
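The website is accessed through an frp tunnel (NAT traversal);

nginx reverse proxy: Safari cannot access the website

Synology Nginx error log file: /var/log/nginx/error.log

Command to restart nginx: sudo synoservicecfg --restart nginx

Location of the original configuration files: /usr/syno/share/nginx

QNAP: /etc/config/apache/apache.conf

Check the Apache version: /usr/local/apache/bin/apache -v or /usr/local/apache/bin/apachectl -v

http://nginx.org/en/docs/http/ngx_http_proxy_module.html     Module ngx_http_proxy_module

When the website is served through nginx, Safari reports:

  1. The browser cannot open the page. The error is: "The operation couldn't be completed. Protocol error"
    (nsposixerrordomain:100)
  2. The browser cannot open the page because it could not establish a secure connection to the server

Through nginx, Safari can access static pages without problems;

Without nginx, Safari can also access the website;

The problem is probably in nginx (to be verified)

https://www.jianshu.com/p/ec66b9f85778    Fix for: nginx reverse proxy, Safari cannot access the website (HTTP/2.0 request timeout).

https://blog.csdn.net/wangzan18/article/details/105514708   NSPOSIXErrorDomain:100 error

https://jingyan.baidu.com/article/ca00d56c01f549e99eebcffa.html   How to fix "Error NSPOSIXErrorDomain"

The operation couldn't be completed. Protocol error (NSPOSIXErrorDomain Code=100)

Some other websites that are also behind the nginx reverse proxy can be accessed without problems; so the problem should be in the website itself?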

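The following had no effect

In some cases it was only necessary to add a line in htaccess

Header unset Upgrade

https://www.jianshu.com/p/0f0f6dcef451

Tell the server-side colleagues to disable HTTP 2.0; I don't know how to do that

Change proxy_hide_header in the nginx proxy configuration to Upgrade (to be verified)

proxy_hide_header Upgrade

https://bz.apache.org/bugzilla/show_bug.cgi?id=59311    Do not send "Upgrade: h2" header to HTTP/1.1 clients when SSL/TLS is used

https://www.nginx.cn/5595.html           nginx reverse proxy for Synology

Adding proxy_hide_header Upgrade to /etc/nginx/proxy.conf had no effect;

/usr/syno/share/nginx# vi Portal.mustache, then after proxy_http_version 1.1; add (the double quotes are not needed) "proxy_hide_header Upgrade;" and restart with sudo synoservicecfg --restart nginx; nginx -T shows that proxy_hide_header Upgrade was added, but it still does not work;

With this change, opening the website without going through the frp tunnel works; (it seems that restarting the website server was enough. Lesson learned: if a restart solves the problem, don't spend time researching it)

Adding proxy_hide_header Upgrade to /usr/local/etc/nginx/conf.d/main.conf causes a NAS system error; after boot the NAS reports "DSM encountered a problem and cannot start normally. Please contact the Synology support team for help."
/var/log/nginx/error.log shows: "proxy_hide_header" directive is not allowed here in /etc/nginx/conf.d/main.conf:1

Nginx basics: explanation of common proxy (reverse proxy) configuration directives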

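Over ssh: curl -v --http2 --head https://10001blog.xslinc.com

It gives an error: curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

Bypassing nginx, curl -v --http2 --head https://192.168.31.222:xxxx gives no error

https://kiwenlau.com/2019/10/28/speedup-fundebug-by-using-http2/

https://ipv6.ustc.edu.cn/                HTTP, HTTPS and HTTP/2 support status of websites

iOS clients use HTTP/2 by default, and the API request is a POST. Based on the following, a bug in the nginx version that affects iOS clients was identified.

Cause:

To reduce network latency, many HTTP/2 clients send other frames at the same time as they establish the HTTP/2 connection, including the DATA frames used to POST data.
Nginx, however, keeps the initial window size set to 0 until the client has received the SETTINGS frame.
In other words, DATA frames that the client sends before it receives the SETTINGS frame are rejected by Nginx with a REFUSED_STREAM frame. Some clients, after receiving a REFUSED_STREAM frame,
report a connection failure instead of retrying, and this is what causes the bug.

Google Chrome - F12 - Network

https://help.poralix.com/articles/iphone-does-not-open-https-site-safari-nsposixerrordomain

https://megamorf.gitlab.io/2019/08/27/safari-nsposixerrordomain-100-error-with-nginx-and-apache.html     Safari NSPOSIXErrorDomain:100 error with nginx and Apache (explains it fairly thoroughly)

Debugging on a Mac host: HTTP/2 turns out to have a problem; curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)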

xie3fadeMac:~ xie3fa$ curl -v --http2 --head https://10001blog.xslinc.com
* Rebuilt URL to: https://10001blog.xslinc.com/
* Trying 107.150.121.176...
* TCP_NODELAY set
* Connected to 10001blog.xslinc.com (107.150.121.176) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.xie3fa.top
* start date: Jun 27 14:55:12 2020 GMT
* expire date: Sep 25 14:55:12 2020 GMT
* subjectAltName: host "10001blog.xslinc.com" matched cert's "*.xslinc.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe7d200a200)
> HEAD / HTTP/2
> Host: 10001blog.xslinc.com
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2]
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

HTTP/1.1 works without problems;  Connection #0 to host 10001blog.xslinc.com left intact

xie3fadeMac:~ xie3fa$ curl -v --http1.1 --head https://10001blog.xslinc.com
* Rebuilt URL to: https://10001blog.xslinc.com/
* Trying 107.150.121.176...
* TCP_NODELAY set
* Connected to 10001blog.xslinc.com (107.150.121.176) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.xie3fa.top
* start date: Jun 27 14:55:12 2020 GMT
* expire date: Sep 25 14:55:12 2020 GMT
* subjectAltName: host "10001blog.xslinc.com" matched cert's "*.xslinc.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: 10001blog.xslinc.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Mon, 29 Jun 2020 16:53:39 GMT
Date: Mon, 29 Jun 2020 16:53:39 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=20
Keep-Alive: timeout=20
< Link: <https://10001blog.xslinc.com/index.php?rest_route=/>; rel="https://api.w.org/"
Link: <https://10001blog.xslinc.com/index.php?rest_route=/>; rel="https://api.w.org/"
< Upgrade: h2
Upgrade: h2
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Strict-Transport-Security: max-age=15768000; includeSubdomains; preload
Strict-Transport-Security: max-age=15768000; includeSubdomains; preload

<
* Connection #0 to host 10001blog.xslinc.com left intact
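
The two traces above can be correlated mechanically: take the header that nghttp2 rejected in the HTTP/2 run, confirm the same header is visible in the HTTP/1.1 response, and print the proxy_hide_header line these notes experiment with. This is an added example, not part of the original notes; the function names (h2_rejected_headers, response_header, diagnose) are hypothetical, and the sample input is trimmed from the curl output on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): map the header that nghttp2
# rejected over HTTP/2 to the header seen over HTTP/1.1, then print the
# nginx directive that stops forwarding it.

# stdin: `curl -v --http2` trace. stdout: "name: value" per rejected header.
h2_rejected_headers() {
    sed -n 's/^\* http2 error: Invalid HTTP header field was received: .*name: \[\([^]]*\)], value: \[\(.*\)]$/\1: \2/p'
}

# stdin: `curl -v --http1.1 --head` trace. $1: header name (any case).
# stdout: "Name: value" spelled the way the server sent it.
response_header() {
    awk -v want="$1" '/^< / {
        line = substr($0, 3); sub(/\r$/, "", line)
        i = index(line, ":"); if (i == 0) next      # status line, not a header
        name = substr(line, 1, i - 1)
        val = substr(line, i + 1); sub(/^[ \t]+/, "", val)
        if (tolower(name) == tolower(want)) print name ": " val
    }'
}

# $1: HTTP/2 trace text, $2: HTTP/1.1 trace text.
diagnose() {
    printf '%s\n' "$1" | h2_rejected_headers | while IFS= read -r rejected; do
        name=${rejected%%: *}
        value=${rejected#*: }
        line=$(printf '%s\n' "$2" | response_header "$name")
        case "$line" in
            *": $value") echo "proxy_hide_header ${line%%:*};" ;;
            *) echo "# $name: $value rejected over HTTP/2, not seen over HTTP/1.1" ;;
        esac
    done
}

# Sample input: lines trimmed from the two curl traces on this page.
H2_TRACE='* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2]
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)'
H1_TRACE='< HTTP/1.1 200 OK
< Server: nginx
< Connection: keep-alive
< Upgrade: h2
< Vary: Accept-Encoding'

diagnose "$H2_TRACE" "$H1_TRACE"
```

nginx accepts proxy_hide_header only inside http, server or location blocks; the "directive is not allowed here" line in error.log quoted earlier is what it reports for any other context.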

 

curl version:

xie3fadeMac:~ xie3fa$ curl -V
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
xie3fadeMac:~ xie3fa$

 
