反代了 Google,火狐访问提示"内容损坏错误"(v35,36b2)

昨天在VPS上搭了一下，用的StartSSL的免费证书

nginx 为了偷懒直接使用的
https://github.com/cuber/ngx_http_google_filter_module

由于StartSSL默认有个non-www的域名，所以non-www的单独配了个vhost

反代只监听了 server_name 是 www.xxx.xx:443 的域名

现在问题来了，https://xxx.xx 在firefox里面是可以访问的，页面是可以看见的

唯独反代的 https://www.xxx.xx 在火狐里直接显示`内容损坏错误`

其它浏览器如UC、Chrome等都是正常的

实在是想不到原因了，求帮忙解决下。

```
# nginx -V
nginx version: nginx/1.7.9
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
TLS SNI support enabled
```

ssl配置
```
#SSL Certificate
ssl_certificate /etc/nginx/certs/xxx.xx.crt;
ssl_certificate_key /etc/nginx/certs/xxx.xx.key;
#TLS only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#SSL Session Cache
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/xxx.xx.crt;
resolver 8.8.8.8;
#Disable Beast Attacks
ssl_prefer_server_ciphers on;
#ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
#Stronger DHE Parameters
ssl_dhparam /etc/nginx/certs/dh.pem;
#HSTS
add_header Strict-Transport-Security "max-age=31536000";
```

luo362722353

2015-01-22 04:10:30 +08:00

我贴一下我的demo，楼主你看看有没有互相学习的…我也是小白一枚

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install libpcre3 libpcre3-dev zlib1g-dev libssl-dev build-essential git
mkdir nginx && cd nginx
wget http://nginx.org/download/nginx-1.7.9.tar.gz
tar -xvf nginx-1.7.9.tar.gz
git clone https://github.com/cuber/ngx_http_google_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
cd nginx-1.7.9
mkdir /var/tmp/nginx

./configure \
--prefix=/usr --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-scgi-temp-path=/var/tmp/nginx/scgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-http_ssl_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module \
--add-module=/root/nginx/ngx_http_google_filter_module \
--add-module=/root/nginx/ngx_http_substitutions_filter_module

make && make install

cd /etc/init.d/
vi nginx

#!/bin/sh

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=nginx
DESC=nginx

# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
. /etc/default/nginx
fi

test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

test_nginx_config() {
if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
return 0
else
$DAEMON -t $DAEMON_OPTS
return $?
fi
}

case "$1" in
start)
echo -n "Starting $DESC: "
test_nginx_config
# Check if the ULIMIT is set in /etc/default/nginx
if [ -n "$ULIMIT" ]; then
# Set the ulimits
ulimit $ULIMIT
fi
start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
--exec $DAEMON -- $DAEMON_OPTS || true
echo "$NAME."
;;

stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
--exec $DAEMON || true
echo "$NAME."
;;

restart|force-reload)
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile \
/var/run/$NAME.pid --exec $DAEMON || true
sleep 1
test_nginx_config
# Check if the ULIMIT is set in /etc/default/nginx
if [ -n "$ULIMIT" ]; then
# Set the ulimits
ulimit $ULIMIT
fi
start-stop-daemon --start --quiet --pidfile \
/var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
echo "$NAME."
;;

reload)
echo -n "Reloading $DESC configuration: "
test_nginx_config
start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid \
--exec $DAEMON || true
echo "$NAME."
;;

configtest|testconfig)
echo -n "Testing $DESC configuration: "
if test_nginx_config; then
echo "$NAME."
else
exit $?
fi
;;

status)
status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
;;
*)
echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
exit 1
;;
esac

exit 0

sudo chmod +x ./nginx
sudo update-rc.d nginx defaults

rm -rf /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf

worker_processes 4;
pid /var/run/nginx.pid;

events {
worker_connections 768;
}

http {

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
proxy_temp_file_write_size 128k;
proxy_temp_path /var/cache/nginx/temp;
proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=cache_one:100m inactive=7d max_size=10g;

gzip_static on;
gzip on;
gzip_disable "msie6";

include /etc/nginx/sites-enabled/*;
}

mkdir -p /etc/nginx/sites-enabled
mkdir -p /var/log/nginx
mkdir -p /var/cache/nginx/cache
mkdir -p /var/cache/nginx/temp

nginx -t

mkdir -p /root/ssl && cd /root/ssl
vi domain.crt
vi domain.key
vi /etc/nginx/sites-enabled/google.conf

server {
listen 80;
server_name xxx.pt www.xxx.pt;
return 301 https://www.xxx.pt$request_uri;
}

server {
listen 443 ssl;
server_name xxx.pt www.xxx.pt;

ssl on;
ssl_certificate /root/ssl/xxx.pt.crt;
ssl_certificate_key /root/ssl/xxx.pt.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

resolver 8.8.8.8;

location / {
google on;
google_scholar on;
google_robots_allow on;

}
}