Nginx
Nginx closing connections
I have many lines like these in the error log:
[info] 7521#7521: *1061 peer closed connection in SSL handshake while SSL handshaking, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7521#7521: *1063 client closed connection while waiting for request, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7522#7522: *1369 client prematurely closed connection while sending response to client
[info] SSL_write() failed (104: Connection reset by peer) while sending response to client
As you can see, these are "[info]" entries, so I don't know whether this is really a problem, but since yesterday my web server has been returning errors. I don't know exactly which errors: Cloudflare says "Web server is returning an unknown error", and sometimes it returns "SSL handshake failed". These errors started yesterday, but the site drops out regularly (every ~7-10 days). I thought it was a network problem at the host, but they say the network is fine... so I'm a bit lost here.
I searched Google for these errors, but everyone who hits them is using nginx as a reverse proxy, and I am not.
Does anyone know how I can fix this? Any help is welcome.
Here is my nginx.conf:
load_module modules/ngx_http_modsecurity_module.so;
user nginx;
worker_processes auto;
#worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1000;
    use epoll;
    multi_accept on;
}

http {
    limit_req_zone $http_x_forwarded_for zone=limit_req:10m rate=80r/s;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    client_header_timeout 60s;
    client_body_timeout 60s;
    client_max_body_size 2m;
    client_header_buffer_size 4k;
    client_body_buffer_size 1600k;
    large_client_header_buffers 2 2k;
    send_timeout 60s;
    keepalive_timeout 15 15;
    reset_timedout_connection on;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    ignore_invalid_headers on;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    include mime.types;
    default_type application/octet-stream;

    # Compression gzip
    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
    gzip_min_length 256;
    gzip_comp_level 6;
    gzip_buffers 32 16k;
    gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;
    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_file_cache max=5000 inactive=30s;
    open_log_file_cache max=1024 inactive=30s min_uses=2;

    # Php cache
    fastcgi_cache_path /var/cache/fastcgi levels=1:2 keys_zone=phpcache:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;

    # SSL Settings
    ssl_certificate /etc/nginx/ssl/cf_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cf_key.pem;
    ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_buffer_size 4k;

    # Logs
    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    #access_log /var/log/nginx/access.log main;
    access_log off;

    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    # Include additional configuration
    include /etc/nginx/cloudflare.inc;
    etag off;
    server_tokens off;

    # Headers
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options deny always;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen 443 ssl http2;
        server_name domain.com;
        root /home/user/domain/public;
        index index.php index.html;
        access_log /var/log/domain/domain.com.bytes bytes;
        access_log /var/log/domain/domain.com.log combined buffer=64k flush=3m;
        error_log /var/log/domain/domain.com.error.log info;
        underscores_in_headers on;
        include /etc/nginx/alias.conf;

        location / {
            include /etc/nginx/url_rewrite.conf;

            location ~ [^/]\.php(/|$) {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
                fastcgi_buffering off;
                fastcgi_cache phpcache;
                fastcgi_cache_valid 200 60m;
                fastcgi_cache_methods GET;
                limit_req zone=limit_req burst=2;
                limit_req_status 429;
            }
        }

        location ~ /\. {
            access_log off;
            deny all;
            return 404;
        }

        disable_symlinks if_not_owner from=/home/user/domain/public;
    }
}
I doubt these are connection problems, because the client closed the connection cleanly. More likely a port scanner is checking what is hiding behind port 443 (it may be in for a surprise :-)). You can get a similar effect with:

telnet example.com https < /dev/null

openssl s_client -connect example.com:https < /dev/null

openssl s_client -connect example.com:https <<EOF
GET / HTTP/1.1
Host: example.com

EOF
Edit: if you are not running on port 443, the port scanner's behaviour is easier to understand:
- It connects to the port and waits for a server banner (the kind sent by other types of servers such as SMTP, IMAP and SSH). After a timeout it disconnects.
- It connects to the port, performs a TLS handshake and waits for a server banner (as sent by the TLS versions of the previous protocols). After a timeout it disconnects.
- It tries to send an HTTP request. Since it is not interested in the page, it disconnects and infers that you are running an HTTP server.
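A small triage script for error-log lines in the shape the question quotes, added here as an illustration and not part of the answer or of nginx itself. It applies the answer's reasoning: a close during the TLS handshake or before any request is sent is consistent with a probe and costs no user anything, while a reset while a response is being sent means a client that actually asked for a page did not get it. The sample lines are constructed (the first two are the question's, the rest are invented to cover the mid-response and unrelated-error cases), and the regex assumes nginx's usual "[level] pid#tid: *conn message, client: IP, server: NAME" layout with an optional timestamp.

```python
import re
from collections import Counter

# Constructed sample in the shape of the question's error log; the question's
# lines carry no timestamp, real error.log lines do, so both forms are accepted.
SAMPLE_LOG = """\
[info] 7521#7521: *1061 peer closed connection in SSL handshake while SSL handshaking, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7521#7521: *1063 client closed connection while waiting for request, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7522#7522: *1369 client prematurely closed connection while sending response to client, client: 203.0.113.7, server: 0.0.0.0:443
2024/01/01 10:00:00 [info] 7522#7522: *1370 SSL_write() failed (104: Connection reset by peer) while sending response to client, client: 203.0.113.7, server: 0.0.0.0:443
[error] 7523#7523: *1371 open() "/home/user/domain/public/missing" failed (2: No such file or directory), client: 203.0.113.9, server: domain.com
"""

LINE_RE = re.compile(
    r"^(?:\d{4}/\d\d/\d\d \d\d:\d\d:\d\d )?"  # optional timestamp
    r"\[(?P<level>\w+)\] "
    r"(?:\d+#\d+: )?(?:\*\d+ )?"              # worker pid#tid, connection id
    r"(?P<msg>.+?)"
    r"(?:, client: (?P<client>[0-9a-fA-F.:]+))?(?:, server: \S+)?$"
)

# Where in the connection's life the close happened: before any request was
# sent (handshake or idle) a real user lost nothing; mid-response they did.
PHASES = (
    ("handshake_abort", "SSL handshak"),
    ("idle_close", "waiting for request"),
    ("mid_response_abort", "sending response"),
)
PRE_REQUEST = {"handshake_abort", "idle_close"}

def classify(msg):
    return next((p for p, needle in PHASES if needle in msg), "other")

def summarize(text):
    """Return (events per phase, per-client Counter of phases)."""
    by_phase, by_client = Counter(), {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        phase = classify(m.group("msg"))
        by_phase[phase] += 1
        if m.group("client"):
            by_client.setdefault(m.group("client"), Counter())[phase] += 1
    return by_phase, by_client

def probe_like_clients(by_client):
    """Clients whose every close happened before an HTTP request arrived."""
    return sorted(c for c, ph in by_client.items() if set(ph) <= PRE_REQUEST)
```

Run `summarize` over the real error.log instead of `SAMPLE_LOG`: a growing `mid_response_abort` count is worth chasing, whereas clients that only ever appear in `probe_like_clients` match the scanner explanation above.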