Nginx reverse proxy to a backend with multiple IPs throws an error (resolved)

mytsing520 2019-3-31 899

Version: Nginx 14.1

Symptoms:
The origin has 4 IP addresses, all on the same host, each listening on ports 80 and 443.
When I try to forward to the backend at layer 4, the error is "duplicate port"; when forwarding at layer 7, the error is "SSL_do_handshake() failed", specifically a protocol error in the HELLO message.
If only 1 IP address is configured, layer-7 forwarding works fine.

Solution: edit the nginx configuration file and add a new upstream block containing the IP addresses above with port 443.

Latest replies (6)
  • 虚竹 2019-4-1
    Quote #2
    Post your configuration file.
  • didiao 2019-4-1
    Quote #3
    I've run into the same problem. You probably configured the reverse proxy in nginx directly and forgot to add the port after the IP; for SSL forwarding you also need to write it as IP:443.
  • mytsing520 2019-4-5
    Quote #4
    didiao: I've run into the same problem. You probably configured the reverse proxy in nginx directly and forgot to add the port after the IP; for SSL forwarding you also need to write it as IP:443.
    After configuring the port it errors out with a port conflict.
  • mytsing520 2019-4-5
    Quote #5

    Here is the original layer-7 reverse proxy configuration (some settings, such as the domain name and the upstream IP addresses, have been replaced for privacy):

    # Upstream group: all four addresses are the same host, and only port 80 is listed
    upstream appnode_proxy_backend_of_site_abc.com {
        server 1.1.1.1:80 weight=1 max_fails=3 fail_timeout=5s;
        # "backup down" marks a server as both backup and administratively down,
        # so 1.1.1.1 is the only server that can ever receive traffic
        server 1.1.1.2:80 weight=1 max_fails=3 fail_timeout=5s backup down;
        server 1.1.1.3:80 weight=1 max_fails=0 fail_timeout=5s backup down;
        server 1.1.1.4:80 weight=1 max_fails=0 fail_timeout=5s backup down;
        keepalive 1;
    }

    server {
        listen 80;
        listen 443 ssl http2;
        server_name abc.com;
        server_name www.abc.com;
        ssl_certificate /data/rp-hkg/sites/abc.com/ssl/site.crt;
        ssl_certificate_key /data/rp-hkg/sites/abc.com/ssl/site.key;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 5m;
        keepalive_timeout 75s;
        keepalive_requests 100;
        access_log /data/rp-hkg/sites/abc.com/log/nginx/access.log;
        error_log /data/rp-hkg/sites/abc.com/log/nginx/error.log;
        gzip on;
        gzip_comp_level 6;
        gzip_min_length 1k;
        gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

        location / {
            # $scheme is "https" for requests that arrived on the 443 listener,
            # so nginx then opens a TLS connection to an upstream server on port 80
            proxy_pass $scheme://appnode_proxy_backend_of_site_abc.com$request_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Nginx-Proxy true;
            proxy_set_header Upgrade $http_upgrade;
            # $connection_upgrade must come from a "map $http_upgrade $connection_upgrade"
            # block in the http context (not included in this excerpt)
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 1m;
        }
    }

    With this configuration, HTTPS requests return 502 and the error log says "No live upstreams".

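The fix the thread converges on (a second upstream group whose servers carry port 443, as in the opening post and reply #3), written out as a complete nginx.conf. This is an added example, not configuration from the original post or from the hosting panel; it assumes the placeholder addresses 1.1.1.1 to 1.1.1.4 and the abc.com certificate paths from the thread, plus an assumed CA bundle at /etc/nginx/backend-ca.crt for verifying the backend's certificate. It goes beyond the post in two ways: the upstream group is chosen by $scheme through a map instead of appending $request_uri to a variable proxy_pass, and the connection to the backend is given the right SNI and has its certificate verified, which nginx does not do by default.

```nginx
# Added example (not from the original post). Layer-7 reverse proxy that talks
# plain HTTP to the backend on :80 and TLS to the backend on :443.
# 1.1.1.1-1.1.1.4, abc.com and the site certificate paths are the thread's
# placeholders; /etc/nginx/backend-ca.crt is an assumed path.
events { worker_connections 1024; }

http {
    # Needed by "proxy_set_header Connection $connection_upgrade" below.
    # The empty value (not "close") keeps upstream keepalive working for
    # ordinary requests: an empty header value is not sent at all.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      '';
    }

    # One upstream group per backend port. Mixing them is what breaks: a TLS
    # ClientHello sent to a plain-HTTP :80 listener is answered with an HTTP
    # error page, which nginx reports as SSL_do_handshake() failed.
    upstream abc_backend_http {
        server 1.1.1.1:80 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:80 max_fails=3 fail_timeout=5s;
        server 1.1.1.3:80 max_fails=3 fail_timeout=5s backup;
        server 1.1.1.4:80 max_fails=3 fail_timeout=5s backup;
        keepalive 16;
    }

    upstream abc_backend_https {
        server 1.1.1.1:443 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:443 max_fails=3 fail_timeout=5s;
        server 1.1.1.3:443 max_fails=3 fail_timeout=5s backup;
        server 1.1.1.4:443 max_fails=3 fail_timeout=5s backup;
        keepalive 16;
    }

    # Pick the upstream group from the scheme the client used.
    map $scheme $abc_backend {
        https   abc_backend_https;
        default abc_backend_http;
    }

    server {
        listen 80;
        listen 443 ssl http2;
        server_name abc.com www.abc.com;

        ssl_certificate     /data/rp-hkg/sites/abc.com/ssl/site.crt;
        ssl_certificate_key /data/rp-hkg/sites/abc.com/ssl/site.key;
        ssl_protocols TLSv1.2 TLSv1.3;    # TLSv1.3 takes effect with OpenSSL 1.1.1+
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 5m;

        location / {
            # With a variable in proxy_pass, nginx matches the name against the
            # upstream groups first; the client's URI is forwarded unchanged.
            proxy_pass $scheme://$abc_backend;

            # Backend TLS: send SNI for the real site name (the default,
            # $proxy_host, would be the upstream group name) and verify the
            # backend certificate against a pinned CA instead of accepting any
            # certificate, which is nginx's default for proxy_pass https://.
            proxy_ssl_server_name on;
            proxy_ssl_name $host;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/backend-ca.crt;  # assumed path

            proxy_http_version 1.1;       # required for upstream keepalive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 1m;
        }
    }
}
```

Check it with nginx -t, then send one request over each scheme. On the HTTPS path the error log should no longer show SSL_do_handshake() failures, because the ClientHello now reaches a listener that speaks TLS. If the backend uses a self-signed certificate, put that certificate (or its issuing CA) into the proxy_ssl_trusted_certificate file rather than switching proxy_ssl_verify off; with verification off, anything that can answer on 1.1.1.1:443 can impersonate the origin to this proxy.
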
  • mytsing520 2019-4-5
    Quote #6

    For layer-4 forwarding I configured two files with the same domain name, one for port 80 and one for port 443.

    Port 80 configuration file:

    upstream appnode_proxy_backend_of_site_abc.com {
        server 1.1.1.1:80 weight=1 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:80 weight=1 max_fails=3 fail_timeout=5s backup down;
        server 1.1.1.3:80 weight=1 max_fails=0 fail_timeout=5s backup down;
        server 1.1.1.4:80 weight=1 max_fails=0 fail_timeout=5s backup down;
    }

    server {
        # stream context: binds 0.0.0.0:80 in the same nginx process as any
        # http server block that also listens on port 80
        listen 80;
        # "proxy" must be a log_format declared in the stream context
        access_log /data/rp-hkg/sites/abc.com/log/nginx/access.log proxy;
        proxy_pass appnode_proxy_backend_of_site_abc.com;
    }

    Port 443 configuration file:

    upstream appnode_proxy_backend_of_site_sitessl {
        server 1.1.1.1:443 weight=1 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:443 weight=1 max_fails=3 fail_timeout=5s;
        server 1.1.1.3:443 weight=1 max_fails=3 fail_timeout=5s backup;
        server 1.1.1.4:443 weight=1 max_fails=3 fail_timeout=5s backup;
    }

    server {
        # "ssl" on a stream listener makes nginx terminate TLS itself (and then
        # requires ssl_certificate/ssl_certificate_key); without it the TLS
        # bytes are passed through to the upstream unchanged
        listen 443 ssl;
        access_log /data/rp-hkg/sites/sitessl/log/nginx/access.log proxy;
        proxy_pass appnode_proxy_backend_of_site_sitessl;
    }

    With this setup nginx's configuration check passes, but restarting the nginx process fails with an error that the port already exists, even though netstat -anp | grep 80 and netstat -anp | grep 443 return nothing.

    ● nginx.service - nginx - high performance web server
       Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Fri 2019-04-05 06:39:06 CST; 9s ago
         Docs: http://nginx.org/en/docs/
      Process: 17365 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
      Process: 17472 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
     Main PID: 5600 (code=exited, status=0/SUCCESS)

    Apr 05 06:39:05 rp-hkg nginx[17472]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    Apr 05 06:39:05 rp-hkg nginx[17472]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Apr 05 06:39:05 rp-hkg nginx[17472]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    Apr 05 06:39:06 rp-hkg nginx[17472]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    Apr 05 06:39:06 rp-hkg nginx[17472]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    Apr 05 06:39:06 rp-hkg systemd[1]: nginx.service: control process exited, code=exited status=1
    Apr 05 06:39:06 rp-hkg nginx[17472]: nginx: [emerg] still could not bind()
    Apr 05 06:39:06 rp-hkg systemd[1]: Failed to start nginx - high performance web server.
    Apr 05 06:39:06 rp-hkg systemd[1]: Unit nginx.service entered failed state.
    Apr 05 06:39:06 rp-hkg systemd[1]: nginx.service failed.

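Why the layer-4 attempt in reply #6 cannot bind, shown as an added nginx.conf example (not the poster's files and not the panel's generated configuration). The http and stream contexts each open their own listening socket, so server blocks in both contexts asking for 0.0.0.0:80 and 0.0.0.0:443 in the same nginx process produce exactly the bind() errors in the systemd output above; netstat shows nothing on those ports because nginx never came up. The working layout gives port 80 to http and port 443 to stream, passes TLS through untouched and routes on SNI. Assumptions: the placeholder addresses 1.1.1.1 to 1.1.1.4 and log paths from the thread, an nginx built with ngx_stream_ssl_preread_module (1.11.5 or later), and 127.0.0.1:9 as an assumed sinkhole address for server names the proxy does not serve.

```nginx
# Added example (not from the original post). 1.1.1.1-1.1.1.4 and the log
# paths are the thread's placeholders; 127.0.0.1:9 is an assumed sinkhole.
events { worker_connections 1024; }

# --- Conflicting layout (what the two posted stream files amount to) --------
# Each context binds its own socket. The http listener on 0.0.0.0:80 is bound
# first; the stream listener on the same address:port then fails with
# "bind() to 0.0.0.0:80 failed (98: Address already in use)", and nginx
# retries a few times before giving up with "still could not bind()".
#
# http   { server { listen 80; listen 443 ssl; ... } }
# stream { server { listen 80; ... } server { listen 443 ssl; ... } }

# --- Working layout: every port belongs to exactly one context --------------
http {
    upstream abc_backend_http {
        server 1.1.1.1:80 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:80 max_fails=3 fail_timeout=5s;
        server 1.1.1.3:80 max_fails=3 fail_timeout=5s backup;
        server 1.1.1.4:80 max_fails=3 fail_timeout=5s backup;
    }

    server {
        listen 80;                      # http owns port 80
        server_name abc.com www.abc.com;
        access_log /data/rp-hkg/sites/abc.com/log/nginx/access.log;
        location / {
            proxy_pass http://abc_backend_http;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

stream {
    # log_format names are per context: a format declared under http is not
    # visible here, so "proxy" has to be declared in stream as well.
    log_format proxy '$remote_addr [$time_local] $protocol $status '
                     '$bytes_sent $bytes_received $session_time '
                     '"$upstream_addr" sni=$ssl_preread_server_name';

    upstream abc_backend_tls {
        server 1.1.1.1:443 max_fails=3 fail_timeout=5s;
        server 1.1.1.2:443 max_fails=3 fail_timeout=5s;
        server 1.1.1.3:443 max_fails=3 fail_timeout=5s backup;
        server 1.1.1.4:443 max_fails=3 fail_timeout=5s backup;
    }

    # Route on the SNI name read from the ClientHello, so connections for
    # names this proxy does not serve are not forwarded to the site backend.
    map $ssl_preread_server_name $tls_backend {
        abc.com      abc_backend_tls;
        www.abc.com  abc_backend_tls;
        default      127.0.0.1:9;       # assumed sinkhole: connection refused
    }

    server {
        # No "ssl" parameter: that would make nginx terminate TLS here (and
        # need the certificate). A plain "listen 443" forwards the encrypted
        # bytes, so the private key stays on the backend and TLS is end to end.
        listen 443;                     # stream owns port 443
        ssl_preread on;                 # parse only the ClientHello, no decryption
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
        access_log /data/rp-hkg/sites/sitessl/log/nginx/access.log proxy;
    }
}
```

Before reloading, run nginx -T | grep listen: it prints every listen directive from every included file, so an http server block generated elsewhere (for example by the panel's site management) that still listens on 443 shows up immediately, and it would reintroduce the same conflict. After a successful start, ss -ltnp shows which socket nginx actually holds on each port. Because the stream server never terminates TLS, $ssl_preread_server_name is the only part of the handshake the proxy inspects.
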
  • mytsing520 2019-4-5
    Quote #7
    Layer-4 forwarding cannot be used; my preliminary suspicion is that it conflicts with the "Site Management" feature.