Pointing to nginx

Time: 2019-09-16 13:44:13

Tags: amazon-web-services nginx ssl-certificate amazon-cloudfront

Does anyone have any idea about CloudFront and error 502?

My setup is very simple. I just want to put an Nginx server running in an instance behind CloudFront.

The server is fine, the website works in a browser and gets an A from ssllabs.com, but when I access CloudFront via the xxxxxxxxx.cloudfront.net domain it returns a 502 error. The same happens when I point my domain to the CloudFront CNAME.

From what I have read, this has to do with the certificate, but I can't find any solution, and the lack of any details in the CF logs doesn't help either.

nginx -V

nginx version: nginx/1.14.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
Installed

yum list | grep -i nginx

nginx.x86_64                         1:1.14.1-2.34.amzn1           @amzn-updates

ldd $(which nginx) | grep ssl

libssl.so.10 => /lib64/libssl.so.10 (0x00007f057b5bc000)
Installed

yum list | grep -i openssl

openssl.x86_64                       1:1.0.2k-16.150.amzn1         @amzn-updates

Partial NGINX configuration:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Certificates
    ssl_certificate /etc/ssl/cert.crt;
    ssl_certificate_key /etc/ssl/key.key;

    # Ciphers
    # ssl_protocols TLSv1.2 TLSv1.3; # All protocols other than TLS 1.2 and TLS 1.3 are considered unsafe.

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/dhparam.pem;

    server_tokens off;

CloudFront gives the following error:

x-edge-location - DUB2-C1
cs-method - GET
cs-uri-stem - /
sc-status - 502
x-edge-result-type - Error
cs-protocol - https
ssl-protocol - TLSv1.2
ssl-cipher - ECDHE-RSA-AES128-GCM-SHA256
x-edge-response-result-type - Error
cs-protocol-version - HTTP/2.0

The ssl cipher is the one configured in NGINX.

The certificate chain is correct, checked with sslchecker and with openssl s_client.

Chain:

Common name: *.mydomain.com
Common name: COMODO RSA Domain Validation Secure Server CA
Common name: COMODO RSA Certification Authority

CloudFront is configured with:

Delivery Method - Web
SSL Certificate - mydomain.com
Custom SSL Client Support - Clients that Support Server Name Indication (SNI) - (Recommended)
Security Policy - TLSv1.2_2018
Supported HTTP Versions - HTTP/2, HTTP/1.1, HTTP/1.0
IPv6    Disabled
Default Root Object -
Minimum Origin SSL Protocol - TLSv1
Origin Protocol Policy - Match Viewer
Viewer Protocol Policy - Redirect HTTP to HTTPS

The same thing happens when I point another CloudFront distribution at my Discourse server, which gets an A+ on ssllabs but is deployed with docker, and I haven't changed any nginx configuration there.

nginx error.log

2019/09/16 15:34:33 [debug] 10863#0: *109 SSL_do_handshake: -1
2019/09/16 15:34:33 [debug] 10863#0: *109 SSL_get_error: 2
2019/09/16 15:34:33 [debug] 10863#0: *109 reusable connection: 0
2019/09/16 15:34:33 [debug] 10863#0: *109 SSL handshake handler: 0
2019/09/16 15:34:33 [debug] 10863#0: *109 SSL_do_handshake: 1
2019/09/16 15:34:33 [debug] 10863#0: *109 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"

When I run yum check-update, both nginx and ssl show up in the list.
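
Added here as a diagnostic, not part of the original question: a POSIX shell script that connects to the origin the way the CloudFront log above says the edge does (TLSv1.2, SNI set to the origin host name, chain verification against the local CA store, plus a hostname check) and summarises the negotiated protocol, cipher and verify code so they can be compared with the CloudFront log fields. `origin.example.com` is a placeholder; the `summarize` parser also works on saved s_client output, which is how it can be exercised without network access.

```shell
#!/bin/sh
# Hypothetical origin host (assumed value): pass your real origin as $1.
ORIGIN_HOST="${1:-origin.example.com}"

# Handshake with the parameters CloudFront used according to the log
# (TLSv1.2, SNI = origin host) and fail hard on any chain verification error.
probe_origin() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
        -verify_return_error < /dev/null 2>&1
}

# Check that the served certificate actually covers the origin host name,
# which CloudFront requires in addition to a valid chain.
check_hostname() {
    host="$1"
    probe_origin "$host" | openssl x509 -noout -checkhost "$host"
}

# Reduce s_client output (stdin) to the fields worth comparing with the
# CloudFront log: negotiated protocol, cipher and the numeric verify code.
summarize() {
    awk '
        /^ *Protocol *:/      { proto = $3 }
        /^ *Cipher *:/        { cipher = $3 }
        /subject=/            { subj = $0 }
        /Verify return code/  { split($0, a, ": "); code = a[2] + 0 }
        END {
            print "protocol=" proto
            print "cipher=" cipher
            print "verify_code=" code
            print "chain_ok=" (code == 0 ? "yes" : "no")
            print subj
        }
    '
}

# Only probe the network when an origin host was given explicitly.
if [ -n "${1:-}" ]; then
    probe_origin "$ORIGIN_HOST" | summarize
    check_hostname "$ORIGIN_HOST"
fi
```

A verify code other than 0 or a "does NOT match certificate" line from the hostname check is exactly what an edge would reject before any HTTP request reaches nginx, which matches the debug log showing a handshake that completes for some clients but no request lines.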

0 answers:

No answers