
A record of troubleshooting an incorrect HTTPS listener configuration

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today a developer reported the following behavior when testing against Kingsoft Cloud machines:

    wget https://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    --2017-07-26 11:…--  https://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    Resolving funchlscdn.lechange.cn... 120.92.158.134
    Connecting to funchlscdn.lechange.cn|120.92.158.134|:443... connected.
    OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Unable to establish SSL connection.

The error "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol" occurs when an HTTPS request is sent to a service that only provides HTTP.

Running "ping funchlscdn.lechange.cn" gives the IP behind this domain name. Back in the Kingsoft Cloud console, this IP turns out to be a load balancer. However, the load balancer had been configured with the HTTP protocol for port 80 and also the HTTP protocol for port 443. The port 443 listener was then changed to HTTPS. After retesting, the error became:

    [root@js-develop] # wget https://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    --2017-07-26 16:08:15--  https://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    Resolving funchlscdn.lechange.cn... 120.92.158.134
    Connecting to funchlscdn.lechange.cn|120.92.158.134|:443... connected.
    HTTP request sent, awaiting response... 502 Bad Gateway
    2017-07-26 16:08:15 ERROR 502: Bad Gateway.

Opening the URL in a browser shows the following page:

502 Bad Gateway

The proxy server received an invalid response from an upstream server.

_____

KSYUN ELB 1.0.0

At the same time, the health check for nginx on port 8000 in the Kingsoft Cloud load balancer showed "abnormal". Access over HTTP, however, worked, with the following result:

    [root@js-develop] # wget http://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    --2017-07-26 15:31:55--  http://funchlscdn.lechange.cn/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    Resolving funchlscdn.lechange.cn... 120.92.158.134
    Connecting to funchlscdn.lechange.cn|120.92.158.134|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://120.92.133.76:8090/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8 [following]
    --2017-07-26 15:31:55--  http://120.92.133.76:8090/LCLR/2K02135PAK01979/0/0/20170726085033/dev_20170726085033_lpxh73ezzb92xxa8.m3u8
    Connecting to 120.92.133.76:8090... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 66 [application/x-mpegURL]
    Saving to: "dev_20170726085033_lpxh73ezzb92xxa8.m3u8"
    100%[======>] 66  --.-K/s  in 0s
    2017-07-26 15:31:55 (3.02 MB/s) - "dev_20170726085033_lpxh73ezzb92xxa8.m3u8" saved [66/66]

So I asked the developer about the detailed request flow for HTTP and HTTPS. The developer said that for HTTP, the designed route is:

HTTP (80) -> development module (9001)

For HTTPS, the designed route is:

HTTPS (443) -> nginx (8000) -> development module (9001)

This revealed the problem. Originally, no HTTPS certificate was configured on Kingsoft Cloud, so the developers had nginx listen on port 8000 with SSL to provide HTTPS. Later, once the HTTPS certificate was added in the Kingsoft Cloud console, nginx no longer needed its own SSL certificate, and pointing the HTTPS listener at port 8000 became wrong, so the route was changed to:

HTTPS -> development module (9001)

nginx was shut down at the same time, and testing the HTTPS request again succeeded!

In fact, if you must use nginx's SSL certificate, the trick is to keep nginx enabled but have the load balancer use the TCP protocol for the listener that forwards to nginx's port 8000.
