我有 nginx+letsencrypt ssl 证书,它适用于除带有 Safari 的新 iOS 之外的所有设备。它在 iPhone 4 上运行良好,但在 iPhone 5 和更新版本上却不行。
我在 nginx 日志中看到多个请求:
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
...
and ends with 499 code
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 499 5998 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
和 Safari 浏览器中的空白页面。
HTTP 部分 ngixn 配置:
##
# SSL Settings
##
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
域的 SERVER 部分:
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
location / {
proxy_pass http://localhost:40011/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
Nginx 与 Apache 2.4.23 一起使用
<VirtualHost localhost:40011>
Protocols h2 http/1.1
AddDefaultCharset UTF-8
ServerName localhost
ServerAdmin [email protected]
DocumentRoot /var/www/domain.com/public
DirectoryIndex index.php
SetEnvIf X-Forwarded-Proto https HTTPS=on
<Directory /var/www/domain.com/public>
Order Allow,Deny
Allow From All
AllowOverride None
Options FollowSymLinks
</Directory>
</VirtualHost>
Apache 日志包含相同的请求:
127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6121 "-" "Mozilla/5.0 (iPhone; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
...在 Safari 中仍然是空白页。
这似乎不是 SSL(或 Let's encrypt)的问题。请求显示在您的日志文件中的事实证明请求顺利通过(SSL 握手在实际请求到达服务器之前完成)。
谷歌搜索
nginx http 499表明 nginx 使用此(非官方)返回代码来指示客户端在 nginx 能够发送 answer 之前关闭了连接。最可能的原因是服务器上的脚本运行时间过长,以至于客户端认为连接超时并关闭连接。这可以通过减少允许脚本运行的时间来“解决”(如果 nginx 支持这一点,我知道使用 apache 是可能的)。当然这并不能解决实际问题,它只是更改错误代码并将其报告给客户端。
如果原因是一个长时间运行的脚本,您将不得不在服务器端调试脚本以确定它的哪一部分需要这么长时间。
客户端是移动设备的另一种可能性可能是它只是一个错误的连接导致连接被丢弃。
Nginx 无法通过 h2 协议代理到 Apache:
删除这条线解决了问题,但我仍然不明白为什么它只发生在 iOS 10 设备上。
现在在 iOS 12 上面临相同/类似的问题,使用 http2 启用了 nginx 1.16.0 代理到 apache。解决方法是在 nginx 上禁用 http2,此处描述了正确的解决方案https://trac.nginx.org/nginx/ticket/915或https://trac.nginx.org/nginx/ticket/1150 - 添加
proxy_hide_header Upgrade;将解决该问题. 使用 Upgrade 标头(可能仅),iOS 无法处理“协议升级请求”以及该请求已经在 http2 中。apache 2.4 和 mod_proxy 上的相同代理可以正常工作,因为默认情况下此标头不会转发给客户端。