
[BUG] Nginx HTTPS trace cannot be linked end to end #11517

@polluxxing

Description

Search before asking

  • I had searched in the issues and found no similar feature requirement.

DeepFlow Component

Agent

What you expected to happen

DeepFlow version: V6.6
DeepFlow Agent deployment: host machine (not K8s)

Linux version
############## Kylin Linux Version #################
Release:
Kylin Linux Advanced Server release V10 (Tercel)
Kernel:
4.19.90-25.35.v2101.ky10.aarch64
Build:
Kylin Linux Advanced Server
release V10 (SP1) /(Tercel)-aarch64-Build20/20210518
#################################################

OpenSSL version: 1.1.1f

Local SSL certificate generation command: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/OU=IT/CN=localhost"

Nginx version: 1.21.5

Nginx HTTP configuration
server {
    listen 80;
    listen [::]:80;
    server_name _;
    # Access and error logs
    access_log /var/log/nginx/proxy-http-access.log;
    error_log /var/log/nginx/proxy-http-error.log;
    # Document root (optional, for static files)
    root /usr/share/nginx/html;
    index index.html index.htm;
    # Proxy the first service (port 2000)
    location /obs/api/first/ {
        proxy_pass http://10.1.11.122:2000/obs/api/first/;
        # Pass real client information
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Proxy the second service (port 2001)
    location /obs/api/second/ {
        proxy_pass http://10.1.11.122:2001/obs/api/second/;
        # Pass real client information
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
    # Error pages (the location must match the error_page URI)
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Nginx HTTPS configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    # SSL certificate
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # SSL protocols and security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Access and error logs
    access_log /var/log/nginx/proxy-https-access.log;
    error_log /var/log/nginx/proxy-https-error.log;
    # Document root (optional, for static files)
    root /usr/share/nginx/html;
    index index.html index.htm;
    # Proxy the first service (port 2000)
    location /obs/api/first/ {
        proxy_pass http://10.1.11.122:2000/obs/api/first/;
        # Pass real client information
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Proxy the second service (port 2001)
    location /obs/api/second/ {
        proxy_pass http://10.1.11.122:2001/obs/api/second/;
        # Pass real client information
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
    # Error pages (the location must match the error_page URI)
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

The scenario is as follows:
1. As described above, I have two Nginx configurations, one for HTTP and one for HTTPS; each reverse-proxies two Java microservices.
2. With the Nginx HTTP configuration the call chain is connected, but with the Nginx HTTPS configuration the call chain between the two microservices is broken. How can I keep the trace from breaking? The call chain is:

  • Call the first microservice's API through the Nginx reverse proxy with curl
  • The first microservice calls the second microservice's API through the Nginx reverse proxy using an HTTP client

HTTP call chain diagram (connected): [image]
HTTPS call chain diagram (broken): [image] [image]

I tried modifying the Agent configuration, but the trace is still broken:
1. inputs.ebpf.socket.uprobe.tls.enabled: true
2. - match_regex: ^nginx
     only_in_container: false
     enabled_features: [ebpf.socket.uprobe.tls, proc.gprocess_info]

Agent log: [image]

How to reproduce

No response

DeepFlow version

No response

DeepFlow agent list

No response

Kubernetes CNI

No response

Operation-System/Kernel version

No response

Anything else

No response

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
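A first host-side check a practitioner would run before digging into the agent, added here as example code that is not part of the issue or of DeepFlow: uprobe-based TLS tracing attaches to OpenSSL inside the traced process, so it is assumed here that each nginx worker must map a shared libssl for the hook to have anything to attach to (a statically linked OpenSSL, or a worker that has not yet loaded libssl, leaves nothing to probe). The maps file content is constructed; the `^nginx` prefix mirrors the issue's match_regex.

```shell
#!/bin/sh
# Added diagnostic, not DeepFlow tooling: confirm nginx workers map a shared
# libssl, the precondition assumed here for a libssl uprobe TLS hook.

# Print the path of the first libssl mapping in a /proc/<pid>/maps file.
# Exit status 0 when found, 1 when the process maps no libssl.so at all.
libssl_mapping() {
    maps_file="$1"
    # maps columns: address perms offset dev inode path -> path is $6
    awk '$6 ~ /libssl\.so/ { print $6; found = 1; exit }
         END { exit !found }' "$maps_file"
}

# Walk every running process whose name starts with "nginx" (same prefix as
# the agent's match_regex ^nginx) and report its libssl mapping, if any.
check_running_nginx() {
    for pid in $(pgrep '^nginx' 2>/dev/null); do
        if lib=$(libssl_mapping "/proc/$pid/maps"); then
            echo "pid $pid: libssl mapped at $lib"
        else
            echo "pid $pid: no libssl.so mapping (static OpenSSL, or TLS not loaded yet)"
        fi
    done
}

# Constructed sample maps content (OpenSSL 1.1 shared objects on aarch64),
# so the parser can be exercised offline without a running nginx.
SAMPLE_MAPS=$(mktemp)
cat > "$SAMPLE_MAPS" <<'EOF'
aaaae1e80000-aaaae1f40000 r-xp 00000000 fd:00 1234 /usr/sbin/nginx
ffff9c400000-ffff9c480000 r-xp 00000000 fd:00 5678 /usr/lib64/libssl.so.1.1
ffff9c500000-ffff9c700000 r-xp 00000000 fd:00 5679 /usr/lib64/libcrypto.so.1.1
EOF

# Constructed sample of a worker with no libssl mapping at all.
STATIC_MAPS=$(mktemp)
printf '%s\n' 'aaaae1e80000-aaaae1f40000 r-xp 00000000 fd:00 1234 /usr/sbin/nginx' > "$STATIC_MAPS"

libssl_mapping "$SAMPLE_MAPS" || echo "sample: no libssl mapping"
libssl_mapping "$STATIC_MAPS" || echo "static sample: no libssl mapping"
check_running_nginx
```

On the host from the issue, run it as root so /proc/<pid>/maps of the nginx workers is readable.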

Labels: bug (Something isn't working)
