带有 Cloudflare 的 Nginx：错误 525 SSL 握手失败

Question

我正在尝试使用 Cloudflare 在 docker 容器上部署我的 nginx。

docker-compose.yml

version: "3.5"

services:
  nginx:
    image: xxx/panel-nginx:VERSION
    volumes:
      - type: volume
        source: panel_nginx_certs
        target: /etc/nginx/certs
    ports:
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - panel_nginx
    stop_grace_period: 1m
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 180s
      restart_policy:
        condition: on-failure

networks:
  panel_nginx:
    external: true

volumes:
    panel_nginx_certs:
      external: true

nginx.conf

upstream panel-uwsgi {
    server                      panel_app:8000;
}
server {
    listen                      443 ssl http2;
    listen                      [::]:443 ssl http2;
    server_name                 panel.xxx.com;
    ssl_certificate             /etc/nginx/certs/panel.pem;
    ssl_certificate_key         /etc/nginx/certs/panel.key;

    location / {
        include                 uwsgi_params;
        uwsgi_pass              panel-uwsgi;
    }
    # location /media/ {
    #     root                    /usr/share/nginx/html;
    #     try_files               $uri $uri/;
    #     access_log              off;
    #     expires                 30d;
    # }
    location /static/ {
        access_log              off;
        expires                 30d;
    }
    location = /favicon.ico {
        return                  204;
        access_log              off;
        log_not_found           off;
    }

    # error_page  404              /404.html;

    # error_page   500 502 503 504  /50x.html;
    # location = /50x.html {
    #     root                    /usr/share/nginx/html;
    # }
    }


    gzip_vary                       on;
    gzip_proxied                    any;
    gzip_comp_level                 6;
    gzip_buffers                    16 8k;
    gzip_http_version               1.1;
    gzip_types                      text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ssl_protocols                   TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers       on;
    ssl_ciphers                     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
    ssl_ecdh_curve                  secp384r1;
    ssl_dhparam                     /etc/nginx/certs/dhparam.pem;
    ssl_session_timeout             24h;
    ssl_session_cache               shared:SSL:12m;
    ssl_session_tickets             off;
    ssl_stapling                    on;
    ssl_trusted_certificate         /etc/nginx/certs/cloudflare_origin_ecc.pem;
    ssl_stapling_verify             on;
    resolver                        8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout                5s;


    server_names_hash_bucket_size   64;


    ssl_client_certificate          /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client               on;


    server_tokens                   off;
    charset                         utf-8;
    add_header                      X-Robots-Tag none;
    add_header                      Warning 'This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded.';

使用此配置进行部署会导致 525 错误：SSL 握手失败。 我有专用的 IP 和 NSI。我正在使用 chacha-poly 密码。我正在发布 443 端口。

任何想法为什么我会收到此错误？

谢谢

免责声明：Stackoverflow，请删除有关代码过多​​和文本不足的警告。谢谢

Answer 1

在我的例子中，用 LibreSSL 替换 OpenSSL 解决了这个问题。

Answer 2

如果记录是灰色的（未通过 Cloudflare 代理），您能否使用 SSL 连接到服务器？这可能是他配置中的源服务器上的一个问题，但至少暂时消除 Cloudflare 会使故障排除更加容易。

您也可以尝试 curl -Ikv --resolve panel.backupner.com:443:your.ip.address https:://panel.backupner.com 了解更多可能有助于故障排除的详细信息。

实际上刚刚检查...看起来您的网站现在正在运行，如果您找出根本原因，发布问题所在会很有帮助。 :)