我有Nginx letsencrypt ssl证书,它适用于所有新的iOS和Safari.它适用于iPhone 4,但是iPhone 5和更新版本没有.
我在Nginx日志中看到多个请求:
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; cpu iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5999 "REFERER" "Mozilla/5.0 (iPhone; cpu iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 200 5998 "REFERER" "Mozilla/5.0 (iPhone; cpu iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
...
and ends with 499 code
IPADDRESS - - [03/Dec/2016:10:08:08 +0000] "GET / HTTP/2.0" 499 5998 "-" "Mozilla/5.0 (iPhone; cpu iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
Safari浏览器中的空白页面.
HTTP部分ngixn配置:
##
# SSL Settings
##
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3,ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_dhparam /etc/Nginx/ssl/dhparams.pem;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
域的SERVER部分:
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
location / {
proxy_pass http://localhost:40011/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
Nginx与Apache 2.4.23一起使用
PHP
SetEnvIf X-Forwarded-Proto https HTTPS=on
Apache日志包含相同的请求:
127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; cpu OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; cpu OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
127.0.0.1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6122 "-" "Mozilla/5.0 (iPhone; cpu OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
::1 - - [05/Dec/2016:14:36:00 +0000] "GET / HTTP/1.0" 200 6121 "-" "Mozilla/5.0 (iPhone; cpu OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML,like Gecko) Version/10.0 Mobile/14B100 Safari/602.1"
…仍然是Safari中的空白页面.
最佳答案
这似乎不是SSL(或让我们加密)的问题.事实上,请求显示在您的日志文件中证明请求通过正常(SSL握手在实际请求到达服务器之前完成).
Nginx http 499的一点点Google搜索显示Nginx使用此(非官方)返回代码到indicate that the client closed the connection before nginx was able to send an answer.
最可能的原因是服务器上的脚本需要很长时间才能运行,客户端认为连接超时并关闭连接.这可以通过减少允许脚本运行的时间来“解决”(如果Nginx支持这一点,我知道可以使用apache).当然,这并不能解决实际问题,它只会更改错误代码并将其报告给客户端.
如果原因是长时间运行的脚本,则必须在服务器端调试脚本以确定它的哪个部分需要这么长时间.
客户端是移动设备的另一种可能性是,它只是一个错误的连接,导致连接被丢弃.