哪吒探针V1版本,使用openresty反代到应用商店的哪吒探针无法正常让agent开启TLS使用443连接面板
WAF似乎会把流量掐掉,触发奇怪的规则直接让agent出现请求499,无法挂载,使用HTTP,IP+端口直接连接没有问题。后面尝试自己写配置不走WAF被控机就能正常使用TLS连接面板
这个问题能修复一下吗?
哪吒探针V1版本,使用openresty反代到应用商店的哪吒探针无法正常让agent开启TLS使用443连接面板
WAF似乎会把流量掐掉,触发奇怪的规则直接让agent出现请求499,无法挂载,使用HTTP,IP+端口直接连接没有问题。后面尝试自己写配置不走WAF被控机就能正常使用TLS连接面板
这个问题能修复一下吗?
你先试一下:关闭 WAF,但仍然使用 1Panel 提供的反代,看看还会不会有问题。
改成这个配置就没问题了
# Virtual host for the Nezha dashboard behind OpenResty.
# Listens on 80 and 443 (TLS), redirects plain HTTP to HTTPS, and forwards
# everything to the backend at 127.0.0.1:8006: gRPC for /proto.NezhaService/,
# WebSocket for /api/v1/ws/, and ordinary HTTP for all other paths.
# NOTE(review): the first two locations override the access phase with a no-op
# Lua handler (labelled "WAF bypass" by the author), so requests on those paths
# reach the backend without WAF inspection, and backend authentication is then
# the only control there.
server {
    listen 80;
    listen 443 ssl;
    http2 on;
    # --- 1. Production domain name ---
    server_name xxxxxxxxxxxxxxxxxx;
    # --- 2. Production certificate paths (1Panel standard path) ---
    ssl_certificate /www/sites/xxxxxxxxxxxxxxxxxxx/ssl/fullchain.pem;
    ssl_certificate_key /www/sites/xxxxxxxxxxxxxxxxx/ssl/privkey.pem;
    # --- SSL cipher suites ---
    # Only TLS 1.2 and 1.3 are accepted.
    ssl_protocols TLSv1.3 TLSv1.2;
    # NOTE(review): besides the AEAD (GCM / CHACHA20-POLY1305) suites, the list
    # still contains two CBC-mode suites (ECDHE-RSA-AES256-SHA384 and
    # ECDHE-RSA-AES128-SHA256); drop them if no client needs them.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
    # The client's cipher preference order is used, not the server's.
    ssl_prefer_server_ciphers off;
    # --- Key settings (agent authentication & disconnect fix) ---
    # Accept request header names that contain underscores (nginx ignores them by default).
    underscores_in_headers on; # must be enabled
    # 0 disables the request-body size check for every location in this server,
    # including the dashboard under "location /".
    # NOTE(review): consider setting this only in the locations that need large
    # uploads, so the rest of the site keeps a finite limit.
    client_max_body_size 0; # allow large files
    # Extend timeouts to 1 hour to resolve "Oops" and SSH disconnects
    proxy_read_timeout 3600s;
    # NOTE(review): these two client-side timeouts apply to the whole server, so
    # a slow or idle client can hold a connection for up to an hour.
    # client_body_timeout may be set per location (e.g. only on the gRPC path);
    # client_header_timeout is only valid at http/server level. Confirm which of
    # the two the long-lived agent stream actually needs before narrowing them.
    client_header_timeout 3600s;
    client_body_timeout 3600s;
    # --- 3. Production log paths ---
    access_log /www/sites/xxxxxxxxxxxxxxxxxxx/log/access.log main;
    error_log /www/sites/xxxxxxxxxxxxxxxxxxx/log/error.log;
    # Plain-HTTP requests are permanently redirected to the same host and URI over HTTPS.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    # =========================================================
    # Zone 1: Agent gRPC endpoint (WAF bypass)
    # =========================================================
    # Prefix match; "^~" stops nginx from checking regex locations for this path.
    location ^~ /proto.NezhaService/ {
        # This Lua form was verified in the test build, so the production config keeps it
        # ngx.exit(ngx.OK) ends this access-phase handler and lets the request
        # continue to the content phase. Presumably it also replaces the WAF's
        # access-phase handler inherited from an outer level, since a
        # location-level access_by_lua* overrides an inherited one. Confirm
        # against the 1Panel WAF include.
        # NOTE(review): with the WAF skipped here, agent authentication by the
        # backend is the only control on this path; keep this path covered by
        # access-log monitoring.
        access_by_lua_block {
            ngx.exit(ngx.OK)
        }
        # Cleartext gRPC to the local backend.
        grpc_pass grpc://127.0.0.1:8006;
        grpc_set_header Host $host;
        # Set from the TCP peer address, overwriting any client-supplied nz-realip.
        # If a CDN or another proxy sits in front, this is that proxy's address.
        grpc_set_header nz-realip $remote_addr;
        # Allow the upstream gRPC stream to stay idle for up to an hour in either direction.
        grpc_read_timeout 3600s;
        grpc_send_timeout 3600s;
        # Enable TCP keepalive (SO_KEEPALIVE) on the upstream socket.
        grpc_socket_keepalive on;
    }
    # =========================================================
    # Zone 2: WebSocket (SSH / web terminal)
    # =========================================================
    # Case-insensitive regex match on the /api/v1/ws/ prefix.
    location ~* ^/api/v1/ws/ {
        # Same no-op access handler as the gRPC location.
        # NOTE(review): per the section title this path carries the SSH/web
        # terminal, so skipping WAF inspection here is the higher-risk bypass of
        # the two. Verify that the backend enforces authentication on every
        # WebSocket upgrade, and consider restricting source addresses if the
        # terminal is only used from known networks.
        access_by_lua_block {
            ngx.exit(ngx.OK)
        }
        proxy_pass http://127.0.0.1:8006;
        # HTTP/1.1 plus the Upgrade/Connection headers are required for the WebSocket handshake.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Both client-address headers are set from the TCP peer address.
        proxy_set_header nz-realip $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        # Pass upstream data to the client as it arrives instead of buffering it.
        proxy_buffering off;
    }
    # =========================================================
    # Zone 3: Web dashboard
    # =========================================================
    # No access_by_lua override here, so whatever access-phase handling is
    # inherited from outer levels (presumably the WAF) still applies.
    location / {
        proxy_pass http://127.0.0.1:8006;
        proxy_set_header Host $host;
        proxy_set_header nz-realip $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the peer address to any
        # X-Forwarded-For value sent by the client, so the backend should not
        # trust the leftmost entries of that header.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Keep the connection alive to prevent "Oops"
        proxy_http_version 1.1;
        # Send an empty Connection header upstream instead of the default "close".
        proxy_set_header Connection "";
    }
    # Static resource validation
    # Serves ACME HTTP-01 challenge files from the local web root, open to all clients.
    location ^~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }
}
IP xxx.xxx.xxx.xxx
时间 2026-01-07 19:48:55
响应流量 8.08 KB
响应时间 2毫秒
来源
HOST example.domain.com
请求类型 POST
状态码 404
User-Agent grpc-go/1.76.0
URL /proto.NezhaService/ReportSystemInfo2
远程端口 33786