Nginx

Some pages return a "502 Bad Gateway" error

  • August 18, 2020

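I just realized that some links on my website lead to a "502 Bad Gateway" error. For example, <https://v2a.10studio.tech/10studio/auth/google>, <https://v2a.10studio.tech/auth/google>, <https://v2a.10studio.tech/10studio/auth/microsoft>, <https://v2a.10studio.tech/auth/microsoft>. I'm pretty sure these links worked a few weeks ago, and I don't know what happened.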

The website <https://v2a.10studio.tech/> is still running. <https://v2a.10studio.tech/#/sign?next=/> contains buttons that lead to the broken links when clicked.

Here is docker-compose.yml:

version: "3"
services:
 frontend:
   restart: unless-stopped
   image: staticfloat/nginx-certbot
   ports:
     - 80:80/tcp
     - 443:443/tcp
   environment:
     CERTBOT_EMAIL: chengtie@gmail.com
   volumes:
     - ./conf.d:/etc/nginx/user.conf.d:ro
     - letsencrypt:/etc/letsencrypt
 10studio:
   image: bitnami/nginx:1.16
   restart: always
   volumes: 
     - ./build:/app
     - ./default.conf:/opt/bitnami/nginx/conf/server_blocks/default.conf:ro
     - ./configs/config.prod.js:/app/lib/config.js
   depends_on: 
   - frontend

volumes:
 letsencrypt:

networks:
 default:
   external:
     name: 10studio

And conf.d/v2.conf:

gzip on;
gzip_proxied any;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/jpeg image/png image/svg+xml image/x-icon;

upstream funfun {
  server www.funfun.io:443;
}


server {
   listen              443 ssl;
   ssl_certificate     /etc/letsencrypt/live/v2a.10studio.tech/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/v2a.10studio.tech/privkey.pem;
   server_name v2a.10studio.tech;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_session_timeout 1d;
   ssl_stapling on;
   ssl_stapling_verify on;
   add_header Strict-Transport-Security max-age=15768000;
   add_header X-Frame-Options "";
   
   
   location ~ /socialLoginSuccess {                                                                                            
       rewrite ^ '/#/socialLoginSuccess' redirect;
    }

   location ~ /auth/(.*) {                                                                                            
       proxy_pass  https://funfun/10studio/auth/$1?$query_string;
       proxy_set_header Host v2a.10studio.tech;
    }

   location / {
       proxy_set_header    Host                $host;
       proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
       proxy_set_header    X-Forwarded-Proto   $scheme;
       proxy_set_header    Accept-Encoding     "";
       proxy_set_header    Proxy               "";
       proxy_pass          http://10studio:8080/;

       # These three lines added as per https://github.com/socketio/socket.io/issues/1942 to remove socketio error
       proxy_http_version 1.1;
       proxy_set_header   Upgrade $http_upgrade;
       proxy_set_header   Connection "upgrade";
   }
}

Could anyone help?

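PS: A few weeks ago I changed some settings for funfun.io in CloudFlare (especially the SSL certificates); I don't know if that is related. I don't know whether this `Proxy status` (`DNS only` or `Proxied`) has an impact.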

**Edit 1:** Here are some docker logs:

2020-08-18T20:19:15.667934708Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.153.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.667995550Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.153.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.738088121Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.152.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.738135701Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://104.27.152.135:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803843403Z 2020/08/18 20:19:15 [error] 42#42: *310 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://172.67.193.92:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803890220Z 2020/08/18 20:19:15 [warn] 42#42: *310 upstream server temporarily disabled while SSL handshaking to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /auth/github HTTP/1.1", upstream: "https://172.67.193.92:443/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:15.803908241Z 176.144.215.193 - - [18/Aug/2020:20:19:15 +0000] "GET /auth/github HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"
2020-08-18T20:19:21.284333260Z 2020/08/18 20:19:21 [error] 42#42: *310 no live upstreams while connecting to upstream, client: 176.144.215.193, server: v2a.10studio.tech, request: "GET /10studio/auth/github HTTP/1.1", upstream: "https://funfun/10studio/auth/github?", host: "v2a.10studio.tech"
2020-08-18T20:19:21.285121395Z 176.144.215.193 - - [18/Aug/2020:20:19:21 +0000] "GET /10studio/auth/github HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "-"

The error `SSL alert number 40` means that you tried to connect to an HTTPS site that requires SNI, but did not send an SNI hostname.

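You are trying to `proxy_pass` `/auth/` to an `upstream` named `www.funfun.io`. But this site is hosted on CloudFlare, so SNI is required to connect to it over HTTPS. Unfortunately, nginx's SNI support for outgoing upstream HTTPS connections is disabled by default (I can't imagine why). You need to explicitly enable SNI for outgoing connections to upstreams with `proxy_ssl_server_name on;`. This can be set in the `http` context so that it applies to every attempt throughout the configuration, or it can be placed only in the specific `proxy_pass` `location`s that need it.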
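
The fix described in the answer, applied to the `/auth/` location of the `conf.d/v2.conf` shown in the question (an added example, not part of the original answer or the asker's configuration). The `proxy_ssl_name` override and the certificate-verification directives go beyond what the answer states, and the CA bundle path is an assumption about the container image.

```nginx
# Added example: /auth/ location from conf.d/v2.conf with SNI enabled for
# the outgoing TLS connection to the "funfun" upstream group.
upstream funfun {
    server www.funfun.io:443;
}

server {
    # listen, server_name, ssl_* and the other locations stay as in the
    # v2.conf from the question.

    location ~ /auth/(.*) {
        proxy_pass       https://funfun/10studio/auth/$1?$query_string;
        proxy_set_header Host v2a.10studio.tech;

        # Send a server name (SNI) in the TLS ClientHello to the upstream.
        # nginx leaves this off by default.
        proxy_ssl_server_name on;

        # The SNI value defaults to $proxy_host, which here is the upstream
        # group name "funfun" rather than a resolvable host name, so name
        # the real host explicitly. The same name is used when the upstream
        # certificate is verified.
        proxy_ssl_name www.funfun.io;

        # Beyond the answer: nginx does not verify the upstream certificate
        # unless told to. The bundle path below is an assumption (usual
        # location on Debian-based images); adjust it for the image in use.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

After reloading, the `SSL_do_handshake() failed ... SSL alert number 40` and `no live upstreams` entries for `/auth/` requests should stop appearing in the frontend container's error log if missing SNI was the cause.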

Quoted from: https://serverfault.com/questions/1030656