
Nginx 關閉連接

  • February 1, 2020

我在錯誤日誌中有很多這樣的行:

[info] 7521#7521: *1061 peer closed connection in SSL handshake while SSL handshaking, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7521#7521: *1063 client closed connection while waiting for request, client: 198.41.231.201, server: 0.0.0.0:443
[info] 7522#7522: *1369 client prematurely closed connection while sending response to client
[info] SSL_write() failed (104: Connection reset by peer) while sending response to client

如您所見,這是一個“[info]”,所以我不知道這是否真的有問題。但是從昨天開始,我的 Web 伺服器返回錯誤,我不知道具體是哪些錯誤:cloudflare 說“Web 伺服器返回未知錯誤”,有時則是“SSL 握手失敗”。這些錯誤昨天開始出現,但這種情況經常發生(大約每 7-10 天一次);我認為這是主機的網路問題,但他們說網路很好……所以我有點迷失在這裡。

我在 google 中搜尋了這些錯誤,但遇到此錯誤的每個人都在使用 nginx 作為反向代理,而我不是。

有人知道我該如何解決嗎?歡迎任何幫助。

這是我的 nginx.conf:

# ModSecurity is loaded as a dynamic module here and switched on in http{} below.
load_module modules/ngx_http_modsecurity_module.so;

user nginx;

worker_processes auto;
#worker_rlimit_nofile    65535;
# Global error log at debug level (very verbose); the server{} below sets its own error_log at info.
error_log               /var/log/nginx/error.log debug;
pid                     /var/run/nginx.pid;

events {
   worker_connections  1000;
   use                 epoll;
   multi_accept        on;

}

http {
   # Rate-limit zone keyed on the X-Forwarded-For request header; applied in the PHP location below.
   # nginx does not account requests whose key is empty, so a client that sends no
   # X-Forwarded-For is never limited, and the value is supplied by whoever connects to
   # this port -- it is only a trustworthy key if nothing but a trusted proxy can reach 443
   # (the ssl_verify_client setting below is what narrows that here).
   limit_req_zone $http_x_forwarded_for zone=limit_req:10m rate=80r/s;

   sendfile on;
   tcp_nopush on;
   tcp_nodelay on;

   # ModSecurity enabled for every server in this http{} with the rule set from main.conf.
   modsecurity on;
   modsecurity_rules_file /etc/nginx/modsec/main.conf;

   client_header_timeout 60s;
   client_body_timeout 60s;
   client_max_body_size 2m;
   client_header_buffer_size 4k;
   # Body buffer is almost the whole 2m limit, so request bodies rarely spill to a temp file.
   client_body_buffer_size 1600k;
   # Only 2 x 2k for oversized request lines/headers; clients with large cookies
   # or long URLs are rejected before the request is processed.
   large_client_header_buffers 2 2k;

   send_timeout 60s;
   keepalive_timeout 15 15;
   # Timed-out connections are closed with a TCP RST instead of a normal close.
   reset_timedout_connection       on;
   server_names_hash_max_size 1024;
   server_names_hash_bucket_size 1024;
   ignore_invalid_headers on;
   connection_pool_size 256;
   request_pool_size 4k;
   output_buffers 4 32k;
   postpone_output 1460;

   include mime.types;
   default_type application/octet-stream;

   # Compression gzip
   gzip on;
   gzip_vary on;
   gzip_disable "MSIE [1-6]\.";
   gzip_proxied any;
   gzip_min_length 256;
   gzip_comp_level 6;
   gzip_buffers 32 16k;
   gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

   open_file_cache_valid 120s;
   open_file_cache_min_uses 2;
   open_file_cache_errors off;
   open_file_cache max=5000 inactive=30s;
   open_log_file_cache max=1024 inactive=30s min_uses=2;

   # Php cache
   # Cache for PHP-FPM responses. The key has no per-user component (no cookie), so a
   # personalised response that reaches the cache is served to every client with the same
   # URL. Responses that set a cookie are skipped by default, but requests carrying an
   # existing session cookie are served from cache unless bypassed -- and the $no_cache map
   # defined further down is not applied by any fastcgi_cache_bypass / fastcgi_no_cache
   # directive in this file. Confirm an included file does, otherwise logged-in pages are cacheable.
   fastcgi_cache_path /var/cache/fastcgi levels=1:2 keys_zone=phpcache:100m inactive=60m;
   fastcgi_cache_key "$scheme$request_method$host$request_uri";
   # Upstream Expires/Cache-Control are ignored, so only fastcgi_cache_valid decides the lifetime.
   fastcgi_ignore_headers X-Accel-Expires Expires Cache-Control;

