nginx p2p traffic forwarding: node does not send SNI (Server Name Indication)
[Issue category]
- bug
- P2P network related (including libp2p, liquid)
- Chain account identity and permissions (certificate issues, public, multi-sig voting issues)
- Core transaction engine (transaction pool, DAG)
- Consensus related
- Smart contract related
- Storage related
- SDK related
- ChainMaker CMC tool
- ChainMaker management console
- ChainMaker explorer
- ChainMaker contract IDE
- ChainMaker web signing plugin
- Cross-chain related
- Light node related
- Privacy computing related
- Cryptography related
- Environment dependencies
- Other notes:
[Issue description] (please describe the issue to help locate it)
[Observed behavior]
A ChainMaker node is configured with nginx forwarding its p2p traffic. When the blockchain node establishes the SSL connection it does not send SNI (Server Name Indication), so the nginx map matches an empty server name.
[Steps to reproduce]
- nginx config

```nginx
user root root;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

error_log /var/log/nginx/error.log debug;

stream {
    upstream org1_node1 { server 10.0.2.15:12005; }
    upstream org2_node2 { server 10.0.2.15:12006; }

    # No `default` entry: a ClientHello without SNI leaves
    # $ssl_preread_server_name empty, so $targetBackend is "" as well
    # (this is the `no host in upstream ""` 500 in the error log).
    map $ssl_preread_server_name $targetBackend {
        node1.tls.org1 org1_node1;
        node2.tls.org2 org2_node2;
    }

    server {
        listen 3004;
        ssl_preread on;
        proxy_pass $targetBackend;
    }
}
```
- Certificate dump

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 586131 (0x8f193)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = cn, ST = beijing, L = beijing, O = org1, OU = root-cert, CN = ca.org1
        Validity
            Not Before: Dec 23 06:58:48 2024 GMT
            Not After : Dec 21 06:58:48 2033 GMT
        Subject: C = cn, ST = beijing, L = beijing, O = org1, OU = consensus, CN = node1.tls.org1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:bd:64:10:57:97:30:f7:b2:8e:73:08:54:d7:93:
                    69:4a:6f:7b:35:d0:d3:43:01:02:cc:aa:40:b2:73:
                    1b:07:28:9c:46:2e:4f:01:4b:b5:23:f4:34:30:15:
                    cf:9c:ef:86:4b:d7:a8:0d:86:0f:90:90:58:f3:b6:
                    6c:1c:72:9b:0b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Subject Key Identifier:
                B9:8F:DF:21:89:33:A7:D3:84:61:6F:F1:98:72:EF:26:A9:BE:13:E0:D3:B1:BC:82:93:BC:47:7A:C7:EE:1B:A2
            X509v3 Authority Key Identifier:
                keyid:E3:E3:99:83:BB:AD:28:64:4E:0F:09:72:97:61:29:C9:52:A7:78:FB:47:6B:5A:C1:9D:4F:9A:79:9F:C3:83:19
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:chainmaker.org, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f8:55:24:cc:0f:63:b2:4c:fb:8f:d0:fc:c7:
         4b:f8:ea:2b:66:a1:13:0f:58:2d:87:4b:c9:2b:61:10:cc:19:
         17:02:20:26:fb:8e:8b:8f:58:04:75:03:d7:9d:d6:5c:ae:d8:
         c2:9e:57:d9:8e:e6:1c:ae:0c:f2:65:56:3a:a7:f7:c1:d1
```
- chainmaker.yml seed config

```yaml
net:
  provider: LibP2P
  listen_addr: /ip4/0.0.0.0/tcp/12005
  seeds:
    - /ip4/10.0.2.15/tcp/12006/p2p/QmXvyDDUy9adSoDc6rBMCMYnAKhwFVhqLZgj23ehaGgxGJ
    - /dns/node3.tls.org3/tcp/3004/p2p/QmRA3Ldjv5JTFS8UL1Da294HEsU4Z3ik54EkCmZbXtGwDD
    - /dns/node4.tls.org4/tcp/3004/p2p/QmUTisgDPd8W7WjeLfRXE1zyBbMPuWwJZa5bQhZJasifJ7
    - /ip4/10.0.2.15/tcp/12005/p2p/QmU4c2dzhyH2KDDNek8S2rhudCSHHfYxgyaSU2LmFzZ39b
  tls:
    enabled: true
    priv_key_file: ../config/certs/node/node1.tls.key
    cert_file: ../config/certs/node/node1.tls.crt
```
- /etc/hosts config

```text
192.168.100.121 node1.tls.org1
192.168.100.121 node2.tls.org2
192.168.100.121 node3.tls.org3
192.168.100.121 node4.tls.org4
```
[Related log files] (if there are error logs, please paste a screenshot or upload an attachment)
- nginx log

```text
2024/12/27 10:59:08 [debug] 1161#1161: *58 event timer del: 9: 4072705
2024/12/27 10:59:08 [debug] 1161#1161: *58 tcp_nodelay
2024/12/27 10:59:08 [debug] 1161#1161: *58 proxy connection handler
2024/12/27 10:59:08 [debug] 1161#1161: *58 malloc: 0000563E65C998B0:448
2024/12/27 10:59:08 [debug] 1161#1161: *58 malloc: 0000563E65D24CB0:16384
2024/12/27 10:59:08 [debug] 1161#1161: *58 stream map started
2024/12/27 10:59:08 [debug] 1161#1161: *58 stream map: "" ""
2024/12/27 10:59:08 [debug] 1161#1161: *58 stream script var: ""
2024/12/27 10:59:08 [error] 1161#1161: *58 no host in upstream "", client: 10.0.2.2, server: 0.0.0.0:3004, bytes from/to client:0/0, bytes from/to upstream:0/0
2024/12/27 10:59:08 [debug] 1161#1161: *58 finalize stream proxy: 500
2024/12/27 10:59:08 [debug] 1161#1161: *58 finalize stream session: 500
2024/12/27 10:59:08 [debug] 1161#1161: *58 stream log handler
2024/12/27 10:59:08 [debug] 1161#1161: *58 close stream connection: 9
2024/12/27 10:59:08 [debug] 1161#1161: *58 reusable connection: 0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65D24CB0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65C998B0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65D20CA0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65C99CA0, unused: 0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65C815F0, unused: 0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65C7CF30, unused: 0
2024/12/27 10:59:08 [debug] 1161#1161: *58 free: 0000563E65C9B1E0, unused: 104
2024/12/27 10:59:08 [debug] 1161#1161: timer delta: 0
2024/12/27 10:59:08 [debug] 1161#1161: worker cycle
2024/12/27 10:59:08 [debug] 1161#1161: epoll timer: -1
```
- Node log

```text
2024-12-27 10:19:58.219 [WARN] [Net] libp2pnet/libp2p_net.go:412 [Net] send msg failed, node not connected, nodeId: [QmUTisgDPd8W7WjeLfRXE1zyBbMPuWwJZa5bQhZJasifJ7]
2024-12-27 10:19:58.275 [INFO] [Net] libp2pnet/libp2p_connection_supervisor.go:186 [ConnSupervisor] try to connect to peer failed(peer: {QmUTisgDPd8W7WjeLfRXE1zyBbMPuWwJZa5bQhZJasifJ7: [/dns/node4.tls.org4/tcp/5004]}, times: 11),failed to dial QmUTisgDPd8W7WjeLfRXE1zyBbMPuWwJZa5bQhZJasifJ7: all dials failed
  * [/ip4/172.16.81.7/tcp/5004] failed to negotiate security protocol: EOF
2024-12-27 10:19:58.275 [INFO] [Net] libp2pnet/libp2p_connection_supervisor.go:186 [ConnSupervisor] try to connect to peer failed(peer: {QmRA3Ldjv5JTFS8UL1Da294HEsU4Z3ik54EkCmZbXtGwDD: [/dns/node3.tls.org3/tcp/5004]}, times: 11),failed to dial QmRA3Ldjv5JTFS8UL1Da294HEsU4Z3ik54EkCmZbXtGwDD: all dials failed
  * [/ip4/172.16.81.7/tcp/5004] failed to negotiate security protocol: EOF
```
[System information] (please fill in the system information to help locate the issue)
- chainmaker-go version *: [v2.3.0]
- OS & version *: Ubuntu 20.04.6 LTS
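The mechanics behind the empty map match, as an added example (not ChainMaker or nginx code): nginx's `ssl_preread` only peeks at the TLS record carrying the ClientHello and reads its `server_name` extension. A ClientHello that carries no such extension yields `$ssl_preread_server_name` == "", and because the map above has no `default` entry, `$targetBackend` is "" as well, which is exactly the `no host in upstream ""` line in the nginx log. The script below generates real ClientHellos with OpenSSL through memory BIOs (one with SNI `node1.tls.org1`, one with no SNI at all, standing in for the node's libp2p dialer as nginx sees it), parses the extension the way the preread module does, and feeds the result through the same two-entry map. `TARGET_BACKEND`, `route()` and the other function names are this example's own; the map entries and hostnames are the ones from the report.

```python
"""Reproduce what nginx ssl_preread does with the SNI in a TLS ClientHello.

Added example; none of this is ChainMaker or nginx code. It runs offline:
the ClientHellos are produced by OpenSSL via ssl.MemoryBIO, no sockets.
"""
import ssl
import struct

# Stands in for:  map $ssl_preread_server_name $targetBackend { ... }
# (hypothetical name; the two entries are those from the nginx config above).
TARGET_BACKEND = {
    "node1.tls.org1": "org1_node1",
    "node2.tls.org2": "org2_node2",
}


def client_hello_bytes(server_hostname=None) -> bytes:
    """Produce a genuine TLS ClientHello with OpenSSL, without a network.

    With server_hostname=None OpenSSL omits the server_name extension, which
    is what the node's TLS dialer looks like from nginx's point of view.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now in `outgoing`; the server reply never comes
    return outgoing.read()


def sni_from_client_hello(data: bytes):
    """Return the host_name from a ClientHello record, or None if absent.

    Same peek nginx's ssl_preread performs: TLS record header, handshake
    header, skip the fixed ClientHello fields, then walk the extensions.
    """
    if len(data) < 5 or data[0] != 0x16:             # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # handshake type 1 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # legacy_version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                        # server_name, RFC 6066
            p = 2                                     # skip ServerNameList length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                    # host_name
                    return name.decode("ascii")
    return None


def route(data: bytes) -> str:
    """What `proxy_pass $targetBackend` ends up with: "" when SNI is missing or unmapped."""
    name = sni_from_client_hello(data) or ""
    return TARGET_BACKEND.get(name, "")


if __name__ == "__main__":
    for host in ("node1.tls.org1", None):
        hello = client_hello_bytes(host)
        print(f"sni={sni_from_client_hello(hello)!r:>18} -> upstream {route(hello)!r}")
```

A `default` entry in the map would only turn the 500 into a fixed choice; it cannot recover per-node routing when the peer never names the server. Without SNI the stream proxy has nothing to select on but the socket it accepted the connection on, so one `listen` port per upstream (or routing on the destination address) is the workable layout for a TLS endpoint whose client does not send SNI.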