curl returns 400 when requesting an https resource


I configured a new domain on nginx and, out of habit, requested it with curl to check for configuration mistakes.

Since it is https, I ran:

$ curl 'https://test.test.com/' -x 127.0.0.1:443 -i -L  
HTTP/1.1 400 Bad Request  
Server: nginx/1.9.12  
Date: Mon, 08 Aug 2016 07:56:21 GMT  
Content-Type: text/html  
Content-Length: 173  
Connection: close  
  
curl: (56) Received HTTP code 400 from proxy after CONNECT  

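A 400... ToT

With a hosts entry and a browser, the page came back normally... @.@

So curl must be missing some parameter.

In the access log on the server, I saw entries like the following: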

[08/Aug/2016:16:07:27 +0800] "CONNECT test.test.com:443 HTTP/1.1" 400 173 "-" "-" "-"  

So I tried the same thing against Baidu first:

# curl 'https://www.baidu.com/' -i -L -v  
* About to connect() to www.baidu.com port 443 (#0)  
*   Trying 14.215.177.38... connected  
* Connected to www.baidu.com (14.215.177.38) port 443 (#0)  
* Initializing NSS with certpath: sql:/etc/pki/nssdb  
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt  
  CApath: none  
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA  
* Server certificate:  
*   subject: CN=baidu.com,OU=service operation department,O="Beijing Baidu Netcom Science Technology Co., Ltd.",L=Beijing,ST=Beijing,C=CN  
*   start date: Sep 17 00:00:00 2015 GMT  
*   expire date: Aug 31 23:59:59 2016 GMT  
*   common name: baidu.com  
*   issuer: CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US  
> GET / HTTP/1.1  
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2  
> Host: www.baidu.com  
> Accept: */*  
>  
< HTTP/1.1 200 OK  
HTTP/1.1 200 OK  
< Server: bfe/1.0.8.14  
Server: bfe/1.0.8.14  
< Date: Mon, 08 Aug 2016 08:11:00 GMT  
Date: Mon, 08 Aug 2016 08:11:00 GMT  
< Content-Type: text/html  
Content-Type: text/html  
< Content-Length: 227  
Content-Length: 227  
< Connection: keep-alive  
Connection: keep-alive  
< Last-Modified: Thu, 09 Oct 2014 10:47:57 GMT  
Last-Modified: Thu, 09 Oct 2014 10:47:57 GMT  
< Set-Cookie: BD_NOT_HTTPS=1; path=/; Max-Age=300  
Set-Cookie: BD_NOT_HTTPS=1; path=/; Max-Age=300  
< Set-Cookie: BIDUPSID=4264F64D03A9A0D1FE68735BBB55FF4E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com  
Set-Cookie: BIDUPSID=4264F64D03A9A0D1FE68735BBB55FF4E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com  
< Set-Cookie: PSTM=1470643860; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com  
Set-Cookie: PSTM=1470643860; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com  
< P3P: CP=" OTI DSP COR IVA OUR IND COM "  
P3P: CP=" OTI DSP COR IVA OUR IND COM "  
< X-UA-Compatible: IE=Edge,chrome=1  
X-UA-Compatible: IE=Edge,chrome=1  
< Pragma: no-cache  
Pragma: no-cache  
< Cache-control: no-cache  
Cache-control: no-cache  
< Strict-Transport-Security: max-age=0  
Strict-Transport-Security: max-age=0  
< Accept-Ranges: bytes  
Accept-Ranges: bytes  
< Set-Cookie: __bsi=13639875133713009970_00_301_N_N_1_0301_002F_N_N_N_0; expires=Mon, 08-Aug-16 08:11:05 GMT; domain=www.baidu.com; path=/  
Set-Cookie: __bsi=13639875133713009970_00_301_N_N_1_0301_002F_N_N_N_0; expires=Mon, 08-Aug-16 08:11:05 GMT; domain=www.baidu.com; path=/  
  
  
<  
<html>  
<head>  
    <script>  
        location.replace(location.href.replace("https://","http://"));  
    </script>  
</head>  
<body>  
    <noscript><meta http-equiv="refresh" content="0;url=http://www.baidu.com/"></noscript>  
</body>  
* Connection #0 to host www.baidu.com left intact  
* Closing connection #0  
</html>
# curl 'https://www.baidu.com/' -i -L -v  -x '103.235.46.39:443'    ### 103.235.46.39 is the IP returned when resolving through the 8.8.8.8 DNS server  
* About to connect() to proxy 103.235.46.39 port 443 (#0)  
*   Trying 103.235.46.39... connected  
* Connected to 103.235.46.39 (103.235.46.39) port 443 (#0)  
* Establish HTTP proxy tunnel to www.baidu.com:443  
> CONNECT www.baidu.com:443 HTTP/1.1  
> Host: www.baidu.com:443  
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2  
> Proxy-Connection: Keep-Alive  
>  
< HTTP/1.1 302 Moved Temporarily  
HTTP/1.1 302 Moved Temporarily  
< Server: bfe/1.0.8.14  
Server: bfe/1.0.8.14  
< Date: Mon, 08 Aug 2016 07:49:07 GMT  
Date: Mon, 08 Aug 2016 07:49:07 GMT  
< Content-Type: text/html  
Content-Type: text/html  
< Content-Length: 161  
Content-Length: 161  
< Connection: close  
Connection: close  
< Location: https://www.baidu.com/search/error.html  
Location: https://www.baidu.com/search/error.html  
<  
* Received HTTP code 302 from proxy after CONNECT  
* Closing connection #0  
curl: (56) Received HTTP code 302 from proxy after CONNECT  

 

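The two requests for the Baidu home page differ only in the -x option, which confirms that this option is the culprit.

In fact, these two lines in the output stand out: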

* Establish HTTP proxy tunnel to www.baidu.com:443  
> CONNECT www.baidu.com:443 HTTP/1.1  

 

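In the curl man page, the first sentence describing the -x option is 'Use the specified proxy'.

So the rough cause is that, because of -x, curl treats 127.0.0.1:443 as an HTTP proxy.

For an https request, curl first sends a CONNECT request to the proxy.

However, nginx does not implement the CONNECT method,

so the client fails immediately with an error.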

 

Solution: so far I have only seen a workaround, which is to change the way the request is made.

# This request fails with a certificate error  
curl 'https://127.0.0.1/' -H 'Host:test.test.com' -i -L -v  
# Add -k to skip certificate verification; the request succeeds  
curl 'https://127.0.0.1/' -H 'Host:test.test.com' -i -L -v -k  
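
A variant of the workaround that keeps certificate verification on (an added example, not from the original post; the function names are hypothetical). With `https://127.0.0.1/` in the URL, curl checks the certificate against 127.0.0.1 and sends no SNI for test.test.com, so `-k` also hides any real certificate mistake on the new domain. `--resolve` pins the name to the address while the URL keeps the real hostname; it assumes curl 7.21.3 or later, which is newer than the 7.19.7 shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Host, IP and port are the caller's.
# --resolve needs curl >= 7.21.3 (the curl 7.19.7 seen in the post predates it).

# Build the --resolve entry "host:port:ip" that pins the name to one address.
resolve_entry() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Map a curl exit code to what it says about the vhost under test.
explain_curl_rc() {
    case "$1" in
        0)     echo "ok: TLS verified for the requested name" ;;
        7)     echo "connect failed: nothing listening on that ip:port" ;;
        35)    echo "TLS handshake failed" ;;
        51|60) echo "certificate rejected: wrong name or untrusted chain" ;;
        56)    echo "receive error: e.g. the proxy refused CONNECT, as in the post" ;;
        *)     echo "curl exit code $1" ;;
    esac
}

# probe_vhost HOST IP [PORT]: request https://HOST/ from IP without any proxy.
# The URL keeps the real name, so SNI, Host and the certificate check all use it.
probe_vhost() {
    host=$1 ip=$2 port=${3:-443}
    entry=$(resolve_entry "$host" "$port" "$ip") || {
        echo "usage: probe_vhost HOST IP [PORT]" >&2
        return 2
    }
    rc=0
    # --noproxy '*' also ignores proxy environment variables such as https_proxy.
    out=$(curl -sS --noproxy '*' --resolve "$entry" -o /dev/null \
          -w '%{http_code}' "https://$host:$port/") || rc=$?
    echo "http_code: ${out:-none}"
    explain_curl_rc "$rc"
    return "$rc"
}

# Example run on the server being configured (uncomment to use):
# probe_vhost test.test.com 127.0.0.1
```

A certificate error from this probe points at the new server block itself (wrong certificate, missing chain, or the default server answering), which the `-k` request cannot show.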

 

 

Reference: http://blog.csdn.net/tacuhuh/article/details/52152695

 

