
Rails cable 在建立连接时出错:net::ERR_SSL_PROTOCOL_ERROR

  • Matrix  · 技术社区  · 4 年前

    我有一个rails 6应用程序,带有/cable websocket和nginx反向代理

    我将相同的配置放在另一台服务器上(工作正常):

    在 production.rb 中:

    # WebSocket URL that browsers are told to connect to.
    # NOTE(review): this sends clients straight to port 8001 with the wss:// scheme, but the
    # port-8001 vhost shown further down has no `ssl` on its listen lines; the TLS-terminating
    # proxy is on 443 (location /cable). The URL should be the one end users actually reach.
    config.action_cable.url                     = 'wss://domain.fr:8001/cable'
    # Origins allowed to open a cable connection.
    # NOTE(review): the plain http:// origin is accepted as well; if the site is only
    # served over HTTPS it can probably be dropped — confirm.
    config.action_cable.allowed_request_origins = ['https://domain.fr', 'http://domain.fr']
    # Path at which the cable server is exposed.
    config.action_cable.mount_path              = '/cable'
    

    路线:

    # Mounts the Action Cable server in the application's routes at /cable.
    mount ActionCable.server => '/cable'
    

    在JS中:

    # Opens the consumer against port 8001 directly rather than through the 443 proxy.
    # NOTE(review): wss:// makes the browser start a TLS handshake on that port, so the
    # listener behind it has to speak TLS — compare with the port-8001 vhost below.
    ActionCable.createConsumer 'wss://domain.fr:8001/cable'
    

    在代理中:

     # TLS-terminating reverse proxy for domain.fr on 443: everything goes to 127.0.0.1:90,
     # /cable goes to 127.0.0.1:8001, both over plain HTTP on loopback.
     server {
        listen   443 ssl http2;
        server_name domain.fr;
    
        # NOTE(review): server_name lists only domain.fr, so whether www.* requests ever
        # reach this block depends on the other server blocks / default server — verify.
        if ($host ~ '^www\.') { return 301 https://domain.fr$request_uri; }
    
        ssl_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.fr/privkey.pem;
    
        # OCSP stapling, with the stapled response verified against the trusted chain below.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
    
        ssl_session_timeout 5m;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); consider restricting this
        # to TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL build supports it).
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # NOTE(review): besides the AEAD ECDHE/DHE suites at the front, this list still admits
        # CBC-mode suites, static-RSA key exchange (AES128-SHA etc.), CAMELLIA and
        # DES-CBC3-SHA (3DES; `!DES` does not exclude it). Consider trimming to a current
        # AEAD-only list.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        # NOTE(review): DH parameters are read from a user's home directory; make sure the
        # file is not writable by unprivileged accounts.
        ssl_dhparam /home/liberty/dhparams.pem;
    
        # Proxy headers are set at server level; the locations below define no
        # proxy_set_header of their own, so they inherit all of these.
        # $http_host is the Host header exactly as the client sent it.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # HTTP/1.1 plus Upgrade/Connection are what lets the WebSocket handshake pass through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header  X-Forwarded-Ssl on; # Optional
        proxy_set_header  X-Forwarded-Port $server_port;
        proxy_set_header  X-Forwarded-Host $host;
    
    
        location / {
                proxy_pass         http://127.0.0.1:90;
        }
    
        # WebSocket endpoint: TLS ends here and the request continues as plain HTTP to the
        # cable listener on 8001, so clients only need wss://domain.fr/cable on 443.
        location /cable {
                proxy_pass         http://127.0.0.1:8001;
        }
    
    
        access_log  /var/log/rsh_proxy.access.log;
        error_log  /var/log/rsh_proxy.error.log;
    
        # Long-lived caching for static-looking URIs; the `cache` zone is defined elsewhere
        # (no proxy_cache_path is shown here).
        # NOTE(review): there is no literal `\.` before the extension group, so any URI that
        # merely ends in one of these strings matches, and regex locations win over the
        # prefix locations above. Verify that no per-user or authenticated response can be
        # stored by this 9999-day cache.
        location ~*^.+(swf|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
            proxy_pass http://127.0.0.1:90;
            proxy_cache cache;
            proxy_cache_valid 9999d;
            expires max;
        }
    }
    

    在vhost中:

