
Reverse-proxied Google; Firefox shows "Corrupted Content Error" (v35, 36b2)

  Niphor · 2015-01-22 03:10:23 +08:00 · 2294 views
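    I set this up on a VPS yesterday, using a free StartSSL certificate.

    For nginx, to save effort, I directly used
    https://github.com/cuber/ngx_http_google_filter_module

    Since StartSSL includes a non-www domain by default, I configured a separate vhost for the non-www one.

    The reverse proxy only listens on the domain whose server_name is www.xxx.xx:443.

    Now here is the problem: https://xxx.xx can be accessed in Firefox, and the page is visible.

    Only the reverse-proxied https://www.xxx.xx shows `Corrupted Content Error` directly in Firefox.

    Other browsers such as UC and Chrome all work normally.

    I really can't think of the cause; please help me solve this.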

    ```
    # nginx -V
    nginx version: nginx/1.7.9
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
    TLS SNI support enabled
    ```

    SSL configuration
    ```
    #SSL Certificate
    ssl_certificate /etc/nginx/certs/xxx.xx.crt;
    ssl_certificate_key /etc/nginx/certs/xxx.xx.key;
    #TLS only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #SSL Session Cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    #OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/xxx.xx.crt;
    resolver 8.8.8.8;
    #Disable Beast Attacks
    ssl_prefer_server_ciphers on;
    #ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
    #Stronger DHE Parameters
    ssl_dhparam /etc/nginx/certs/dh.pem;
    #HSTS
    add_header Strict-Transport-Security "max-age=31536000";
    ```
    4 replies · 2015-01-22 14:51:34 +08:00

    luo362722353 · #1 · 2015-01-22 04:10:30 +08:00 via iPhone
    I'll paste my demo; OP, take a look and see if there's anything we can learn from each other… I'm a newbie too.

    ```
    sudo apt-get update && sudo apt-get upgrade
    sudo apt-get install libpcre3 libpcre3-dev zlib1g-dev libssl-dev build-essential git
    mkdir nginx && cd nginx
    wget http://nginx.org/download/nginx-1.7.9.tar.gz
    tar -xvf nginx-1.7.9.tar.gz
    git clone https://github.com/cuber/ngx_http_google_filter_module
    git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
    cd nginx-1.7.9
    mkdir /var/tmp/nginx

    ./configure \
      --prefix=/usr \
      --conf-path=/etc/nginx/nginx.conf \
      --pid-path=/var/run/nginx.pid \
      --lock-path=/var/lock/nginx.lock \
      --http-client-body-temp-path=/var/tmp/nginx/client \
      --http-proxy-temp-path=/var/tmp/nginx/proxy \
      --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
      --http-scgi-temp-path=/var/tmp/nginx/scgi \
      --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
      --with-http_ssl_module \
      --with-http_gzip_static_module \
      --with-ipv6 \
      --with-http_sub_module \
      --add-module=/root/nginx/ngx_http_google_filter_module \
      --add-module=/root/nginx/ngx_http_substitutions_filter_module

    make && make install
    ```

    ```
    cd /etc/init.d/
    vi nginx
    ```

    ```
    #!/bin/sh

    ### BEGIN INIT INFO
    # Provides: nginx
    # Required-Start: $local_fs $remote_fs $network $syslog
    # Required-Stop: $local_fs $remote_fs $network $syslog
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: starts the nginx web server
    # Description: starts nginx using start-stop-daemon
    ### END INIT INFO

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/nginx
    NAME=nginx
    DESC=nginx

    # Include nginx defaults if available
    if [ -f /etc/default/nginx ]; then
        . /etc/default/nginx
    fi

    test -x $DAEMON || exit 0

    set -e

    . /lib/lsb/init-functions

    test_nginx_config() {
        if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
            return 0
        else
            $DAEMON -t $DAEMON_OPTS
            return $?
        fi
    }

    case "$1" in
        start)
            echo -n "Starting $DESC: "
            test_nginx_config
            # Check if the ULIMIT is set in /etc/default/nginx
            if [ -n "$ULIMIT" ]; then
                # Set the ulimits
                ulimit $ULIMIT
            fi
            start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
                --exec $DAEMON -- $DAEMON_OPTS || true
            echo "$NAME."
            ;;

        stop)
            echo -n "Stopping $DESC: "
            start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
                --exec $DAEMON || true
            echo "$NAME."
            ;;

        restart|force-reload)
            echo -n "Restarting $DESC: "
            start-stop-daemon --stop --quiet --pidfile \
                /var/run/$NAME.pid --exec $DAEMON || true
            sleep 1
            test_nginx_config
            # Check if the ULIMIT is set in /etc/default/nginx
            if [ -n "$ULIMIT" ]; then
                # Set the ulimits
                ulimit $ULIMIT
            fi
            start-stop-daemon --start --quiet --pidfile \
                /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
            echo "$NAME."
            ;;

        reload)
            echo -n "Reloading $DESC configuration: "
            test_nginx_config
            start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid \
                --exec $DAEMON || true
            echo "$NAME."
            ;;

        configtest|testconfig)
            echo -n "Testing $DESC configuration: "
            if test_nginx_config; then
                echo "$NAME."
            else
                exit $?
            fi
            ;;

        status)
            status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
            ;;
        *)
            echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
            exit 1
            ;;
    esac

    exit 0
    ```

    ```
    sudo chmod +x ./nginx
    sudo update-rc.d nginx defaults

    rm -rf /etc/nginx/nginx.conf
    vi /etc/nginx/nginx.conf
    ```

    ```
    worker_processes 4;
    pid /var/run/nginx.pid;

    events {
        worker_connections 768;
    }

    http {

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        proxy_temp_file_write_size 128k;
        proxy_temp_path /var/cache/nginx/temp;
        proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=cache_one:100m inactive=7d max_size=10g;

        gzip_static on;
        gzip on;
        gzip_disable "msie6";

        include /etc/nginx/sites-enabled/*;
    }
    ```

    ```
    mkdir -p /etc/nginx/sites-enabled
    mkdir -p /var/log/nginx
    mkdir -p /var/cache/nginx/cache
    mkdir -p /var/cache/nginx/temp

    nginx -t

    mkdir -p /root/ssl && cd /root/ssl
    vi domain.crt
    vi domain.key
    vi /etc/nginx/sites-enabled/google.conf
    ```


    ```
    server {
        listen 80;
        server_name xxx.pt www.xxx.pt;
        return 301 https://www.xxx.pt$request_uri;
    }

    server {
        listen 443 ssl;
        server_name xxx.pt www.xxx.pt;

        ssl on;
        ssl_certificate /root/ssl/xxx.pt.crt;
        ssl_certificate_key /root/ssl/xxx.pt.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
        keepalive_timeout 70;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        resolver 8.8.8.8;

        location / {
            google on;
            google_scholar on;
            google_robots_allow on;
        }
    }
    ```
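
    Niphor · #2 · OP · 2015-01-22 10:32:31 +08:00
    @luo362722353 Thanks for the reply.
    My configuration is basically the same as yours, and using your configuration directly doesn't work either.

    Also, turning on debug for error_log doesn't show any information either...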

    luo362722353 · #3 · 2015-01-22 12:14:36 +08:00 via iPhone
    @Niphor https://ibd.pt https://www.ibd.pt take a look, there doesn't seem to be anything wrong
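
    Niphor · #4 · OP · 2015-01-22 14:51:34 +08:00   ❤️ 1
    @luo362722353 I tried a lot of things and finally found that it seems to be caused by spdy
    ```
    listen 443 ssl spdy;
    ```

    The reverse-proxied Google doesn't work in Firefox and reports `Corrupted Content Error`, but the non-proxied links are fine and report no error.

    Looking at it in Chrome, it uses spdy and works perfectly fine.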
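
The last reply attributes the Firefox error to `spdy` on the `listen` directive of the vhost that runs the Google filter. As an added example (not part of the thread or of the module's code), this Python script scans nginx configuration text for server blocks that combine the two; the sample config and its hostnames are constructed.

```python
import re

# Constructed sample config (not from the thread): only the first vhost
# combines "spdy" on listen with the google filter module.
SAMPLE_CONF = """
server {
    listen 443 ssl spdy;
    server_name www.example.test;
    location / { google on; }
}
server {
    listen 443 ssl spdy;
    server_name example.test;
    root /var/www/html;
}
server {
    listen 443 ssl;
    server_name plain.example.test;
    location / { google on; }
}
"""

def server_blocks(conf):
    """Yield the body of each 'server { ... }' block, found by brace matching."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments (ignores '#' inside quotes)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def spdy_google_vhosts(conf):
    """Return the server_name lists of vhosts with both spdy and 'google on'."""
    hits = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        has_spdy = any("spdy" in args.split() for args in listens)
        has_google = re.search(r"\bgoogle\s+on\s*;", body) is not None
        if has_spdy and has_google:
            names = re.search(r"\bserver_name\s+([^;]+);", body)
            hits.append(names.group(1).split() if names else ["<unnamed>"])
    return hits

if __name__ == "__main__":
    for names in spdy_google_vhosts(SAMPLE_CONF):
        print("spdy + google filter in vhost:", " ".join(names))
```

Run it against the concatenated contents of the files under `sites-enabled`; a flagged vhost is a candidate for testing with `spdy` removed from its `listen` line.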