在专业版 v1.10.10-lts 上创建了一个反向代理网站，反向代理内网一台使用 HTTPS 自签名证书的网站，OpenResty 日志提示 SSL 证书错误。
反向代理配置如下
# Proxy every path ("^~ /" wins over regex locations) to the internal HTTPS host.
location ^~ / {
# NOTE(review): nginx/OpenResty does not verify the upstream certificate unless
# proxy_ssl_verify is on, so the self-signed upstream cert is accepted as-is here:
# the hop is encrypted, but the upstream's identity is not checked. Verification
# needs proxy_ssl_trusted_certificate pointing at the upstream CA (PEM) plus
# proxy_ssl_verify on — importing that CA is what the request at the bottom of
# this page asks for.
proxy_pass https://10.0.1.8;
# Hand the backend the public vhost name and the real client address instead of
# the proxy's own.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header REMOTE-HOST $remote_addr;
# WebSocket pass-through. "Connection: upgrade" is sent on every request, even when
# $http_upgrade is empty; the usual form maps $http_upgrade to a $connection_upgrade
# variable in the http context (outside this snippet) and uses that variable here.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
# HTTP/1.1 is required for Upgrade and for keep-alive to the upstream.
proxy_http_version 1.1;
# $upstream_cache_status stays empty unless a proxy_cache is configured (none visible here).
add_header X-Cache $upstream_cache_status;
# add_header is inherited only when the current level defines none, so the
# server-level HSTS header must be repeated in this location to take effect.
add_header Strict-Transport-Security "max-age=31536000";
add_header Cache-Control no-cache;
# 0 disables buffering of upstream responses to temporary files on disk.
proxy_max_temp_file_size 0;
}
站点配置如下
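# Public vhost for the DSM reverse proxy: plain HTTP is redirected to HTTPS, TLS
# terminates here, and the proxy_pass itself lives in the included proxy/*.conf.
server {
listen 80 ;
listen 443 ssl http2 ;
# A single certificate serves all of these names, so fullchain.pem must list each
# of them as a SAN; browsers reject any hostname it does not cover.
server_name nas.lhm12.cc office.lhm12.cc file.lhm12.cc cam.lhm12.cc mail.lhm12.cc cont.lhm12.cc;
index index.php index.html index.htm default.php default.htm default.html;
# NOTE(review): proxy_set_header is inherited only when the location defines none
# of its own. The included proxy location on this page sets its own headers, so
# these server-level ones (including X-Forwarded-Host and the X-Forwarded-Proto
# further down) are not applied to proxied requests.
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# NOTE(review): the 444 entries in the access log on this page mean nginx closed
# the connection without a response; nothing in this snippet returns 444, so it
# presumably comes from another included config — worth locating before blaming TLS.
access_log /www/sites/dsm/log/access.log main;
error_log /www/sites/dsm/log/error.log;
# ACME HTTP-01 challenge files are served from disk. The server-level redirect
# below runs before location matching, so challenge requests on port 80 are also
# redirected to HTTPS; Let's Encrypt follows that redirect — confirm for the CA in use.
location ^~ /.well-known/acme-challenge {
allow all;
root /usr/share/nginx/html;
}
# Per-site proxy locations (the location block shown earlier on this page).
include /www/sites/dsm/proxy/*.conf;
# Force HTTPS. A server-level `if` whose only action is `return` is one of the safe uses of `if`.
if ($scheme = http) {
return 301 https://$host$request_uri;
}
# NOTE(review): the OpenResty error lines on this page fail while loading a
# certificate named "data:" during the handshake with the *client*
# ("while SSL handshaking, client: 10.0.0.x, server: 0.0.0.0:443"). That does not
# match this block's file-based ssl_certificate, so those errors appear to come
# from some other server block that uses a variable/data: certificate (presumably
# the container's default catch-all) rather than from the upstream's self-signed
# certificate — confirm which block answers those requests before treating this
# as an upstream-CA problem.
ssl_certificate /www/sites/dsm/ssl/fullchain.pem;
ssl_certificate_key /www/sites/dsm/ssl/privkey.pem;
ssl_protocols TLSv1.3 TLSv1.2;
# Hardened from the original list: the RSA+AES* entries (static RSA key exchange,
# no forward secrecy) and the EECDH+3DES / RSA+3DES entries (64-bit block cipher,
# SWEET32) are dropped. The ECDHE CHACHA20/AES suites the original already
# preferred are kept, so current browsers negotiate the same suites as before.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5:!3DES:!aNULL;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
# 497 is nginx's internal code for a plain-HTTP request received on the HTTPS port.
error_page 497 https://$host$request_uri;
proxy_set_header X-Forwarded-Proto https;
# OCSP stapling needs a resolver directive (not visible in this snippet) to look up
# the responder host; without one stapling is skipped and the error log shows
# "no resolver defined".
ssl_stapling on;
ssl_stapling_verify on;
}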
以下是站点日志
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/taskbar/dist/dsm.taskbar.bundle.js?v=1661421011 HTTP/2.0" 304 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /synoSDSjslib/vendor.js?v=1654081517 HTTP/2.0" 304 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /synoSDSjslib/sds.js?v=1654081517 HTTP/2.0" 304 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/sds/dist/dsm.common.bundle.js?v=1661421011 HTTP/2.0" 304 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/desktop/dist/dsm.desktop.bundle.js?v=1661421011 HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/sds/dist/dsm.sds.bundle.js?v=1661421011 HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/login/dist/dsm.login.bundle.js?v=1661421011 HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/entry/dist/dsm.entry.bundle.js?v=1661421011 HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webapi/entry.cgi?api=SYNO.Core.Desktop.SessionData&version=1&method=getjs&launchApp=SYNO.SDS.App.FileStation3.Instance&SynoToken=&v=1656670912 HTTP/2.0" 200 699 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/3rdparty/FileBrowser/images/icon/FileStation_16.png HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
10.0.0.11 - - [15/Jun/2024:23:52:50 +0800] "GET /webman/3rdparty/FileBrowser/images/icon/FileStation_16.png HTTP/2.0" 444 0 "https://file.lhm12.cc/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
以下是 OpenResty 日志
2024/06/16 12:32:38 [error] 258#258: *47919 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.7, server: 0.0.0.0:443
2024/06/16 12:32:39 [error] 258#258: *47922 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.7, server: 0.0.0.0:443
2024/06/16 12:32:39 [error] 258#258: *47923 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.7, server: 0.0.0.0:443
2024/06/16 13:21:30 [error] 258#258: *50854 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:30 [error] 258#258: *50855 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:32 [error] 258#258: *50858 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:32 [error] 258#258: *50859 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:34 [error] 258#258: *50862 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:34 [error] 258#258: *50863 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:48 [error] 258#258: *50878 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:48 [error] 258#258: *50879 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:49 [error] 258#258: *50880 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
2024/06/16 13:21:49 [error] 258#258: *50881 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.0.0.11, server: 0.0.0.0:443
产品建议
1Panel 的 OpenResty 容器目前好像没有导入自签名 CA 的功能，希望能添加在 OpenResty 容器中导入自签名 CA 证书的功能。