问题描述
系统环境:
- 操作系统:Ubuntu 24.04
- 内核版本:6.8.0-64-generic
- 系统架构:x86_64
- 面板版本:1Panel专业版 v2.0.5
问题现象: 为哪吒监控面板配置域名反向代理后,出现以下情况:
- WAF关闭时:功能正常
- WAF全局开启时:出现异常
- 即使关闭对应网站或取消所有WAF配置项,问题仍然存在
主要异常: 访问日志中出现大量 499 状态码(nginx 自定义状态码,表示 nginx 尚未返回响应时客户端已主动断开连接)。
去除敏感IP信息后的访问日志示例:
[IP1] - - [25/Jul/2025:03:30:45 +0000] "POST /proto.NezhaService/ReportSystemInfo2 HTTP/2.0" 200 0 "-" "grpc-go/1.72.2" "-"
[IP2] - - [25/Jul/2025:03:30:50 +0000] "POST /proto.NezhaService/ReportSystemInfo2 HTTP/2.0" 200 0 "-" "grpc-go/1.72.2" "-"
[IP3] - - [25/Jul/2025:03:30:50 +0000] "POST /proto.NezhaService/ReportSystemInfo2 HTTP/2.0" 200 11 "-" "grpc-go/1.72.2" "-"
[IP1] - - [25/Jul/2025:03:31:00 +0000] "POST /proto.NezhaService/ReportSystemState HTTP/2.0" 499 0 "-" "grpc-go/1.72.2" "-"
[IP3] - - [25/Jul/2025:03:31:00 +0000] "POST /proto.NezhaService/RequestTask HTTP/2.0" 499 0 "-" "grpc-go/1.72.2" "-"
核心问题: 哪吒监控的 gRPC 通信(客户端为 grpc-go/1.72.2)在 WAF 全局开启后出现连接中断,被记录为 499(客户端主动断开),影响监控数据上报和任务下发。从日志看,一次性请求 ReportSystemInfo2 仍返回 200,而 499 只出现在 ReportSystemState、RequestTask 这类按哪吒协议应为流式(长连接)的 RPC 上;再结合关闭所有 WAF 规则后仍能复现,问题更像是 WAF 在请求阶段读取/缓冲完整请求体导致流式调用无法推进,而不是某条规则拦截——这一点有待结合 WAF 的 error.log 进一步确认。
网站反代配置如下(已隐藏敏感信息)
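# Nezha dashboard reverse proxy: TLS termination, gRPC for the agents,
# WebSocket for the web UI, plain HTTP for everything else.
server {
    listen 80;
    listen 443 ssl;
    # Applies to every `listen` above, so port 80 also accepts cleartext
    # HTTP/2 (h2c); plain-HTTP clients are still redirected to HTTPS below.
    http2 on;
    server_name your-domain.com;  # replace with your domain

    # --- TLS ---
    ssl_certificate /path/to/ssl/fullchain.pem;
    ssl_certificate_key /path/to/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    # AEAD suites only. The two TLS 1.2 CBC suites that were listed here
    # (ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256) are dropped; grpc-go
    # and current browsers all negotiate GCM or ChaCha20-Poly1305.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): stapling stays silently inactive unless nginx can fetch
    # OCSP responses: add a `resolver`, point `ssl_trusted_certificate` at the
    # CA chain, and set `ssl_stapling_verify on` so the response is validated.
    ssl_stapling on;

    # The dashboard reads the `nz-realip` header; nginx drops underscore
    # headers by default, so this must stay on.
    underscores_in_headers on;
    access_log /var/log/nginx/your-site/access.log main;
    error_log /var/log/nginx/your-site/error.log;

    # --- plain HTTP -> HTTPS ---
    # 497 = plain HTTP request received on the TLS port.
    # NOTE(review): both redirects echo the client-supplied Host; that is fine
    # while server_name limits which hosts reach this block, but if this ever
    # becomes the default server use $server_name instead of $host.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    error_page 497 https://$host$request_uri;
    # `always` so the header is also sent on redirects and error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # --- gRPC: agent <-> dashboard ---
    # NOTE(review): ReportSystemState / RequestTask are long-lived streams per
    # the Nezha protocol; anything on the path that reads the whole request
    # body before forwarding (a WAF body inspection, for example) stalls them
    # until the agent hangs up, which nginx then logs as 499.
    location ^~ /proto.NezhaService/ {
        grpc_set_header Host $host;
        # Taken from the TCP peer address, so an agent cannot spoof it. Only
        # correct when this nginx is the outermost hop: behind a CDN or another
        # proxy, $remote_addr is that hop's address and the real client IP has
        # to come from the header that hop sets instead.
        grpc_set_header nz-realip $remote_addr;
        grpc_read_timeout 600s;
        grpc_send_timeout 600s;
        grpc_socket_keepalive on;
        client_max_body_size 10m;
        grpc_buffer_size 4m;
        grpc_pass grpc://dashboard;
    }

    # --- WebSocket: server list, web terminal, file browser ---
    location ~* ^/api/v1/ws/(server|terminal|file)(.*)$ {
        # nginx documents HTTP/1.1 as required for Upgrade; the default is
        # HTTP/1.0 towards the backend. Harmless where the backend already
        # tolerated that, correct everywhere else.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header nz-realip $remote_addr;  # see the gRPC location note
        # NOTE(review): this replaces whatever Origin the browser sent, so the
        # dashboard's own Origin check (its defence against cross-site WebSocket
        # hijacking) can no longer distinguish a third-party page from its own
        # UI. Keep it only if the dashboard refuses the handshake without it.
        proxy_set_header Origin https://$host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header is not inherited into a location that has its own
        # proxy_set_header lines, so the forwarded scheme is repeated here.
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_pass http://127.0.0.1:8008;
    }

    # --- web UI / REST ---
    location / {
        proxy_set_header Host $host;
        proxy_set_header nz-realip $remote_addr;  # see the gRPC location note
        proxy_set_header X-Forwarded-Proto https;  # repeated: not inherited
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_max_temp_file_size 0;
        proxy_pass http://127.0.0.1:8008;
    }
}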
# Backend pool used by grpc_pass. The HTTP and WebSocket locations proxy to
# 127.0.0.1:8008 directly and do not go through this pool. keepalive keeps
# up to 512 idle upstream connections per worker.
upstream dashboard {
    server 127.0.0.1:8008;
    keepalive 512;
}
OpenResty配置如下
# OpenResty main context (1Panel build). Worker processes run as this user;
# the master process is root regardless.
# NOTE(review): `user root;` means every worker -- and therefore the Lua WAF
# and any request-handling bug in it -- runs with full privileges. The stock
# default is `nobody`; switching requires the log, pid, WAF data and site
# directories to be accessible to that account, which is not visible here.
user root;
worker_processes auto;
worker_rlimit_nofile 51200;
pid /var/run/nginx.pid;
# Two error_log destinations: the file and the container's stdout.
error_log /var/log/nginx/error.log notice;
error_log /dev/stdout notice;
# Connection handling. worker_connections is per worker and must stay below
# worker_rlimit_nofile (5120 < 51200 here).
events {
    multi_accept on;
    worker_connections 5120;
    use epoll;
}
http {
    include mime.types;
    default_type application/octet-stream;

    # --- access logging: file plus container stdout (both directives apply) ---
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    access_log /dev/stdout main;

    # --- core / transport ---
    server_tokens off;  # no version string in the Server header or error pages
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    keepalive_requests 100;
    # Hash bucket for server_name lookups; the original note said this was
    # changed from 512 to 128, i.e. lowered, not raised.
    server_names_hash_bucket_size 128;

    # --- request limits ---
    # Header buffers: 32k initial, then up to 4 x 32k for oversized headers.
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Global per-request body cap (was 50m); individual locations may lower it.
    client_max_body_size 32m;
    # Connection-limit zones, per client IP and per server. Only the zones are
    # declared here; a `limit_conn` directive elsewhere has to reference them
    # before any limit takes effect.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    # --- compression ---
    # NOTE(review): compressing application/json over TLS is the precondition
    # for BREACH when a response reflects attacker-controlled input alongside a
    # secret; worth checking whether any dashboard JSON response does that.
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/json application/x-httpd-php;
    gzip_vary on;
    gzip_proxied any;    # compress for proxied requests regardless of Via/cache headers
    gzip_disable "msie6";

    # --- includes (order kept: sites, defaults, then the 1Panel WAF) ---
    include /usr/local/openresty/nginx/conf/conf.d/*.conf;
    include /usr/local/openresty/nginx/conf/default/*.conf;
    include /usr/local/openresty/1pwaf/data/conf/waf.conf;
}