   # SSL Settings
   # Origin certificate/key. Every client must present a certificate chaining to
   # origin-pull-ca.pem (the file names suggest Cloudflare Authenticated Origin Pulls --
   # confirm), so connections that bypass the CDN fail at the client-certificate check.
   ssl_certificate         /etc/nginx/ssl/cf_cert.pem;
   ssl_certificate_key     /etc/nginx/ssl/cf_key.pem;
   ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
   ssl_verify_client on;
   ssl_verify_depth 5;

   ssl_session_cache   shared:SSL:10m;
   ssl_session_timeout 1h;
   # TLS 1.1 is deprecated (RFC 8996); TLSv1.2 should be the floor, and TLSv1.3 can be
   # added when the OpenSSL build supports it.
   ssl_protocols       TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
   # Session tickets encrypted with a key read from a static file: the key must be rotated
   # (and kept in sync across servers) or forward secrecy is limited to the key's lifetime.
   ssl_session_tickets on;
   ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
   ssl_ecdh_curve secp384r1;
   ssl_buffer_size 4k;

   # Logs
   log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                       '"$status" $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
   log_format  bytes   '$body_bytes_sent';
   #access_log          /var/log/nginx/access.log main;
   # Access logging is off at this level; the server{} below re-enables it per vhost.
   access_log off;

   # Cache bypass
   # $no_cache is 1 when the Cookie header contains SESS or wordpress_logged_in.
   # Only defined here -- no directive in this file reads it.
   map $http_cookie $no_cache {
       default 0;
       ~SESS 1;
       ~wordpress_logged_in 1;
   }

   # Include additional configuration
   # Contents not shown; presumably the set_real_ip_from / real_ip_header settings -- confirm.
   include /etc/nginx/cloudflare.inc;

   etag off;
   server_tokens off;

   # Headers
   # Inherited by server/location blocks only if they define no add_header of their own.
   # X-XSS-Protection is a legacy header; current browsers no longer implement the filter.
   add_header X-XSS-Protection "1; mode=block" always;
   add_header X-Frame-Options deny always;

   # Standard Upgrade/Connection map; nothing in this file references $connection_upgrade.
   map $http_upgrade $connection_upgrade {
       default upgrade;
       '' close;
   }

   server {
       # TLS-only listener; there is no port-80 server in this file.
       listen 443 ssl http2; 
       server_name domain.com;

       root /home/user/domain/public;
       index index.php index.html;

       # Per-vhost logs override the http-level access_log off and debug error_log.
       access_log /var/log/domain/domain.com.bytes bytes;
       access_log /var/log/domain/domain.com.log combined buffer=64k flush=3m;
       error_log /var/log/domain/domain.com.error.log info;

       # Header names containing underscores are accepted instead of being dropped as invalid.
       underscores_in_headers on;

       include /etc/nginx/alias.conf;

       location / {
           include /etc/nginx/url_rewrite.conf;  

           # PHP scripts, also matching /script.php/path-info style URIs.
           location ~ [^/]\.php(/|$) {
               # Hands the request to PHP-FPM only if $uri exists on disk; with a
               # path-info suffix $uri does not exist, so such URIs get 404 here.
               try_files $uri =404;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               fastcgi_pass    unix:/var/run/php-fpm.sock;
               fastcgi_index   index.php;
               include         /etc/nginx/fastcgi_params;
               # Streams FPM output unbuffered; nginx stores cache entries through its
               # buffered path, so verify responses are actually being cached with this off.
               fastcgi_buffering off;
               fastcgi_cache phpcache;
               # Every 200 is cached for 60 minutes regardless of cookies (see the $no_cache note).
               fastcgi_cache_valid 200 60m;
               fastcgi_cache_methods GET;
               # Up to 2 excess requests over 80r/s per X-Forwarded-For value are queued
               # (no nodelay); beyond that the client gets 429.
               limit_req zone=limit_req burst=2;
               limit_req_status 429;
           }
       }

       # `return` runs in the rewrite phase, before the access phase evaluates `deny all`,
       # so dot-files answer 404 rather than 403 -- the deny is never reached.
       location ~ /\. {access_log off; deny all; return 404;}
       # Refuse symlinks whose owner differs from the target's, checked from the document root down.
       disable_symlinks if_not_owner from=/home/user/domain/public;
   }
}

我不認為這些是連接問題,因為客戶端是以乾淨的方式關閉連接的。更有可能是埠掃描器在檢查 443 埠後面隱藏了什麼(他可能會感到驚訝 :-))。

您可以通過以下方式獲得類似的效果:

# TCP connect only: stdin is empty, so the client closes as soon as it connects.
telnet example.com https < /dev/null
# Completes the TLS handshake, then closes without sending a request.
openssl s_client -connect example.com:https < /dev/null
# Completes the handshake, sends one HTTP request, then closes once stdin ends.
openssl s_client -connect example.com:https <<EOF
GET / HTTP/1.1
Host: example.com

EOF

編輯:如果你不是在 443 埠上執行,埠掃描器的行為更容易理解:

  • 它連接到埠並等待伺服器橫幅(由 SMTP、IMAP、SSH 等其他類型的伺服器發送)。超時後斷開連接。
  • 它連接到埠,執行 TLS 握手並等待伺服器橫幅(由前述協議的 TLS 版本發送)。超時後斷開連接。
  • 它嘗試發送 HTTP 請求。由於它對頁面不感興趣,因此它會斷開連接並推斷您正在執行 HTTP 伺服器。

引用自:https://serverfault.com/questions/1001358