如何解决为什么我的Nginx反向代理从完全不同的站点获取内容?
我在EC2上设置了一个nginx反向代理,该代理用于通过LUA脚本管理SSL证书。设置为始终从单个上游服务器获取。它在启动后效果很好,但是在某个时间点(2-3周),它开始从随机网站而非上游网站提供内容。重新启动服务器后,问题就消失了。我从未听说过这些网站;我看到的唯一共同点是它们也托管在AWS上。还需要注意的是,启用了一定程度的缓存,并且正在使用本地EC2解析器
有没有人遇到过这种情况并且知道如何解决?
nginx.conf:
daemon off;
worker_processes 1;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
pid /var/run/ssl-proxy.pid;
events {
accept_mutex on;
worker_connections 1024;
}
http {
gzip on;
gzip_comp_level 3;
gzip_min_length 150;
gzip_proxied any;
gzip_types text/plain text/css text/json text/javascript
application/javascript application/x-javascript application/json
application/rss+xml application/vnd.ms-fontobject application/x-font-ttf
application/xml font/opentype image/svg+xml text/xml;
server_tokens off;
log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name $host to: $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time | UA: $http_user_agent';
log_format l2met 'measure#nginx.service=$request_time request_id=$http_x_request_id';
access_log /var/log/nginx/access.log upstreamlog;
# access_log /var/log/nginx/access.log l2met;
include mime.types;
default_type application/octet-stream;
sendfile on;
#Must read the body in 5 seconds.
client_body_timeout 5;
upstream app_server {
server example.com:443 fail_timeout=0;
}
# The "auto_ssl" shared dict should be defined with enough storage space to
# hold your certificate data. 1MB of storage holds certificates for
# approximately 100 separate domains.
lua_shared_dict auto_ssl 1m;
# The "auto_ssl_settings" shared dict is used to temporarily store various settings
# like the secret used by the hook server on port 8999. Do not change or
# omit it.
lua_shared_dict auto_ssl_settings 64k;
lua_ssl_verify_depth 2;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# A DNS resolver must be defined for OCSP stapling to function.
#
# This example uses Google's DNS server. You may want to use your system's
# default DNS servers,which can be found in /etc/resolv.conf. If your network
# is not IPv6 compatible,you may wish to disable IPv6 results by using the
# "ipv6=off" flag (like "resolver 8.8.8.8 ipv6=off").
resolver 127.0.0.53 ipv6=off;
# Initial setup tasks.
init_by_lua_block {
auto_ssl = (require "resty.auto-ssl").new()
auto_ssl:set("storage_adapter","resty.auto-ssl.storage_adapters.redis")
auto_ssl:set("redis",{
})
-- Define a function to determine which SNI domains to automatically handle
-- and register new certificates for. Defaults to not allowing any domains,-- so this must be configured.
auto_ssl:set("allow_domain",function(domain)
local http = require("resty.http")
local httpc = http.new()
httpc:set_timeout(5000)
local path = "/.protected/domains/"..domain
print("Querying API for custom domain: ",domain)
local res,err = httpc:request_uri("https://example.com",{
path = path,method = "GET"
})
if not res then
print("Failed to request: ",err)
return false
end
if res.status == 200 then
print("Domain is allowed! Status code: ",res.status," _id: ",res.body)
return true
end
if res.status == 404 then
print("Domain not found. Status code: ",res.status)
return false
end
print("Unexpected response from API. Status code: ",res.status)
return false
end)
auto_ssl:set("request_domain",function(ssl,ssl_options)
local domain,err = ssl.server_name()
print("Using domain: "..domain)
return domain,err
end)
auto_ssl:init()
}
init_worker_by_lua_block {
auto_ssl:init_worker()
}
# Cache
proxy_cache_path /home/ubuntu/app/cache/assets levels=1:2 keys_zone=asset_cache:10m
inactive=43200 use_temp_path=off;
# HTTPS server
server {
listen 443 ssl;
server_name _;
keepalive_timeout 5;
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
auto_ssl:ssl_certificate()
}
# Self signed fallback certificate:
ssl_certificate ../ssl/localhost.crt;
ssl_certificate_key ../ssl/localhost.key;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_ignore_client_abort on;
proxy_pass https://app_server;
}
location /assets/ {
add_header X-Cache-Status $upstream_cache_status;
add_header Cache-Control "max-age=31536000,public";
proxy_cache asset_cache;
proxy_ignore_headers Cache-Control;
proxy_cache_valid 525600m;
proxy_cache_lock on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_ignore_client_abort on;
proxy_pass https://app_server;
}
}
# HTTP server
server {
listen 80;
server_name _;
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
auto_ssl:challenge_server()
}
}
location / {
return 301 https://$host:443$request_uri;
}
}
# Internal server running on port 8999 for handling certificate tasks.
server {
listen 127.0.0.1:8999;
# Increase the body buffer size,to ensure the internal POSTs can always
# parse the full POST contents into memory.
client_body_buffer_size 128k;
client_max_body_size 128k;
location / {
content_by_lua_block {
auto_ssl:hook_server()
}
}
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。