Nginx 错误 https 。 curl:(35)错误:1408F10B:SSL例程:ssl3_get_record:错误的版本号

【问题标题】:Nginx error https . curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version numberNginx 错误 https 。 curl:(35)错误:1408F10B:SSL例程:ssl3_get_record:错误的版本号
【发布时间】:2020-11-28 04:28:22
【问题描述】:

Nginx。我无法通过 https 访问在端口 3000 中侦听的 NodeJs 应用程序。我可以通过http来做。 https://www.modelistas.tk:3000/api/status 抛出错误。我试过卷曲

详细输出:

root@ip-172-31-50-215:/opt/letsencrypt# curl -v -k https://modelistas.tk:3000/api/status
*   Trying 72.44.61.151...
* TCP_NODELAY set
* Connected to modelistas.tk (72.44.61.151) port 3000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

我的配置 Nginx 默认

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    
    # Añadimos que escuche en el puerto 443 SSL:
        listen 443 ssl;
    

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    # AGREGADO Carpeta raiz de este servidor :
    root /var/www/www.modelistas.tk/public;

    # Add index.php to the list if you are using PHP
    index index.html index.htm;

    # AGREGADO
    server_name www.modelistas.tk modelistas.tk;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #agregado
    location ~ /\.ht {
        deny all;
    }
    
    location ~ /.well-known {
                allow all;
    }
    
    location /api {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
     }
    
     # Configuracion del certificado SSL de letsencrypt

        ssl_certificate /etc/letsencrypt/live/modelistas.tk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/modelistas.tk/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        
         # Cipher Suites disponibles:
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ssl_prefer_server_ciphers on;

        # Uso de grupo Diffie-Hellman
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        
    

}

server {
    listen 80;
    server_name modelistas.ml www.modelistas.tk;
    return 301 https://$host$request_uri;
}

【问题讨论】:

    标签: ssl nginx curl https


    【解决方案1】:

    根据错误消息,您的服务器上没有 TLSv1.3。更新 nginx conf 以支持 TLSv1.3。

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2, TLSv1.3;

    或者您可以通过此选项指定 curl 降级并使用 TLSv1.2(或服务器支持的任何内容)。

    --tlsv1.2

    还有:

    您正在通过端口 3000 连接到 ssl / tls。并且该端口上没有 TLS。连接到 443,因为这是配置的。 检查你是否在代理后面

    【讨论】:

    • 第一个配置不起作用。和秒,有同样的错误。 curl -v -k --tlsv1.2 modelistas.tk:3000/api/status Trying 72.44.61.151 TCP_NODELAY set * 连接到 modelistas.tk (72.44.61.151) 端口 3000 (#0) * ALPN,提供 h2 * ALPN,提供 http/1.1 * 成功设置证书验证位置:* CAfile:/etc/ssl/certs/ca-certificates.crt CApath:/etc/ssl/certs * TLSv1.2 (OUT)、TLS 握手、客户端问候 (1):* 错误:1408F10B: SSL 例程:ssl3_get_record:错误的版本号 curl:(35)错误:1408F10B:SSL 例程:ssl3_get_record:错误的版本号
    • 你在代理后面吗?
    • 连接到 443。你在 3000 上没有 TLS
    猜你喜欢
    • 2021-06-01
    • 2014-01-12
    • 1970-01-01
    • 2019-02-14
    • 2015-06-20
    • 2020-09-07
    • 2015-06-19
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode