *75 tcp_nodelay
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer add: 14: 10000:1408484417634
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70D98
2014/08/19 21:40:07 [debug] 16978#0: *75 http empty handler
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 post event 0000000000C70D98
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C70D98
2014/08/19 21:40:07 [debug] 16978#0: *75 http empty handler
2014/08/19 21:40:07 [debug] 16978#0: *75 delete posted event 0000000000C5D588
2014/08/19 21:40:07 [debug] 16978#0: *75 http keepalive handler
2014/08/19 21:40:07 [debug] 16978#0: *75 malloc: 0000000000C95150:1024
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_read: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_get_error: 5
2014/08/19 21:40:07 [debug] 16978#0: *75 peer shutdown SSL cleanly
2014/08/19 21:40:07 [info] 16978#0: *75 client 50.17.222.42 closed keepalive connection
2014/08/19 21:40:07 [debug] 16978#0: *75 close http connection: 14
2014/08/19 21:40:07 [debug] 16978#0: *75 SSL_shutdown: 1
2014/08/19 21:40:07 [debug] 16978#0: *75 event timer del: 14: 1408484417634
2014/08/19 21:40:07 [debug] 16978#0: *75 reusable connection: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95150
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000000000
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000BF26E0, unused: 0
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000BFBA10, unused: 16
2014/08/19 21:40:07 [debug] 16978#0: *75 free: 0000000000C95560, unused: 144
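Answer 0 (score: 4)
I was able to solve my own problem and wanted to post this in the hope that it helps someone else. This was a nasty one b/c it was a compound problem, with what appear to be two separate issues.
Passing the full certificate upstream to rails seems to cause the 400 response. This is something about large HTTP headers, but I couldn't seem to get around it by increasing them. Not sure whether the rails app / unicorn needs tuning. I ended up not needing the header at the application level. So I commented this out in the nginx config
This env is hosted on AWS EC2 behind an Elastic Load Balancer (ELB). This was the other issue, because it is not a TCP ELB but a regular HTTP-level ELB, which terminates SSL at the ELB and thereby prevents valid two-way SSL (client authentication). I ended up configuring a separate EC2 instance solely to support issuing client-auth tokens. Eventually I will put a TCP-level ELB in front of this second instance, but if that is this server's only job, it won't have to scale massively.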
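
Once X-SSL-CLIENT-CERT is no longer forwarded, the Rails app has only X-CLIENT-VERIFY and X-SSL-ClIENT-S-DN to go on, and the posted config uses `ssl_verify_client optional`. The following is an added example, not part of the original answer or the poster's application: a Rack-style check for those two headers. The class name `ClientCertGate`, the CN allowlist, the protected path prefix and the sample DN are assumptions.

```ruby
# Added example (not from the original post). Header names come from the
# proxy_set_header lines in the question; everything else is an assumption.
class ClientCertGate
  VERIFY_KEY = "HTTP_X_CLIENT_VERIFY"    # Rack name for X-CLIENT-VERIFY
  DN_KEY     = "HTTP_X_SSL_CLIENT_S_DN"  # Rack name for X-SSL-ClIENT-S-DN

  # allowed_cns and protected_prefix are hypothetical settings.
  def initialize(app, allowed_cns:, protected_prefix: "/client-auth/")
    @app = app
    @allowed_cns = allowed_cns
    @protected_prefix = protected_prefix
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(@protected_prefix)

    # With "ssl_verify_client optional", nginx still proxies requests that
    # carry no certificate ($ssl_client_verify is NONE) or a bad one (FAILED),
    # so the application has to refuse anything other than SUCCESS.
    return deny("client certificate not verified") unless env[VERIFY_KEY] == "SUCCESS"

    cn = self.class.parse_dn(env[DN_KEY])["CN"]
    return deny("client certificate subject not allowed") unless @allowed_cns.include?(cn)

    env["client_cert.cn"] = cn # hypothetical key for downstream controllers
    @app.call(env)
  end

  # Parses the slash-separated subject form seen in the question's log.
  # A value that itself contains "/" is not handled by this simple split.
  def self.parse_dn(dn)
    dn.to_s.split("/").reject(&:empty?).each_with_object({}) do |part, attrs|
      key, value = part.split("=", 2)
      attrs[key] ||= value if value
    end
  end

  private

  def deny(reason)
    [403, { "Content-Type" => "text/plain" }, ["#{reason}\n"]]
  end
end

# Constructed sample input, shaped like the subject DN in the question's log.
SAMPLE_DN = "/C=US/ST=NY/L=NYC/O=Example/OU=ExampleClientUAT/CN=ExampleClientUAT/emailAddress=ops@example.com"

# Returns the HTTP status the gate produces for one constructed request.
def gate_status(verify, dn, path = "/client-auth/sso-req")
  app  = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  gate = ClientCertGate.new(app, allowed_cns: ["ExampleClientUAT"])
  env  = { "PATH_INFO" => path }
  env[ClientCertGate::VERIFY_KEY] = verify if verify
  env[ClientCertGate::DN_KEY] = dn if dn
  gate.call(env).first
end
```

The check is only meaningful when nginx is the sole client of the unicorn socket, since anything else that can reach the socket can set these headers itself.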