Reverse-proxied Google; Firefox shows "Corrupted Content Error" (v35, 36b2)

2015-01-22 03:10:23 +08:00
 Niphor
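Yesterday I set this up on a VPS, using a free certificate from StartSSL.

For nginx, to save effort I directly used
https://github.com/cuber/ngx_http_google_filter_module

Since StartSSL includes a non-www domain by default, I configured a separate vhost for the non-www one.

The reverse proxy only listens on the domain whose server_name is www.xxx.xx:443.

Now here's the problem: https://xxx.xx can be accessed in Firefox, and the page is visible.

Only the reverse-proxied https://www.xxx.xx directly shows `Corrupted Content Error` in Firefox.

Other browsers such as UC and Chrome are all fine.

I really can't figure out the cause; please help me solve this.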

```
# nginx -V
nginx version: nginx/1.7.9
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
TLS SNI support enabled
```

SSL configuration
```
#SSL Certificate
ssl_certificate /etc/nginx/certs/xxx.xx.crt;
ssl_certificate_key /etc/nginx/certs/xxx.xx.key;
#TLS only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#SSL Session Cache
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/xxx.xx.crt;
resolver 8.8.8.8;
#Disable Beast Attacks
ssl_prefer_server_ciphers on;
#ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
#Stronger DHE Parameters
ssl_dhparam /etc/nginx/certs/dh.pem;
#HSTS
add_header Strict-Transport-Security "max-age=31536000";
```
4 replies
luo362722353
2015-01-22 04:10:30 +08:00
I'll paste my demo; OP, take a look and see if there's anything in it we can learn from each other… I'm a newbie too.

```
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install libpcre3 libpcre3-dev zlib1g-dev libssl-dev build-essential git
mkdir nginx && cd nginx
wget http://nginx.org/download/nginx-1.7.9.tar.gz
tar -xvf nginx-1.7.9.tar.gz
git clone https://github.com/cuber/ngx_http_google_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
cd nginx-1.7.9
mkdir /var/tmp/nginx

./configure \
    --prefix=/usr \
    --conf-path=/etc/nginx/nginx.conf \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --http-client-body-temp-path=/var/tmp/nginx/client \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
    --http-scgi-temp-path=/var/tmp/nginx/scgi \
    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-ipv6 \
    --with-http_sub_module \
    --add-module=/root/nginx/ngx_http_google_filter_module \
    --add-module=/root/nginx/ngx_http_substitutions_filter_module

make && make install

cd /etc/init.d/
vi nginx
```

```
#!/bin/sh

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=nginx
DESC=nginx

# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
    . /etc/default/nginx
fi

test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

test_nginx_config() {
    if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
        return 0
    else
        $DAEMON -t $DAEMON_OPTS
        return $?
    fi
}

case "$1" in
    start)
        echo -n "Starting $DESC: "
        test_nginx_config
        # Check if the ULIMIT is set in /etc/default/nginx
        if [ -n "$ULIMIT" ]; then
            # Set the ulimits
            ulimit $ULIMIT
        fi
        start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
            --exec $DAEMON -- $DAEMON_OPTS || true
        echo "$NAME."
        ;;

    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
            --exec $DAEMON || true
        echo "$NAME."
        ;;

    restart|force-reload)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile \
            /var/run/$NAME.pid --exec $DAEMON || true
        sleep 1
        test_nginx_config
        # Check if the ULIMIT is set in /etc/default/nginx
        if [ -n "$ULIMIT" ]; then
            # Set the ulimits
            ulimit $ULIMIT
        fi
        start-stop-daemon --start --quiet --pidfile \
            /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
        echo "$NAME."
        ;;

    reload)
        echo -n "Reloading $DESC configuration: "
        test_nginx_config
        start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid \
            --exec $DAEMON || true
        echo "$NAME."
        ;;

    configtest|testconfig)
        echo -n "Testing $DESC configuration: "
        if test_nginx_config; then
            echo "$NAME."
        else
            exit $?
        fi
        ;;

    status)
        status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
        ;;
    *)
        echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
        exit 1
        ;;
esac

exit 0
```

```
sudo chmod +x ./nginx
sudo update-rc.d nginx defaults

rm -rf /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
```

```
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    proxy_temp_file_write_size 128k;
    proxy_temp_path /var/cache/nginx/temp;
    proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=cache_one:100m inactive=7d max_size=10g;

    gzip_static on;
    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/sites-enabled/*;
}
```

```
mkdir -p /etc/nginx/sites-enabled
mkdir -p /var/log/nginx
mkdir -p /var/cache/nginx/cache
mkdir -p /var/cache/nginx/temp

nginx -t

mkdir -p /root/ssl && cd /root/ssl
vi domain.crt
vi domain.key
vi /etc/nginx/sites-enabled/google.conf
```


```
server {
    listen 80;
    server_name xxx.pt www.xxx.pt;
    return 301 https://www.xxx.pt$request_uri;
}

server {
    listen 443 ssl;
    server_name xxx.pt www.xxx.pt;

    ssl on;
    ssl_certificate /root/ssl/xxx.pt.crt;
    ssl_certificate_key /root/ssl/xxx.pt.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    resolver 8.8.8.8;

    location / {
        google on;
        google_scholar on;
        google_robots_allow on;
    }
}
```
Niphor
2015-01-22 10:32:31 +08:00
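@luo362722353 Thanks for the reply.
My config is basically the same as yours, and using your config directly doesn't work either.

Also, turning on debug for error_log doesn't give any information...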
luo362722353
2015-01-22 12:14:36 +08:00
@Niphor https://ibd.pt https://www.ibd.pt take a look, it seems to be fine.
Niphor
2015-01-22 14:51:34 +08:00
@luo362722353 I tried a lot of things and finally found that it seems to be caused by spdy
```
listen 443 ssl spdy;
```

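The reverse-proxied Google doesn't work in Firefox and reports `Corrupted Content Error`, but the non-proxied links are fine and don't report an error.

In Chrome, it uses spdy and works perfectly fine.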

https://www.v2ex.com/t/164340