I moved my domain to Cloudflare and I am now trying to use Cloudflare's SSL feature.
I already have an SSL certificate from StartSSL, so I could change the setting to "Full (Strict)", but I don't want to do that, so I changed it to "Full".
Now I get a 525 error, and after "Retry for a live version" everything works. But I get this error every time.
Does anyone have any ideas?
Thanks
Change Cloudflare's SSL/TLS encryption mode to "Flexible". That worked for me.
A 525 error means that Cloudflare was unable to contact your origin server and establish an SSL connection.
This may be due to the following reasons:
Try contacting your hosting provider for help and make sure your SSL certificate is set up correctly. If you are using a control panel, a quick Google search will find the installation guide for that control panel.
I ran into the same problem a few days ago. Our DevOps contacted the support team and found that Cloudflare had changed the certificate type or something like that. We asked for everything to be put back the way it was. That helped.
export default {
  async fetch(request, env, ctx) {
    if (request.body) {
      // This request has a body, i.e. it's submitting some information to
      // the server, not just requesting a web page. If we wanted to be able
      // to retry such requests, we'd have to buffer the body so that we
      // can send it twice. That is expensive, so instead we'll just hope
      // that these requests (which are relatively uncommon) don't fail.
      // So we just pass the request to the server and return the response
      // normally.
      return fetch(request);
    }
    // Try the request the first time.
    let response = await fetch(request);
    if (response.status == 520) {
      // The server returned status 520. Let's retry the request. But
      // we'll only retry once, since we don't want to get stuck in an
      // infinite retry loop.
      // Let's discard the previous response body. This is not strictly
      // required but it helps let the Workers Runtime know that it doesn't
      // need to hold open the HTTP connection for the failed request.
      await response.arrayBuffer();
      // OK, now we retry the request, and replace the response with the
      // new version.
      response = await fetch(request);
    }
    if (response.status == 525) {
      // The server returned status 525. Let's retry the request. But
      // we'll only retry once, since we don't want to get stuck in an
      // infinite retry loop.
      // Let's discard the previous response body. This is not strictly
      // required but it helps let the Workers Runtime know that it doesn't
      // need to hold open the HTTP connection for the failed request.
      await response.arrayBuffer();
      // OK, now we retry the request, and replace the response with the
      // new version.
      response = await fetch(request);
    }
    return response;
  }
}
worker2.js
export default {
  async fetch(request) {
    const DEFAULT_SECURITY_HEADERS = {
      /*
      Secure your application with Content-Security-Policy headers.
      Enabling these headers will permit content from a trusted domain and all its subdomains.
      @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
      "Content-Security-Policy": "default-src 'self' example.com *.example.com",
      */
      // "Content-Security-Policy": "script-src 'unsafe-eval' 'unsafe-inline' https:",
      /*
      You can also set Strict-Transport-Security headers.
      These are not automatically set because your website might get added to Chrome's HSTS preload list.
      Here's the code if you want to apply it:
      "Strict-Transport-Security" : "max-age=63072000; includeSubDomains; preload",
      */
      // "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
      /*
      Permissions-Policy header provides the ability to allow or deny the use of browser features, such as opting out of FLoC - which you can use below:
      "Permissions-Policy": "interest-cohort=()",
      */
      // "Permissions-Policy": "interest-cohort=()",
      /*
      X-XSS-Protection header prevents a page from loading if an XSS attack is detected.
      @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
      */
      "X-XSS-Protection": "0",
      /*
      X-Frame-Options header prevents click-jacking attacks.
      @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
      */
      "X-Frame-Options": "SAMEORIGIN",
      /*
      X-Content-Type-Options header prevents MIME-sniffing.
      @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
      */
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Cross-Origin-Embedder-Policy": 'require-corp; report-to="default";',
      "Cross-Origin-Opener-Policy": 'same-site; report-to="default";',
      "Cross-Origin-Resource-Policy": "same-site",
    };
    // Headers that leak implementation details (or are obsolete) and are stripped from every response.
    const BLOCKED_HEADERS = [
      "Public-Key-Pins",
      "X-Powered-By",
      "X-AspNet-Version",
    ];
    let response = await fetch(request);
    let newHeaders = new Headers(response.headers);
    // TLS version negotiated between the client and Cloudflare's edge.
    const tlsVersion = request.cf.tlsVersion;
    console.log(tlsVersion);
    // This sets the headers for HTML responses only; other content types are passed through unchanged:
    if (
      newHeaders.has("Content-Type") &&
      !newHeaders.get("Content-Type").includes("text/html")
    ) {
      return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: newHeaders,
      });
    }
    Object.keys(DEFAULT_SECURITY_HEADERS).forEach((name) => {
      newHeaders.set(name, DEFAULT_SECURITY_HEADERS[name]);
    });
    BLOCKED_HEADERS.forEach((name) => {
      newHeaders.delete(name);
    });
    if (tlsVersion !== "TLSv1.2" && tlsVersion !== "TLSv1.3") {
      return new Response("You need to use TLS version 1.2 or higher.", {
        status: 400,
      });
    } else {
      return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: newHeaders,
      });
    }
  },
};
/* css */
async function handleRequest(request) {
  let resp = await fetch(request.url, request);
  // Copy the response so its headers can be modified.
  let newResp = new Response(resp.body, {
    headers: resp.headers,
    status: resp.status,
  });
  if (request.url.endsWith(".css")) {
    newResp.headers.set("Content-Type", "text/css");
  }
  if (request.url.endsWith(".js")) {
    newResp.headers.set("Content-Type", "text/javascript");
  }
  return newResp;
}
addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
I ran into the same problem today and found that (at least in my case) the missing TLS v1.3 was the cause.
I had just built a server with nginx + php-fpm and a self-signed SSL certificate to use behind the Cloudflare proxy.
When I switched from the production server to this new server, it returned a 525 error.
I ran the command:
curl -I https://your_server_public_ip/
and it returned the error:
error: 1408F10B: SSL routines: ssl3_get_record: wrong version number
This error is described in the Cloudflare community: https://community.cloudflare.com/t/community-tip-fixing-error-525-ssl-handshake-failed/44256
They suggest turning off TLS v1.3 in the Cloudflare dashboard, but I decided to try installing it instead.
It is very easy with nginx, and I don't see why you would turn it off.
Just add TLSv1.3 like this: ssl_protocols TLSv1.2 TLSv1.3;
in your nginx/snippets/ssl-params.conf file (the default on Ubuntu 20 and 18). This will work, and you can still use the newest and most secure protocol.
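A way to see what Cloudflare's "Full" handshake to the origin will see, as an added example that is not part of any answer in this thread: it opens a TLS session to the origin IP with the site hostname as SNI (which is how Cloudflare connects), optionally verifying the certificate as "Full (strict)" would, and maps OpenSSL errors such as the "wrong version number" quoted above to their likely cause. The IP and hostname in the usage call are placeholders.

```python
import socket
import ssl

# OpenSSL error fragments and what they mean for a 525 on the origin side.
# "wrong version number" is the error quoted in the thread: the origin answered
# with something that is not a TLS record (plain HTTP on :443, or TLS disabled).
CAUSES = [
    ("wrong version number", "origin is not speaking TLS on this port"),
    ("unsupported protocol", "origin offers no TLS 1.2/1.3 (check ssl_protocols)"),
    ("protocol version", "origin rejected the TLS version (check ssl_protocols)"),
    ("handshake failure", "no common cipher suite, or no certificate for this SNI name"),
    ("certificate verify failed", "untrusted certificate: Full works, Full (strict) fails"),
]


def classify_tls_error(message):
    """Map an ssl.SSLError message to a likely cause of the 525."""
    lowered = message.lower()
    for fragment, cause in CAUSES:
        if fragment in lowered:
            return cause
    return "unclassified handshake failure: " + message


def probe_origin(ip, hostname, port=443, strict=False, timeout=5.0):
    """Handshake the way Cloudflare does in Full mode: connect to the origin IP,
    send `hostname` as SNI and require TLS 1.2+. strict=True mimics Full (strict)
    by also verifying the certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not strict:  # Full mode accepts any certificate, even self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as err:
        return {"ok": False, "cause": classify_tls_error(str(err))}
    except OSError as err:  # refused, timed out, unreachable: also surfaces as a 52x
        return {"ok": False, "cause": "tcp connect failed: %s" % err}


if __name__ == "__main__":
    # Placeholders: put your origin's public IP and the site hostname here.
    print(probe_origin("203.0.113.10", "www.example.com"))
    print(probe_origin("203.0.113.10", "www.example.com", strict=True))
```

Run it once with `strict=False` and once with `strict=True`: if only the strict probe fails, the certificate (not the protocol) is what blocks "Full (strict)".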