Notes on fixing 502 errors when reverse-proxying GitLab resources with Nginx
Recently, while using Nginx to reverse-proxy static resources hosted on GitLab, I ran into intermittent 502 errors. Analysis of the error log showed that these errors were mostly connection timeouts:

```text
[error] connect() failed (110: Connection timed out) while connecting to upstream
```
Problem analysis
Research suggested that this problem is most likely related to GitLab checking where requests come from. When the proxy server forwards a request, it carries a large amount of original client information, which may trigger GitLab's security restrictions.
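Before touching headers, it is worth confirming which phase of the upstream exchange actually failed. nginx logs `connect() failed (110: Connection timed out) while connecting to upstream` when the TCP connection to the upstream does not complete within `proxy_connect_timeout`, that is, before any request headers have been sent, whereas `upstream timed out ... while reading response header from upstream` means the request went out and no answer came back in time. The following Python script is an added example, not part of the original post: it parses nginx `error_log` lines (the sample lines are constructed for this example and use documentation IP addresses), classifies each upstream failure by phase, and counts failures per upstream address, so that the diagnosis can be checked against real logs before the configuration is changed.

```python
"""Group nginx error_log entries about upstream failures by phase.

Added example, not from the original post. The sample log lines below are
constructed for this example and use documentation IP addresses.
"""
import re
from collections import Counter

# Constructed sample: four upstream-related errors and one unrelated notice.
SAMPLE_ERROR_LOG = """\
2024/01/10 12:00:01 [error] 1234#1234: *501 connect() failed (110: Connection timed out) while connecting to upstream, client: 198.51.100.7, server: _, request: "GET /uploads/a.png HTTP/1.1", upstream: "https://203.0.113.10:443/uploads/a.png", host: "proxy.example.test"
2024/01/10 12:00:03 [error] 1234#1234: *502 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.8, server: _, request: "GET /uploads/b.png HTTP/1.1", upstream: "https://203.0.113.10:443/uploads/b.png", host: "proxy.example.test"
2024/01/10 12:00:05 [error] 1234#1234: *503 connect() failed (110: Connection timed out) while connecting to upstream, client: 198.51.100.9, server: _, request: "GET /uploads/c.png HTTP/1.1", upstream: "https://203.0.113.10:443/uploads/c.png", host: "proxy.example.test"
2024/01/10 12:00:07 [error] 1234#1234: *504 upstream prematurely closed connection while reading response header from upstream, client: 198.51.100.10, server: _, request: "GET /uploads/d.png HTTP/1.1", upstream: "https://203.0.113.11:443/uploads/d.png", host: "proxy.example.test"
2024/01/10 12:00:09 [notice] 1234#1234: signal process started
"""

# nginx error_log line layout:
# <date> <time> [<level>] <pid>#<tid>: *<conn> <message>, client: ..., server: ...,
#   request: "...", upstream: "...", host: "..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\*\d+ )?(?P<msg>.*?)'
    r'(?:, client: (?P<client>[^,]+))?'
    r'(?:, server: [^,]+)?'
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "[^"]*")?$'
)


def classify_message(msg: str) -> str:
    """Map the free-text part of an entry to the phase in which the upstream exchange failed."""
    if msg.startswith("connect() failed"):
        # TCP connect never completed: no request headers were sent yet.
        return "connect-timeout" if "Connection timed out" in msg else "connect-error"
    if msg.startswith("upstream timed out"):
        # Request was sent; no response within proxy_read_timeout / proxy_send_timeout.
        return "upstream-timeout"
    if msg.startswith("upstream prematurely closed"):
        return "upstream-closed"
    return "other"


def upstream_address(upstream_url: str) -> str:
    """Reduce nginx's upstream field (scheme://host:port/path) to host:port."""
    rest = upstream_url.split("://", 1)[-1]
    return rest.split("/", 1)[0]


def summarize(log_text: str) -> dict:
    """Count upstream failures by phase and by upstream address.

    Lines that do not parse or that carry no upstream field are counted in "skipped".
    """
    by_category: Counter = Counter()
    by_upstream: Counter = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("upstream") is None:
            skipped += 1
            continue
        by_category[classify_message(m.group("msg"))] += 1
        by_upstream[upstream_address(m.group("upstream"))] += 1
    return {"by_category": by_category, "by_upstream": by_upstream, "skipped": skipped}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ERROR_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against a real `error_log` by reading the file into `summarize`. A high `connect-timeout` count that is concentrated on one upstream address points at network reachability or an upstream that is not accepting connections, which header changes cannot fix; `upstream-timeout` and `upstream-closed` entries are the ones where the content of the forwarded request can matter.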
Solution
The fix addresses two areas:
1. Clean up and normalize the request headers
Client information that might trigger the restriction is removed, and the request identity is made uniform:
```nginx
# Remove client information
proxy_set_header X-Real-IP "";
proxy_set_header X-Forwarded-For "";
proxy_set_header REMOTE-HOST "";
# Use one fixed browser identity
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
# Normalize the Accept headers
proxy_set_header Accept "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8";
proxy_set_header Accept-Encoding "gzip, br";
proxy_set_header Accept-Language "en-US,en;q=0.9";
# Remove sensitive information
proxy_set_header Cookie "";
proxy_set_header Referer "";
proxy_set_header Origin "";
```
2. Add an error retry mechanism
To handle transient connection problems, a simple retry configuration was added:
```nginx
proxy_next_upstream error timeout http_502 http_503 http_504;
proxy_next_upstream_tries 3;
proxy_next_upstream_timeout 10s;
```
Effect of the changes
After applying these changes, 502 errors dropped significantly and service stability improved noticeably. The core idea of the solution is to "make the proxied request look more like an ordinary browser visit": strip unnecessary information and add a retry mechanism to improve reliability.
Lessons learned
- When configuring a reverse proxy, passing along more client information is not always better; sometimes it actually causes problems
- Using standard browser request headers reduces the chance of being identified as an automated tool
- A simple retry mechanism is effective for handling transient connection problems
Final configuration
```nginx
# Hotlink protection
valid_referers none blocked *.000714.xyz *.20000714.xyz *.baidu.com *.google.com *.githubusercontent.com *.github.com *.blueskyxn.com *.qq.com *.weixin.qq.com mp.weixin.qq.com 000714.xyz 20000714.xyz blueskyxn.xyz blueskyxn.com *.tencent.com;
if ($invalid_referer){
rewrite ^/ https://pic.rmb.bdstatic.com/bjh/9084d1b52d9225f9d3ee02bec47235cc.png redirect;
}
# SSL configuration
proxy_ssl_name gitlab.com;
proxy_ssl_server_name on;
proxy_pass https://gitlab.com;
proxy_ssl_protocols TLSv1.3 TLSv1.2;
proxy_ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
# Request header control
proxy_set_header Host gitlab.com;
proxy_set_header X-Real-IP "";
proxy_set_header X-Forwarded-For "";
proxy_set_header REMOTE-HOST "";
# Browser identity and content-negotiation headers
proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
proxy_set_header Accept "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8";
proxy_set_header Accept-Language "en-US,en;q=0.9";
proxy_set_header Accept-Encoding "gzip, br";
# Remove sensitive headers
proxy_set_header Cookie "";
proxy_set_header Referer "";
proxy_set_header Origin "";
# Connection tuning
proxy_http_version 1.1;
proxy_set_header Connection "keep-alive";
# Cache configuration
add_header X-Cache $upstream_cache_status;
proxy_ignore_headers Set-Cookie Cache-Control expires;
proxy_cache cache_one;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_valid 101 200 1440m;
proxy_cache_valid 304 301 302 1m;
proxy_cache_valid 404 10s;
expires 4h;
# Error handling
proxy_next_upstream error timeout http_502 http_503 http_504;
proxy_next_upstream_tries 3;
proxy_next_upstream_timeout 10s;
```
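The `valid_referers` line at the top of the final configuration decides which `Referer` values may fetch the cached resources; every other request is redirected to the placeholder image. In nginx, `*.example.com` matches sub-domains at any depth but not the bare `example.com` (which is why the list names both `*.000714.xyz` and `000714.xyz`), and `blocked` accepts a `Referer` that is present but carries no `http://` or `https://` prefix, so such a list is easy to get subtly wrong. The following Python model is an added example, not nginx's code and not part of the original post: it reimplements the matching rules of `ngx_http_referer_module` for the parameter kinds this list uses (`none`, `blocked`, exact names and leading-wildcard names; URI prefixes, regular expressions and `server_names` are not modelled), so a list can be checked against sample `Referer` values offline before it is deployed.

```python
"""Offline model of the nginx valid_referers check.

Added example, not nginx's own code and not from the original post. Models
"none", "blocked", exact names and "*.example.com" names only; URI prefixes,
regular expressions and "server_names" are not handled.
"""

# The parameter list copied from the page's final configuration.
VALID_REFERERS = (
    "none blocked *.000714.xyz *.20000714.xyz *.baidu.com *.google.com "
    "*.githubusercontent.com *.github.com *.blueskyxn.com *.qq.com "
    "*.weixin.qq.com mp.weixin.qq.com 000714.xyz 20000714.xyz blueskyxn.xyz "
    "blueskyxn.com *.tencent.com"
)


def parse_valid_referers(spec: str) -> dict:
    """Split a valid_referers parameter list into the pieces the matcher needs."""
    rules = {"none": False, "blocked": False, "exact": set(), "suffix": set()}
    for token in spec.split():
        if token == "none":
            rules["none"] = True
        elif token == "blocked":
            rules["blocked"] = True
        elif token.startswith("*."):
            # "*.example.com" matches hosts ending in ".example.com" at any depth,
            # but not the bare "example.com" itself.
            rules["suffix"].add(token[1:].lower())
        else:
            rules["exact"].add(token.lower())
    return rules


def referer_host(referer: str):
    """Return the host part nginx compares, or None when the value has no http(s) scheme."""
    lower = referer.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            rest = lower[len(scheme):]
            # nginx stops at the first '/' or ':', so a port is not part of the compared name.
            end = len(rest)
            for i, ch in enumerate(rest):
                if ch in "/:":
                    end = i
                    break
            return rest[:end]
    return None


def is_valid_referer(referer, rules: dict) -> bool:
    """True when nginx would leave $invalid_referer empty for this Referer value (None = header absent)."""
    if referer is None:
        return rules["none"]
    host = referer_host(referer)
    if host is None:
        # Header present but without http:// or https://: the "blocked" case.
        return rules["blocked"]
    if host in rules["exact"]:
        return True
    return any(host.endswith(suffix) for suffix in rules["suffix"])


if __name__ == "__main__":
    rules = parse_valid_referers(VALID_REFERERS)
    for sample in (None, "XXXXXXXX", "https://www.blueskyxn.com/post/1",
                   "https://baidu.com/", "https://evil.example.net/"):
        print(repr(sample), "->", "allowed" if is_valid_referer(sample, rules) else "redirected")
```

Two results are worth noticing when reviewing the page's list: `https://baidu.com/` is redirected because only `*.baidu.com` is listed, and any request with no `Referer` at all is allowed because of `none`, so the hotlink protection limits embedding from other sites but does not restrict direct fetches.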