error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:322:

通过 Docker 部署 nginx-1.27.4，为 EMQX 集群做负载均衡代理。容器启动成功，但 MQTTX 客户端连接失败；使用 openssl 命令 `openssl s_client -connect 127.0.0.1:8884 -tls1_3 -debug` 测试时，提示 `ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:322:`。nginx 配置如下：


# NOTE(review): worker processes run as root here. nginx needs root only in the master
# process (to bind privileged ports); workers can run as an unprivileged account. Switch
# to a dedicated user once confirmed it exists in the image and can read the key files
# under /home/nginx/https/ — TODO confirm.
user root;
# One worker process per available CPU core.
worker_processes auto;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
	# Maximum number of simultaneous connections each worker process may hold.
	worker_connections 1024;
}

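stream {

    # TLS-terminating TCP load balancer in front of the EMQX plain MQTT listeners (1883).
    upstream mqtt_servers {
        server XXX-emqx-node1:1883;
        server XXX-emqx-node2:1883;
    }

    # TLS-terminating TCP load balancer in front of the EMQX plain WebSocket listeners (8083).
    upstream mqtt_websocket_servers {
        server XXX-emqx-node1:8083;
        server XXX-emqx-node2:8083;
    }

    # MQTT over TLS on 8884 -> plain MQTT upstream.
    server {
        # `ssl` was missing from this listen directive. Without it nginx accepts plain TCP on
        # 8884 and forwards the client's TLS ClientHello bytes unchanged to the plaintext MQTT
        # listener, which closes the connection; openssl s_client reports that as
        # "ssl3_read_n:unexpected eof while reading". The ssl_* directives below only take
        # effect once the listener itself is marked ssl.
        listen 8884 ssl;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        proxy_buffer_size 4k;
        ssl_handshake_timeout 15s;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate /home/nginx/https/mqtt/server.pem;
        ssl_certificate_key /home/nginx/https/mqtt/server.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        # ssl_ciphers governs TLS <= 1.2 suites only; with TLSv1.3 as the sole protocol OpenSSL
        # picks the TLS 1.3 suites itself, so this list is currently inert. The 3DES entries were
        # dropped so that re-enabling TLSv1.2 later does not bring back a 64-bit block cipher.
        ssl_ciphers 'EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5';

        proxy_pass mqtt_servers;

        # When this is enabled, the corresponding upstream listener must enable proxy_protocol too.
        #proxy_protocol on;
        proxy_connect_timeout 10s;
        # Default MQTT keep-alive is 10 minutes; the idle timeout is kept well above it.
        proxy_timeout 1800s;
        tcp_nodelay on;
    }

    # MQTT over WebSocket with TLS on 8085 -> plain WebSocket upstream.
    server {
        listen 8085 ssl;
        proxy_buffer_size 4k;
        ssl_handshake_timeout 15s;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate /home/nginx/https/mqtt/server.pem;
        ssl_certificate_key /home/nginx/https/mqtt/server.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Same note as above: inert while only TLSv1.3 is enabled; 3DES entries removed.
        ssl_ciphers 'EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5';

        # Mutual TLS: add the CA certificate and turn on client certificate verification.
        # ssl_client_certificate /usr/local/NGINX/certs/ca.pem;
        # ssl_verify_client on;

        proxy_pass mqtt_websocket_servers;

        # When this is enabled, the corresponding upstream listener must enable proxy_protocol too.
        #proxy_protocol on;
        proxy_connect_timeout 10s;
        # Default MQTT keep-alive is 10 minutes; the idle timeout is kept well above it.
        proxy_timeout 1800s;
        tcp_nodelay on;
    }

}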

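http {
	include       mime.types;
	default_type  application/octet-stream;
	client_max_body_size 1024m;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#                  '$status $body_bytes_sent "$http_referer" '
	#                  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile        on;
	#tcp_nopush     on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	# HTTPS front end for the API gateway.
	server {
        client_max_body_size 1024m;
        listen       443 ssl;
        server_name  api.xxx.xxx.com;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        ssl_certificate /home/nginx/https/api/server.pem;     # certificate (chain) file
        ssl_certificate_key /home/nginx/https/api/server.key; # private key file

        ssl_protocols TLSv1.2 TLSv1.3; # recommended protocol set
        ssl_prefer_server_ciphers on;
        # Forward-secret AEAD suites for TLS 1.2; TLS 1.3 suites are selected by OpenSSL.
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384';

        # knife4j reverse proxy
        location /prod/ {
            #rewrite ^/prod-api(.*)$ $1 break; # strip the prod-api path prefix
            proxy_pass http://xxx-gateway:9001/prod/;
            proxy_set_header    Host                $http_host;
            # $realip_remote_addr is the TCP peer address, untouched by the realip module.
            proxy_set_header    X-Real-IP           $realip_remote_addr;
            proxy_set_header    X-Forwarded-Proto   $scheme;
            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
            proxy_connect_timeout 60;
            proxy_send_timeout 60;
            proxy_read_timeout 60;
            send_timeout 60;

            add_header Cache-Control no-cache;
            # No caching or buffering so streamed responses reach the client as they arrive.
            proxy_cache off;               # disable the response cache
            proxy_buffering off;           # disable upstream response buffering
            chunked_transfer_encoding on;  # allow chunked transfer encoding
            # tcp_nopush is TCP_CORK (Linux) / TCP_NOPUSH (FreeBSD): send the response headers
            # together with the first body bytes. It only applies while sendfile is in use.
            tcp_nopush on;
            # tcp_nodelay is TCP_NODELAY: disables Nagle's algorithm so small writes are not held back.
            tcp_nodelay on;
            keepalive_timeout 300;         # keep-alive idle timeout of 300 seconds (the old comment said 65)

            # CORS. Browsers never honour 'Access-Control-Allow-Credentials: true' when
            # Allow-Origin is the wildcard '*', so the former header was inert here and has been
            # removed. To allow credentialed requests, replace '*' with an explicit trusted origin
            # and add the credentials header back. `always` is applied to every CORS header so
            # error responses carry them as well, matching the Allow-Origin line.
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

}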

Moving to the Troubleshooting category.


Heya! This is an English speaking forum so if you want help please consider translating the post.
