• 20211026_Alibaba Cloud server: WAF traffic diversion blocking SSL on a custom port


    1. First, the customer reported that the custom SSL port 7443 could no longer be reached, while 443, 8443 and 94443 all worked; in other words, everything except 7443 was accessible.
    [root@xuexiao ~]# curl -I https://xxx.xxxxx.cn:7443
    curl: (35) SSL received a record that exceeded the maximum permissible length.  --this message is misleading
    
    [root@xuexiao ~]# wget  https://xxxx.xxxxxx.cn:7443
    --2021-10-26 10:21:58--  https://xxxx.xxxxxx.cn:7443/
    正在解析主机 fkzx.rakinda.cn (xxxx.xxxxxxx.cn)... 47.1.9.18
    正在连接 fkzx.rakinda.cn (xxxxx.xxxxxxx.cn)|47.1.9.18|:7443... 已连接。
    --This part matters: the TCP connection is established, but no valid reply comes back.
    OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    无法建立 SSL 连接。
    
    [root@xuexiao ~]# openssl s_client -connect 47.1.9.18:7443 -debug
    CONNECTED(00000003)
    write to 0x2214d90 [0x2262c10] (289 bytes => 289 (0x121))   --these lines are not important
    0100 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03   ................
    0110 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
    0120 - 01                                                .
    read from 0x2214d90 [0x2268170] (7 bytes => 7 (0x7))
    0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
    140541420005264:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
    ...
    SSL-Session:
        Protocol  : TLSv1.2
    ...
    Verify return code: 0 (ok)   --this shows SSL itself is fine
    ---
    The seven bytes read back, 48 54 54 50 2f 31 2e, are the ASCII text "HTTP/1.": the peer answered the TLS ClientHello with a plaintext HTTP response, which is exactly what the "unknown protocol" error means, and it shows that the bytes sent to port 7443 were not reaching the nginx SSL listener at all.

    2. The error shown in Postman:

    Error: write EPROTO 4244677912:error:10000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../third_party/boringssl/src/ssl/tls_record.cc:242:
    

    3. The nginx configuration file; there is nothing wrong with this config:
    user  nginx;
    worker_processes  1;
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;
    events {
        worker_connections  1024;
    }
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        # Keyed on $binary_remote_addr, limit the average rate to 150 requests per second
        limit_req_zone $binary_remote_addr zone=allips:200m rate=150r/s;
    
        keepalive_timeout  65;
        #gzip  on;
        include /etc/nginx/conf.d/*.conf;
        upstream server {
            server 172.18.95.244:9091;
            server 172.18.95.244:9092;
            server 172.18.95.245:9093;
        }
        server {
            listen 9090;
            server_name fkzx.rakinda.cn;
            location / {
                proxy_pass http://server;
                root html;
                index index.html index.htm;
            }
        }
    
        server {
            listen 7443  ssl;
            server_name  xxx.xxxx.cn;
            # ssl on;
            ssl_certificate  /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.pem;
            ssl_certificate_key /home/docker/nginx/ssl/6489833_xxx.xxxx.cn.key;
            location / {
                proxy_pass http://server;
                root html;
                index index.html index.htm;
            }
        }
    }
    4. The problem appeared suddenly after the MLPS (等保) compliance work; everything had been fine before. The cause was that the Web Application Firewall had diverted the traffic for this port. Open the Web Application Firewall console and either delete the port from it or turn off traffic diversion, and access works again.
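    To make the diagnosis above repeatable, here is an added Python probe (not from the original post) that sends a bare TLS ClientHello and classifies the first bytes that come back, separating a plaintext HTTP answer (the "HTTP/1." seen in the s_client dump) from a real TLS ServerHello or alert. The local listener at the bottom is a constructed stand-in for a port whose traffic has been diverted to a plaintext backend; the host, port and reply strings are assumptions.

```python
import os
import socket
import struct
import threading

def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"      # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                         # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # client_hello + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # handshake record

def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello and classify what the peer sends back first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            first = s.recv(16)
        except socket.timeout:
            return "no-response"
    if not first:
        return "closed"                  # peer hung up without answering
    if first.startswith(b"HTTP/"):
        return "plaintext-http"          # bytes 48 54 54 50 2f ... as in the s_client dump
    if first[0] == 0x16:
        return "tls-handshake"           # ServerHello: TLS is really being served here
    if first[0] == 0x15:
        return "tls-alert"               # TLS is served but the handshake was rejected
    return "unknown"

def fake_listener(reply: bytes) -> int:
    """Constructed local stand-in for a diverted port: answers any connection with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)                  # swallow the ClientHello
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = fake_listener(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    print(classify_port("127.0.0.1", port))   # plaintext-http
```

    Pointing classify_port at the real host and port 7443 gives a one-word answer instead of the misleading curl message, and "plaintext-http" tells you to look at whatever sits in front of nginx rather than at the nginx config.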

  • Original source: https://www.cnblogs.com/wxylog/p/15465129.html