我尝试使用Cloudflare在docker容器上部署我的nginx。
搬运工-compose.yml
version: "3.5"
services:
nginx:
image: xxx/panel-nginx:VERSION
volumes:
- type: volume
source: panel_nginx_certs
target: /etc/nginx/certs
ports:
- target: 443
published: 443
protocol: tcp
mode: host
networks:
- panel_nginx
stop_grace_period: 1m
deploy:
replicas: 1
update_config:
parallelism: 1
delay: 180s
restart_policy:
condition: on-failure
networks:
panel_nginx:
external: true
volumes:
panel_nginx_certs:
external: true
nginx.conf
upstream panel-uwsgi {
server panel_app:8000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name panel.xxx.com;
ssl_certificate /etc/nginx/certs/panel.pem;
ssl_certificate_key /etc/nginx/certs/panel.key;
location / {
include uwsgi_params;
uwsgi_pass panel-uwsgi;
}
# location /media/ {
# root /usr/share/nginx/html;
# try_files $uri $uri/;
# access_log off;
# expires 30d;
# }
location /static/ {
access_log off;
expires 30d;
}
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
# error_page 404 /404.html;
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
}
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:12m;
ssl_session_tickets off;
ssl_stapling on;
ssl_trusted_certificate /etc/nginx/certs/cloudflare_origin_ecc.pem;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_names_hash_bucket_size 64;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
server_tokens off;
charset utf-8;
add_header X-Robots-Tag none;
add_header Warning 'This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded.';
使用此配置进行部署导致525错误:SSL握手失败。 我有专门的IP和NSI。我正在使用chacha-poly密码。我正在发布443端口。
我想知道为什么会收到此错误?
由于
免责声明:Stackoverflow,请删除有关代码太多且文字不够的警告。感谢
答案 0 :(得分:1)
在我的情况下,用LibreSSL替换OpenSSL解决了这个问题。
答案 1 :(得分:0)
如果记录是灰色阴影(未通过Cloudflare代理),您是否可以使用SSL连接到服务器?它可能是配置中的原始服务器上的问题,但至少暂时消除Cloudflare会使故障排除更容易。
您还可以尝试curl -Ikv --resolve panel.backupner.com:443:your.ip.address https :: //panel.backupner.com以获取可能有助于排除故障的其他详细信息。
实际上只是检查了...看起来你的网站现在正在运行,如果你找出了根本原因,发布问题是有帮助的。 :)