    # Passenger vhost that runs the standalone Action Cable app (cable/config.ru).
    # The listen lines carry no `ssl` parameter and no address, so this is a plain-HTTP
    # listener on port 8001 on every IPv4 and IPv6 address. A browser that connects here
    # with wss:// sends a TLS ClientHello, which nginx cannot parse as an HTTP request;
    # that is consistent with the 400 entries starting with "\x16\x03\x01" in the access
    # log quoted below.
    # NOTE(review): the 443 proxy reaches this vhost over 127.0.0.1, so binding to loopback
    # (e.g. `listen 127.0.0.1:8001;`) or firewalling 8001 would keep the unencrypted
    # endpoint from being reachable directly — confirm nothing else needs external access.
    server {
        listen 8001 default_server;
        listen [::]:8001 default_server ipv6only=on;
        server_name domain.fr;
        root /var/www/domain/public;
        passenger_enabled on;
        passenger_app_group_name MYAPP_action_cable;
        passenger_app_type rack;
        passenger_startup_file cable/config.ru;
        # 0 lifts Passenger's per-process concurrency limit, as long-lived WebSocket
        # connections would otherwise occupy all request slots.
        passenger_force_max_concurrent_requests_per_process 0;
    
        access_log  /var/log/rsh_cable.access.log combined;
        error_log  /var/log/rsh_cable.error.log;
    }
    

    我尝试重新启动nginx,但没有任何变化

    chrome控制台中的错误:

    WebSocket 连接 'wss://domain.fr:8001/cable' 失败:建立连接时出错:net::ERR_SSL_PROTOCOL_ERROR

    PS:防火墙中的端口处于打开状态;)

    编辑:/var/log/rsh_cable.access.log 中的日志:

    37.170.142.84 - - [29/Jul/2020:02:34:13 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x9F\x19\x1E\xA7\x96\xDBC\x98\x92\xCC.<S\xBC\x02\x04Jd\xB4M\x03uK\xA8\x1D\xEE\x0B\x96\xA2]\x1A\xD6 \x08\x1C\xC73/f\x8CaA\xFD/\xAA\xFE\xC1\xCB\x9A+\x9A(8)\xD7\xE1\xB8nR\x15!\x99\xD4^\xEA\x00\x22\x9A\x9A\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-"
    37.170.142.84 - - [29/Jul/2020:02:34:17 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"
    37.170.142.84 - - [29/Jul/2020:02:34:32 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03Y\xBD\x08i\x1D\x9C\x83{\x0B\xE3\x9E\x02P\x99\xBDJ@\xD5\xFB50\x17 T\x10\xB3\x09O\xFA9\x07: \xEE\x1A\xE9x\xC3oI\xE1\xB7b\x5C\xD3\xF8\xE1\x03\xF0\x86(\xAB\xB1\xB9\xEA=d\x19\xB0ul\x8D\xF0\xED\x8B\x00 \xDA\xDA\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x93\x9A\x9A\x00\x00\x00\x00\x00\x0E\x00\x0C\x00\x00\x09domain.fr\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 157 "-" "-"
    37.170.142.84 - - [29/Jul/2020:02:34:32 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xA30O\xF7\xF0\x09" 400 157 "-" "-"
    37.170.142.84 - - [29/Jul/2020:02:34:54 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x97\x04b" 400 157 "-" "-"
    37.170.142.84 - - [29/Jul/2020:02:34:54 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xEAx\x19\x0Bg\xEB:E\x13x\x87WVd\xD4\xCFXA-\xD4\x09v\x17\xCC\xA4x\x19xP\xCA\xAB\xD8 )\x07+\xF4\xFA=U\xB1z\xDE\xD9\x1D\x11\xCFE\xF3\x97/\xC1y!\xE7u\xE68@&\xD7\xCF\xEB\xB5\x90\x00 JJ\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x93JJ\x00\x00\x00\x00\x00\x0E\x00\x0C\x00\x00\x09domain.fr\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 157 "-" "-"
    
  •   Vasfed    4 年前

    在配置中,您应该指定最终用户可以访问的最终actioncable url。

    因为您使用了额外的代理,所以该 URL 应为 wss://www.domain.fr/cable ;并且端口 8001 应该在防火墙中关闭,只允许代理访问,因为该端口没有做 SSL 终止(因此出现 SSL 错误)

    还要确保代理使用 HTTP 1.1,并正确转发必要的头:

    # Forwards /cable from the TLS-terminating server block to the cable backend on
    # loopback, so browsers connect with wss:// on the proxy's port and never reach 8001.
    location /cable {
      proxy_pass         http://127.0.0.1:8001;
      # WebSocket handshake: HTTP/1.1 plus the Upgrade/Connection pair must be passed on.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    
      # not always needed, but in some setups can be necessary:
      # NOTE(review): declaring any proxy_set_header here stops inheritance of the ones set
      # at server level, so this location must list every header it needs. The backend
      # should trust these forwarded values only while port 8001 is unreachable except
      # through the proxy; a direct client could otherwise supply them itself.
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-By    $server_addr:$server_port;
      proxy_set_header X-Real-IP         $remote_addr;
    }