TL;DR: although the SSL passthrough configuration may still interest some curious readers, the problem was simply a typo in one of the ports for all the long hostnames I tested.
I'm trying to pass HTTPS traffic to a back-end server through the Nginx stream module. It works for URLs of reasonable length but not for longer URLs, and I can't figure out how to solve the problem.
I can reach all the URLs of my back-end reverse proxy from the front reverse proxy by using /etc/hosts to resolve the address and specifying the port (9443). So I'm sure the back-end reverse proxy is configured correctly.
For these domains (I obviously changed the URLs, but the lengths are the same) there are no problems:

```nginx
wordpress.com 127.0.0.1:9443;
www.wordpress.com 127.0.0.1:9443;
crm.exemplexx.com 127.0.0.1:9443;
# Point to the same endpoint as the long domain
sd.wordpress.com 127.0.0.1:9443;
```
Errors and logs
For the longer ones, I get a connection refused error:

```
2024/08/04 12:30:00 [error] 65636#65636: *34 connect() failed (111: Connection refused) while proxying connection, client: 42.252.189.66, server: 0.0.0.0:443, upstream: "127.0.0.1:9433", bytes from/to client:314/0, bytes from/to upstream:0/0
```

```nginx
# I only need the first one, the others were for testing purposes
enormousubdomainname.dm-ricks.com 127.0.0.1:9433;
enormousubdomainname.wordpress.com 127.0.0.1:9433;
enormousu-bdomainname.wordpress.com 127.0.0.1:9433;
# I know these are commented now,
# but they are not mapping correctly
# ~*.dm\-ricks.com 127.0.0.1:9433;
# *.dm-ricks.com 127.0.0.1:9443;
```
In Firefox I get this error, since it never receives the certificate:

```
Secure Connection Failed
An error occurred during a connection to enormousubdomainname.dm-ricks.com. PR_END_OF_FILE_ERROR
Error code: PR_END_OF_FILE_ERROR
```
For long URLs I get the following logs:

```
2024/08/04 12:30:00 [info] 65636#65636: *34 client 42.252.189.66:48959 connected to 0.0.0.0:443
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC52CAD0:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC52CCA0:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 generic phase: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 generic phase: 1
2024/08/04 12:30:00 [debug] 65636#65636: *34 generic phase: 2
2024/08/04 12:30:00 [debug] 65636#65636: *34 generic phase: 3
2024/08/04 12:30:00 [debug] 65636#65636: *34 generic phase: 4
2024/08/04 12:30:00 [debug] 65636#65636: *34 ssl preread handler
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC52C6D0:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 malloc: 0000598DEC51C8D0:16384
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream recv(): -1
2024/08/04 12:30:00 [debug] 65636#65636: *34 epoll add event: fd:67 op:1 ev:80002001
2024/08/04 12:30:00 [debug] 65636#65636: *34 event timer add: 67: 30000:85946214
2024/08/04 12:30:00 [debug] 65636#65636: epoll del event: fd:8 op:2 ev:00000000
2024/08/04 12:30:00 [debug] 65636#65636: epoll add event: fd:8 op:1 ev:10000001
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream recv(): 314
2024/08/04 12:30:00 [debug] 65636#65636: *34 ssl preread handler
2024/08/04 12:30:00 [debug] 65636#65636: *34 ssl preread: state 0 left 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 ssl preread: supported_versions
2024/08/04 12:30:00 [debug] 65636#65636: *34 SSL preread server name: "enormousubdomainname.dm-ricks.com"
2024/08/04 12:30:00 [debug] 65636#65636: *34 event timer del: 67: 85946214
2024/08/04 12:30:00 [debug] 65636#65636: *34 tcp_nodelay
2024/08/04 12:30:00 [debug] 65636#65636: *34 proxy connection handler
2024/08/04 12:30:00 [debug] 65636#65636: *34 malloc: 0000598DEC5208E0:448
2024/08/04 12:30:00 [debug] 65636#65636: *34 malloc: 0000598DEC61B510:16384
2024/08/04 12:30:00 [debug] 65636#65636: *34 post event 0000598DEC5EB610
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream map started
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream script var: "enormousubdomainname.dm-ricks.com"
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC52C5C0:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream map: "enormousubdomainname.dm-ricks.com" "127.0.0.1:9433"
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream script var: "127.0.0.1:9433"
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC520AB0:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 malloc: 0000598DEC520BC0:384
2024/08/04 12:30:00 [debug] 65636#65636: *34 get rr peer, try: 1
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream socket 68
2024/08/04 12:30:00 [debug] 65636#65636: *34 epoll add connection: fd:68 ev:80002005
2024/08/04 12:30:00 [debug] 65636#65636: *34 connect to 127.0.0.1:9433, fd:68 #35
2024/08/04 12:30:00 [debug] 65636#65636: *34 proxy connect: -2
2024/08/04 12:30:00 [debug] 65636#65636: *34 event timer add: 68: 5000:85921235
2024/08/04 12:30:00 [debug] 65636#65636: *34 delete posted event 0000598DEC5EB610
2024/08/04 12:30:00 [debug] 65636#65636: *34 recv: eof:0, avail:-1
2024/08/04 12:30:00 [debug] 65636#65636: *34 recv: fd:67 314 of 16384
2024/08/04 12:30:00 [debug] 65636#65636: *34 event timer del: 68: 85921235
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream proxy connect upstream
2024/08/04 12:30:00 [error] 65636#65636: *34 connect() failed (111: Connection refused) while proxying connection, client: 42.252.189.66, server: 0.0.0.0:443, upstream: "127.0.0.1:9433", bytes from/to client:314/0, bytes from/to upstream:0/0
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream proxy next upstream
2024/08/04 12:30:00 [debug] 65636#65636: *34 free rr peer 1 4
2024/08/04 12:30:00 [debug] 65636#65636: *34 finalize stream proxy: 502
2024/08/04 12:30:00 [debug] 65636#65636: *34 close stream proxy upstream connection: 68
2024/08/04 12:30:00 [debug] 65636#65636: *34 reusable connection: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 finalize stream session: 502
2024/08/04 12:30:00 [debug] 65636#65636: *34 stream log handler
2024/08/04 12:30:00 [debug] 65636#65636: *34 posix_memalign: 0000598DEC520D50:256 @16
2024/08/04 12:30:00 [debug] 65636#65636: *34 close stream connection: 67
2024/08/04 12:30:00 [debug] 65636#65636: *34 reusable connection: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC520BC0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC61B510
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC5208E0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC51C8D0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52A7F0, unused: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52C8D0, unused: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52CAD0, unused: 8
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52CCA0, unused: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52C6D0, unused: 6
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC52C5C0, unused: 0
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC520AB0, unused: 2
2024/08/04 12:30:00 [debug] 65636#65636: *34 free: 0000598DEC520D50, unused: 56
```
Configuration

I'm using the latest nginx version with the stream module.

```
$ nginx -v
nginx version: nginx/1.27.0
```
With more or less this configuration.

```
$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    client_max_body_size 128M;

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 2048;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

stream {
    log_format log_stream '$remote_addr [$time_local] $protocol [$ssl_preread_server_name] [$ssl_preread_alpn_protocols] '
                          '$status $bytes_sent $bytes_received $session_time';
    error_log /var/log/nginx/stream.error.log debug;
    access_log /var/log/nginx/stream.access.log log_stream;
    map_hash_bucket_size 128;
    map_hash_max_size 4096;

    map $ssl_preread_server_name $target_backend {
        enormousubdomainname.dm-ricks.com 127.0.0.1:9433;
        enormousubdomainname.wordpress.com 127.0.0.1:9433;
        enormousu-bdomainname.wordpress.com 127.0.0.1:9433;
        wordpress.com 127.0.0.1:9443;
        www.wordpress.com 127.0.0.1:9443;
        crm.exemplexx.com 127.0.0.1:9443;
        sd.wordpress.com 127.0.0.1:9443;
        # ~*.dm\-ricks.com 127.0.0.1:9433;
        # *.dm-ricks.com 127.0.0.1:9443;
    }

    server {
        listen 443;
        proxy_connect_timeout 5s;
        proxy_timeout 5s;
        # resolver 1.1.1.1;
        proxy_pass $target_backend;
        ssl_preread on;
    }
}

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:
# [default configuration]

# configuration file /etc/nginx/sites-enabled/crm.exemplexx.com:
upstream crm {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name crm.exemplexx.com;
    location / {
        proxy_pass http://crm;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header Connection "";
    }
}

# configuration file /etc/nginx/sites-enabled/wordpress.com:
upstream wordpress {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name wordpress.com www.wordpress.com;
    location / {
        proxy_pass http://wordpress;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header Connection "";
    }
}

# configuration file /etc/nginx/sites-enabled/sd.dm-ricks.com:
upstream sd {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name sd.dm-ricks.com;
    location / {
        proxy_pass http://sd;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header Connection "";
    }
}

# configuration file /etc/nginx/sites-enabled/enormousubdomainname.dm-ricks.com:
upstream enormousubdomainname {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    server_name enormousubdomainname.dm-ricks.com;
    location / {
        proxy_pass http://enormousubdomainname;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header Connection "";
    }
}
[...]
```
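The debug log in the question already shows where to look: `SSL preread server name: "enormousubdomainname.dm-ricks.com"` is parsed in full and mapped to `127.0.0.1:9433`, and only the TCP `connect()` to that port is refused, so hostname length is not the failing step. `nginx -t` / `nginx -T` validate syntax only; they never open a socket to an upstream, which is why a port typo in an `ssl_preread` map survives a config test. The following script is an added example, not code from the question or from nginx: it extracts the `map $ssl_preread_server_name` block from a config dump, probes each distinct backend with a plain TCP connect (the same thing the stream proxy does before forwarding the buffered ClientHello), reports which SNI names route to a refused backend, and flags port pairs that are one keystroke apart. `SAMPLE_CONF` is a constructed fragment that mirrors the shape of the question's map; the `probe` parameter is an assumption that lets the check run offline by stubbing the connect.

```python
import re
import socket
from collections import defaultdict
from itertools import combinations

# Constructed sample mirroring the shape of the map in the question; it is
# not the author's real file. The 9433/9443 split reproduces the typo.
SAMPLE_CONF = """
stream {
    map $ssl_preread_server_name $target_backend {
        hostnames;
        enormousubdomainname.dm-ricks.com 127.0.0.1:9433;
        wordpress.com                     127.0.0.1:9443;
        www.wordpress.com                 127.0.0.1:9443;
        # *.dm-ricks.com                  127.0.0.1:9443;
        default                           127.0.0.1:9443;
    }
    server {
        listen 443;
        proxy_pass $target_backend;
        ssl_preread on;
    }
}
"""

# Non-greedy match: a map block has no nested braces, so the first '}' closes it.
MAP_BLOCK = re.compile(r"map\s+\$ssl_preread_server_name\s+\$\w+\s*\{(.*?)\}", re.S)


def parse_sni_map(conf: str) -> dict:
    """Return {sni_name: 'host:port'} from the ssl_preread map block.

    Comments are stripped; the parameter-only lines nginx allows inside a
    map ('hostnames;', 'volatile;') are skipped because they carry no
    backend. 'default' is kept as an ordinary key.
    """
    m = MAP_BLOCK.search(conf)
    if m is None:
        raise ValueError("no 'map $ssl_preread_server_name' block found")
    mapping = {}
    for raw in m.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = line[:-1].split()
        if len(tokens) != 2:
            continue
        key, backend = tokens
        mapping[key.strip("\"'")] = backend
    return mapping


def split_backend(backend: str):
    host, _, port = backend.rpartition(":")
    return host, int(port)


def _one_typo_apart(a: str, b: str) -> bool:
    """True for a single substituted digit (9433/9443) or an adjacent swap (9434/9443)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) == 1:
        return True
    if len(diff) == 2 and diff[1] == diff[0] + 1:
        i = diff[0]
        return a[i] == b[i + 1] and a[i + 1] == b[i]
    return False


def near_miss_ports(ports) -> list:
    """Pairs of distinct ports that look like typos of one another."""
    return [(a, b) for a, b in combinations(sorted(set(ports)), 2)
            if _one_typo_apart(str(a), str(b))]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Default probe: a bare TCP connect, which is all the stream proxy needs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_sni_map(conf: str, probe=tcp_reachable) -> dict:
    """Probe every distinct backend once; report refused backends by SNI name."""
    mapping = parse_sni_map(conf)
    status = {}
    unreachable = defaultdict(list)
    for name, backend in mapping.items():
        if backend not in status:
            status[backend] = probe(*split_backend(backend))
        if not status[backend]:
            unreachable[backend].append(name)
    ports = [split_backend(b)[1] for b in mapping.values()]
    return {
        "backends": status,
        "unreachable": dict(unreachable),
        "typo_candidates": near_miss_ports(ports),
    }


if __name__ == "__main__":
    # On the real box drop the probe argument so it really connects to 127.0.0.1;
    # here a stub stands in for a host where only port 9443 is listening.
    report = audit_sni_map(SAMPLE_CONF, probe=lambda h, p: p == 9443)
    for backend, names in report["unreachable"].items():
        print(f"{backend} refused; SNI names affected: {', '.join(names)}")
    for a, b in report["typo_candidates"]:
        print(f"ports {a} and {b} look like a one-keystroke typo")
```

Feed it `sudo nginx -T` output and the refused backend shows up next to every SNI name that routes to it, which is the shortest path from the `connect() failed (111: Connection refused)` line to the map entry that caused it. Two side notes on the commented-out lines in the map: nginx only treats `*.dm-ricks.com` as a suffix mask when the map block contains the `hostnames;` parameter (without it the key is matched literally), and a `~*` entry is an unanchored case-insensitive regex, so `~*.dm\-ricks.com` also matches any name that merely contains `dm-ricks.com`. To confirm SNI routing end to end from the front proxy itself, `openssl s_client -connect 127.0.0.1:443 -servername enormousubdomainname.dm-ricks.com` sends exactly the ClientHello that `ssl_preread` inspects.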