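I am using an Nginx server with mutual TLS authentication. With curl, everything works fine (I get the desired response).
When load testing with ab, I get something strange. I use the following command:
ab -n 100000 -c 5000 -t 10000 -v 2 -E ../../containers/ngx-rosal/certs/client/rsa/clientB-key-crt.pem https://meteotravel.ru/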
LOG: header received:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Jan 2019 19:50:12 GMT
Content-Type: text/html
Content-Length: 872
Last-Modified: Wed, 16 Jan 2019 19:29:51 GMT
Connection: keep-alive
ETag: "5c3f862f-368"
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h5>
ohrwoqhro[whr[ohwqrohwro[ihwq[rhwqohrwrohwq
werhowiehroqihro[wqhr[0ohwqohrwoqhro[whr[ohwqrohwro[ihwq[rhwqohrwrohwq
</h5>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Peer certificate
Certificate version: 1
Valid from: Dec 19 14:57:14 2018 GMT
Valid to : Dec 19 14:57:14 2019 GMT
Public key is 2048 bits
The issuer name is /C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=abc.com/emailAddress=admin@abc.com
The subject name is /C=RU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=meteotravel.ru/emailAddress=mail@devprofi.ru
Extension Count: 0
Transport Protocol :TLSv1.2
Cipher Suite Protocol :TLSv1.2
Cipher Suite Name :ECDHE-RSA-AES256-GCM-SHA384
Cipher Suite Cipher Bits:256 (256)
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FE75A19E671FD2873DD2BB2580716A3A5B3EDAC2959C3C6AE96E7BB0DD48CA03
Session-ID-ctx:
Master-Key: 189FDF9E7E77DF276D0645EBAB49EC70322EB4A7D63D4D5E9CBBC6B33A82AA8EF6C84EF7922489EF1AA3C25361B95950
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1548089386
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
LOG: header received:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Jan 2019 19:47:24 GMT
Content-Type: text/html
Content-Length: 872
Last-Modified: Wed, 16 Jan 2019 19:29:51 GMT
Connection: keep-alive
ETag: "5c3f862f-368"
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h1>YAHOOOOOO</h1>
<h5>
ohrwoqhro[whr[ohwqrohwro[ihwq[rhwqohrwrohwq
werhowiehroqihro[wqhr[0ohwqohrwoqhro[whr[ohwqrohwro[ihwq[rhwqohrwrohwq
</h5>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
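With the -v 1 option, I get many "SSL read failed (5) - closing connection" error messages. With the -k option (keepalive) it works better: the number of failed requests is lower.
In the nginx log (debug mode), I got
2019/01/21 20:04:32 [info] 16#16: *216512 client timed out (110: Connection timed out) while SSL handshaking, client: 10.244.5.0, server: 0.0.0.0:443
2019/01/21 20:04:32 [info] 25#25: *216516 client timed out (110: Connection timed out) while SSL handshaking, client: 10.244.5.0, server: 0.0.0.0:443
OpenSSL version on the client: OpenSSL 1.1.0h 27 Mar 2018
OpenSSL version on the server: OpenSSL 1.1.0h 27 Mar 2018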
nginx -V
nginx version: nginx/1.13.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
built with OpenSSL 1.1.0h 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-ld-opt=-Wl,-rpath,/usr/local/lib --add-module=/usr/app/ngx_devel_kit-0.3.0 --add-module=/usr/app/lua-nginx-module-0.10.13 --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=root --group=www-data --user=www-data --group=www-data --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
How can I solve this problem?
I switched the nginx error log to debug and got this log:
[debug] 26#26: *27497 http check ssl handshake
[debug] 26#26: *27497 http recv(): 1
[debug] 26#26: *27497 https ssl handshake: 0x16
[debug] 26#26: *27497 tcp_nodelay
[debug] 26#26: *27497 SSL server name: "meteotravel.ru"
[debug] 26#26: *27497 SSL_do_handshake: -1
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL_get_error: 2
2019/01/21 23:50:01 [debug] 26#26: *27497 reusable connection: 0
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL handshake handler: 0
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL_do_handshake: -1
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL_get_error: 5