A question for the forum:
The architecture is as follows:

Internet --> Firewall ----> Nginx ------> Web (Tomcat)
             (NAT loopback) (reverse proxy)
                |<----------- internal User

Internal users reach nginx through the firewall (NAT loopback is configured on the firewall).
URL: https://eshop.tej.com.tw
But the page always comes back with ERR_CONNECTION_TIMED_OUT.
The nginx configuration is as follows:
server {
    listen 80;
    server_name eshop.tej.com.tw;   # change to your domain name
    server_tokens off;
    # plain HTTP only exists to redirect to HTTPS
    return 301 https://eshop.tej.com.tw$request_uri;
}

server {
    listen 443 ssl;
    server_name eshop.tej.com.tw;   # change to your domain name
    server_tokens off;

    # resolver is required for ssl_stapling: nginx resolves the OCSP responder hostname with it
    resolver 8.8.4.4 valid=3600s;

    ssl_certificate     /etc/nginx/tej/domaincert.cer;
    ssl_certificate_key /etc/nginx/tej/server.key;
    ssl_dhparam         /etc/nginx/dhparam.pem;
    ssl_session_cache   shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    # TLSv1.1 is deprecated; TLSv1.2 (and TLSv1.3 on OpenSSL 1.1.1+) is enough for current browsers
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
    ssl_stapling on;
    ssl_stapling_verify on;

    # note: the HSTS preload list requires "includeSubDomains" as well as "preload"
    add_header Strict-Transport-Security "max-age=31536000; preload";

    location / {
        # pass the real client address and original Host header through to Tomcat
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host            $http_host;
        proxy_set_header X-NginX-Proxy   true;
        proxy_pass http://10.10.10.77:8080/E-Shop;   # change to your internal server IP
        # proxy_redirect off;
    }
}
I don't know how to solve this. Anyone with experience, please share your advice.
Thanks!
Finally found the problem!
It was because the kernel parameter net.ipv4.tcp_tw_recycle = 1 was enabled in /etc/sysctl.conf.
It has to be set to net.ipv4.tcp_tw_recycle = 0.
Source: https://www.gushiciku.cn/pl/pZqM/zh-tw
For example, if the server has recorded that the most recent packet from the machine 10.10.10.10 arrived at 10:41, then any packet arriving from 10.10.10.10 with a timestamp earlier than that will be rejected. A curious reader might then ask: shouldn't that timestamp always be increasing? Normally that is right and there is no problem, but in a NAT environment it is very hard to guarantee that the clocks of all the machines behind it are synchronized, so some packets end up being rejected by the server. So use this parameter with care; enabling it is not recommended!!!
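To make the quoted explanation concrete, here is an added simulation (not from the post or the linked article) of the per-source-IP timestamp check that tcp_tw_recycle enabled on Linux kernels before 4.12. The model is simplified: it keeps, per peer IP, the largest TCP timestamp value seen when a connection entered TIME_WAIT, and drops a new SYN from that IP whose timestamp is smaller, as long as the stored entry is younger than 60 seconds. The constants PAWS_MSL and PAWS_WINDOW mirror the kernel's TCP_PAWS_MSL and TCP_PAWS_WINDOW; the NAT address and the three hosts behind it are constructed sample traffic, and host names are labels only, since the server never sees them.

```python
"""Why net.ipv4.tcp_tw_recycle silently drops SYNs from clients behind NAT.

Simplified model of the pre-4.12 Linux check; hosts, addresses and timestamps
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PAWS_MSL = 60      # seconds a stored per-peer timestamp stays "fresh" (TCP_PAWS_MSL)
PAWS_WINDOW = 1    # tolerated backwards jitter in timestamp ticks (TCP_PAWS_WINDOW)

NAT_IP = "203.0.113.10"   # the single address the server sees for every internal host


@dataclass
class Syn:
    host: str      # real machine behind the NAT (label only)
    src_ip: str    # source address as seen by the server (shared after NAT)
    ts_val: int    # TSval from the TCP timestamp option, driven by the host's own clock
    arrival: int   # server wall-clock second at which the SYN arrived


@dataclass
class Server:
    tw_recycle: bool
    # peer IP -> (largest TSval seen at TIME_WAIT, server time it was recorded)
    peers: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def accept_syn(self, syn: Syn) -> bool:
        """Return False when the kernel would drop the SYN (client sees a timeout)."""
        if not self.tw_recycle:
            return True
        entry = self.peers.get(syn.src_ip)
        if entry is None:
            return True
        last_ts, stamp = entry
        fresh = stamp + PAWS_MSL >= syn.arrival
        # A "fresh" entry whose timestamp is ahead of the new SYN looks like an old
        # duplicate to the server, even though it is just another host's clock.
        return not (fresh and last_ts - syn.ts_val > PAWS_WINDOW)

    def close_connection(self, syn: Syn) -> None:
        """On TIME_WAIT with recycle on, remember the peer's TSval if it is the largest so far."""
        if not self.tw_recycle:
            return
        last_ts, _ = self.peers.get(syn.src_ip, (-1, 0))
        if syn.ts_val >= last_ts:
            self.peers[syn.src_ip] = (syn.ts_val, syn.arrival)


def nat_traffic() -> List[Syn]:
    """Constructed sample: three hosts with unsynchronised timestamp clocks share NAT_IP."""
    return [
        Syn("hostA", NAT_IP, 1_000_000, 0),
        Syn("hostC", NAT_IP, 2_000_000, 5),    # hostC's clock runs far ahead
        Syn("hostB", NAT_IP,   500_000, 10),   # hostB's clock runs far behind
        Syn("hostA", NAT_IP, 1_000_015, 15),
        Syn("hostC", NAT_IP, 2_000_020, 20),
        Syn("hostB", NAT_IP,   500_080, 90),   # 90s later: stored entry is no longer fresh
    ]


def simulate(tw_recycle: bool) -> List[Tuple[str, bool]]:
    """Replay the sample SYNs; each accepted one is a short exchange that ends in TIME_WAIT."""
    server = Server(tw_recycle)
    results: List[Tuple[str, bool]] = []
    for syn in nat_traffic():
        ok = server.accept_syn(syn)
        results.append((syn.host, ok))
        if ok:
            server.close_connection(syn)
    return results


def dropped_hosts(tw_recycle: bool) -> List[str]:
    return [host for host, ok in simulate(tw_recycle) if not ok]


if __name__ == "__main__":
    for setting in (1, 0):
        print(f"net.ipv4.tcp_tw_recycle = {setting}")
        for host, ok in simulate(bool(setting)):
            print(f"  SYN from {host:5s} via {NAT_IP}: {'accepted' if ok else 'DROPPED'}")
```

With recycle on, hostC's fast clock poisons the shared entry and the next SYNs from hostA and hostB are dropped until the entry ages past 60 seconds; with recycle off every SYN is accepted, which is exactly the change from 1 to 0 in /etc/sysctl.conf. The same effect hits the firewall's NAT loopback path in the question, because all internal users appear to nginx as one source address.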