一错误
2019/12/09 16:45:44 [error] 19091#0: *1 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, cli
ent: 172.18.122.4, server: sda.cn, request: "POST /api/tokenVerify?token=2D3B66C43CFDA04DF5D46F288F0B16B253FE48353C351BDB52D339840DB28E6427115A9ECB826CA75EBE7F6F310BEBB2DAB85DAE77780AC6B6E2F053DF23BF9788F3768F62ABF38C335C794DC79197BC&constId=&appKey=c36b3f2865c0506c9dd7dab845c1ee86&sign=4ada50fd61204702bda46f95810b42b5&ip= HTTP/1.1", upstream: "https://74.208.236.192:443/api/tokenVerify?token=2D3B66C43CFDA04DF5D46F288F0B16B253FE48353C351BDB52D339840DB28E6427115A9ECB826CA75EBE7F6F310BEBB2DAB85DAE77780AC6B6E2F053DF23BF9788F3768F62ABF38C335C794DC79197BC&constId=&appKey=c36b3f2865c0506c9dd7dab845c1ee86&sign=4ada50fd61204702bda46f95810b42b5&ip=", host: "192.168.2.241:10443"
二解决
在nginx 1.7中,可以使用这个指令:
proxy_ssl_server_name on;
迫使nginx使用SNI
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#请按照这个协议配置 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #请按照这个套件配置,配置加密套件,写法遵循 openssl 标准。 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; ssl_prefer_server_ciphers on; proxy_connect_timeout 600; proxy_read_timeout 600; proxy_send_timeout 600; #防止hand proxy_ssl_server_name on; location / { #网站主页路径。此路径仅供参考,具体请您按照实际目录操作。 #root /var/www/www.domain.com; index /templates/loading.html; } location ~.*abnol/* { proxy_pass http://tomcatWeb; # proxy_pass http://192.168.1.101:8090; # proxy_pass http://localhost:8088; } location ~.*api/tokenVerify* { proxy_pass https://cap.dingxiang-inc.com; } } }
