Minio server behind Nginx throws error 104, connection reset by peer

I have set up a Minio instance behind Nginx. Whenever I sync a large folder using rclone, I get error 104, connection reset by peer, for some reason. I traced it with tcpdump to make sure it was not Nginx's fault, and it does not appear to be. Minio is sending the connection reset.

tcpdump output from my PC to nginx:

12:45:56.037558 IP mypc.lan.50299 > myserver.lan.https: Flags [P.], seq 210758:211258, ack 271369, win 513, length 500
12:45:56.037567 IP myserver.lan.https > mypc.lan.50299: Flags [.], ack 211258, win 4014, length 0
12:45:56.041378 IP myserver.lan.https > mypc.lan.50294: Flags [P.], seq 304261:304440, ack 231696, win 6722, length 179
12:45:56.073311 IP myserver.lan.https > mypc.lan.50297: Flags [P.], seq 315796:315975, ack 250662, win 4042, length 179
12:45:56.092129 IP mypc.lan.50297 > myserver.lan.https: Flags [P.], seq 250662:251204, ack 315975, win 513, length 542
12:45:56.092148 IP myserver.lan.https > mypc.lan.50297: Flags [.], ack 251204, win 4052, length 0
12:45:56.097786 IP mypc.lan.50294 > myserver.lan.https: Flags [.], ack 304440, win 511, length 0
12:45:56.113142 IP mypc.lan.50294 > myserver.lan.https: Flags [P.], seq 231696:232196, ack 304440, win 511, length 500
12:45:56.113152 IP myserver.lan.https > mypc.lan.50294: Flags [.], ack 232196, win 6742, length 0
12:45:56.121592 IP myserver.lan.https > mypc.lan.50293: Flags [P.], seq 354178:354357, ack 282451, win 4629, length 179
12:45:56.174268 IP mypc.lan.50293 > myserver.lan.https: Flags [.], ack 354357, win 513, length 0
12:45:56.179362 IP myserver.lan.https > mypc.lan.50296: Flags [P.], seq 269665:270001, ack 211252, win 3463, length 336

The corresponding tcpdump output on the loopback between nginx and minio:

12:45:56.092237 IP localhost.40782 > localhost.cslistener: Flags [.], ack 1, win 512, options [nop,nop,TS val 4256686849 ecr 4256686849], length 0
12:45:56.092256 IP localhost.40782 > localhost.cslistener: Flags [P.], seq 1:599, ack 1, win 512, options [nop,nop,TS val 4256686849 ecr 4256686849], length 598
12:45:56.092264 IP localhost.cslistener > localhost.40782: Flags [.], ack 599, win 507, options [nop,nop,TS val 4256686849 ecr 4256686849], length 0
12:45:56.113223 IP localhost.40786 > localhost.cslistener: Flags [S], seq 1989401545, win 65495, options [mss 65495,sackOK,TS val 4256686870 ecr 0,nop,wscale 7], length 0
12:45:56.113231 IP localhost.cslistener > localhost.40786: Flags [S.], seq 2441514866, ack 1989401546, win 65483, options [mss 65495,sackOK,TS val 4256686870 ecr 4256686870,nop,wscale 7], length 0
12:45:56.113237 IP localhost.40786 > localhost.cslistener: Flags [.], ack 1, win 512, options [nop,nop,TS val 4256686870 ecr 4256686870], length 0
12:45:56.113253 IP localhost.40786 > localhost.cslistener: Flags [P.], seq 1:557, ack 1, win 512, options [nop,nop,TS val 4256686870 ecr 4256686870], length 556
12:45:56.113256 IP localhost.cslistener > localhost.40786: Flags [.], ack 557, win 508, options [nop,nop,TS val 4256686870 ecr 4256686870], length 0
12:45:56.121528 IP localhost.cslistener > localhost.40026: Flags [R.], seq 1, ack 557, win 512, options [nop,nop,TS val 4256686878 ecr 4256686639], length 0
12:45:56.179288 IP localhost.cslistener > localhost.40766: Flags [R.], seq 1, ack 653, win 512, options [nop,nop,TS val 4256686936 ecr 4256686696], length 0

However, when I open port 9000 and sync the same large folder directly using rclone, I don't get that error at all. Here is the tcpdump output where the error does not occur:

12:44:00.253537 IP myserver.lan.cslistenedomacica.r > mypc.lan.49493: Flags [P.], seq 993647:994206, ack 681899, win 9686, length 559
12:44:00.253622 IP mypc.lan.49496 > myserver.lan.cslistener: Flags [P.], seq 530108:530599, ack 991128, win 513, length 491
12:44:00.254002 IP myserver.lan.cslistener > mypc.lan.49488: Flags [P.], seq 1007299:1007860, ack 690855, win 9674, length 561
12:44:00.254018 IP myserver.lan.cslistener > mypc.lan.49496: Flags [P.], seq 991128:991690, ack 530599, win 9662, length 562
12:44:00.254031 IP myserver.lan.cslistener > mypc.lan.49487: Flags [P.], seq 1039391:1039932, ack 653371, win 9709, length 541

I don't see the difference between the two processes.

I'm also adding my nginx site config in case anyone notices something wrong here.

server {
  server_name something;

  set $test 0;
  if ( $host != "something" ) {
    set $test 1;
  }
  if ( $host != "something" ) {
    set $test 1$test;
  }
  if ( $test = 11 ) {
    return 444;
  }

  # Allow special characters in headers
  ignore_invalid_headers off;
  # Allow any size file to be uploaded.
  # Set to a value such as 1000m; to restrict file size to a specific value
  client_max_body_size 0;
  # Disable buffering
  proxy_buffering off;
  proxy_request_buffering off;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_connect_timeout 300;
    # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    chunked_transfer_encoding off;

    proxy_pass http://127.0.0.1:9000;
  }

  location /ui/ {
    rewrite ^/ui/(.*) /$1 break;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;

    # This is necessary to pass the correct IP to be hashed
    real_ip_header X-Real-IP;

    proxy_connect_timeout 300;

    # To support websockets in MinIO versions released after January 2023
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    chunked_transfer_encoding off;

    proxy_pass http://127.0.0.1:9091;

  }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/something/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/something/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_verify_depth 2;
    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/certs/ca.crt;

}

server {
    if ($host = something) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = something) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



  listen 80;
  listen [::]:80;
  server_name something;
    return 404; # managed by Certbot

}
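
The check described in the post, reading the loopback capture to see which side of the nginx-to-Minio hop sends the reset, can be scripted. This is an added example, not part of the original post: `find_resets`, `backend_port` and the record keys are made up for illustration, the sample lines are copied from the loopback capture above, and the `ts_gap` reading assumes both ends share one millisecond timestamp clock.

```python
import re

# Four lines copied verbatim from the loopback capture in the post.
CAPTURE = """\
12:45:56.113253 IP localhost.40786 > localhost.cslistener: Flags [P.], seq 1:557, ack 1, win 512, options [nop,nop,TS val 4256686870 ecr 4256686870], length 556
12:45:56.113256 IP localhost.cslistener > localhost.40786: Flags [.], ack 557, win 508, options [nop,nop,TS val 4256686870 ecr 4256686870], length 0
12:45:56.121528 IP localhost.cslistener > localhost.40026: Flags [R.], seq 1, ack 557, win 512, options [nop,nop,TS val 4256686878 ecr 4256686639], length 0
12:45:56.179288 IP localhost.cslistener > localhost.40766: Flags [R.], seq 1, ack 653, win 512, options [nop,nop,TS val 4256686936 ecr 4256686696], length 0
"""

HEAD = re.compile(r"^(\S+) IP (\S+) > (\S+): Flags \[([^\]]+)\]")
ACK = re.compile(r", ack (\d+)")
TS = re.compile(r"TS val (\d+) ecr (\d+)")


def find_resets(text, backend_port="cslistener"):
    """One record per RST segment; backend_port is the name tcpdump prints
    for the upstream port (9000 appears as "cslistener" in the capture)."""
    resets = []
    for line in text.splitlines():
        head = HEAD.match(line)
        if not head or "R" not in head.group(4):
            continue  # not a tcpdump TCP line, or no RST flag set
        when, src, dst, _flags = head.groups()
        src_port = src.rsplit(".", 1)[1]
        ack = ACK.search(line)
        ts = TS.search(line)
        resets.append({
            "time": when,
            "sender": src,
            "receiver": dst,
            "sent_by": "backend" if src_port == backend_port else "proxy",
            # Relative ack N means N-1 bytes received from the peer, counted
            # from the first segment tcpdump saw on this flow.
            "peer_bytes_acked": int(ack.group(1)) - 1 if ack else None,
            # TS val minus ecr. Assumption: both ends tick on one millisecond
            # clock, so this approximates ms since the peer's last echoed segment.
            "ts_gap": int(ts.group(1)) - int(ts.group(2)) if ts else None,
        })
    return resets


if __name__ == "__main__":
    for record in find_resets(CAPTURE):
        print(record)
```
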
