Google Cloud의 SSL 연결 문제

Google Cloud의 SSL 연결 문제

참고: 그 이후 얻은 새로운 통찰력을 바탕으로 질문을 편집했습니다.

gcloud에 네트워크 rl을 만들었습니다. rl(rlprod, rldev 등) 아래에 여러 개의 다른 서브넷이 있습니다. 환경(prod, dev 등)에 속하는 각 머신 세트에 대해 하나의 서브넷이 있습니다. gcloud를 시작한 이후 약 1년 정도는 정상적으로 작동해 왔습니다. 네트워크를 확장하는 동안 이 지역에서 허용되는 CPU 수로 인해 gcloud 한도에 도달하여 CPU 한도 증가 요청을 제출했습니다. CPU, 인스턴스 및 사용 중인 주소에 대한 할당량을 늘렸습니다.

이것이 어떻게 연결되어 있는지는 잘 모르겠지만 이 변경 이후로 HTTPS를 통해 한 인스턴스에서 다른 인스턴스로 파일을 가져오는 동안 네트워크 시간 초과가 발생하기 시작했습니다. 이것은 여러 달 동안 잘 작동했으며 아무 것도 변경되지 않았습니다.

HTTPS를 통한 요청은 시간 초과되는 경우가 많습니다. HTTP를 통한 요청이라도 약간의 지연이 발생하지만 나중에는 괜찮습니다. 다음은 클라이언트의 컬 요청과 서버의 해당 tcpdump 출력입니다.

HTTP를 통한 요청

$ curl -v --trace-time http://devops.rightleads.io/index.html -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     008:08:13.543225 *   Trying 35.185.203.219...
08:08:13.543298 * TCP_NODELAY set
08:08:13.544776 * Connected to devops.rightleads.io (35.185.203.219) port 80 (#0)
08:08:13.544823 > GET /index.html HTTP/1.1
08:08:13.544823 > Host: devops.rightleads.io
08:08:13.544823 > User-Agent: curl/7.52.1
08:08:13.544823 > Accept: */*
08:08:13.544823 > 
  0     0    0     0    0     0      0      0 --:--:--  0:00:31 --:--:--     008:08:45.657191 < HTTP/1.1 200 OK
08:08:45.657240 < Date: Wed, 28 Feb 2018 08:08:13 GMT
08:08:45.657250 < Server: Apache/2.4.10 (Debian)
08:08:45.657259 < Last-Modified: Thu, 09 Feb 2017 09:03:51 GMT
08:08:45.657268 < ETag: "29cd-54815428d497e"
08:08:45.657276 < Accept-Ranges: bytes
08:08:45.657285 < Content-Length: 10701
08:08:45.657294 < Vary: Accept-Encoding
08:08:45.657302 < Content-Type: text/html
08:08:45.657311 < 
08:08:45.657319 { [1153 bytes data]
 10 10701   10  1153    0     0     35      0  0:05:05  0:00:32  0:04:33   23608:08:45.658408 * Curl_http_done: called premature == 0
100 10701  100 10701    0     0    333      0  0:00:32  0:00:32 --:--:--  2756
08:08:45.658454 * Connection #0 to host devops.rightleads.io left intact
$ sudo tcpdump -n "port 80 and src 35.230.104.58"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:08:13.546229 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [S], seq 172215436, win 28400, options [mss 1420,sackOK,TS val 21806385 ecr 0,nop,wscale 7], length 0
08:08:13.547155 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 801446930, win 222, options [nop,nop,TS val 21806386 ecr 3110841935], length 0
08:08:13.547162 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [P.], seq 0:94, ack 1, win 222, options [nop,nop,TS val 21806386 ecr 3110841935], length 94: HTTP: GET /index.html HTTP/1.1
08:08:13.548043 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 1, win 240, options [nop,nop,TS val 21806386 ecr 3110841936,nop,nop,sack 1 {9857:10957}], length 0
08:08:33.567182 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 1, win 240, options [nop,nop,TS val 21811391 ecr 3110841936,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.659840 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 1409, win 262, options [nop,nop,TS val 21814414 ecr 3110849964,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.660284 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 2817, win 284, options [nop,nop,TS val 21814414 ecr 3110849964,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.660295 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 4225, win 306, options [nop,nop,TS val 21814414 ecr 3110849964,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.660637 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 5633, win 328, options [nop,nop,TS val 21814414 ecr 3110849964,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.660642 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 8449, win 372, options [nop,nop,TS val 21814414 ecr 3110849964,nop,nop,sack 1 {9857:10958}], length 0
08:08:45.660699 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [.], ack 10958, win 394, options [nop,nop,TS val 21814414 ecr 3110849964], length 0
08:08:45.660783 IP 35.230.104.58.42974 > 10.0.0.3.80: Flags [F.], seq 94, ack 10958, win 394, options [nop,nop,TS val 21814414 ecr 3110849964], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

HTTPS를 통한 요청

$ curl -v --trace-time https://devops.rightleads.io/index.html -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     008:13:05.388543 *   Trying 35.185.203.219...
08:13:05.388612 * TCP_NODELAY set
08:13:05.389866 * Connected to devops.rightleads.io (35.185.203.219) port 443 (#0)
08:13:05.390099 * ALPN, offering h2
08:13:05.390110 * ALPN, offering http/1.1
08:13:05.390157 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
08:13:05.397208 * successfully set certificate verify locations:
08:13:05.397517 *   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
08:13:05.397891 * TLSv1.2 (OUT), TLS header, Certificate Status (22):
08:13:05.398119 } [5 bytes data]
08:13:05.398525 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
08:13:05.398755 } [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:00:26 --:--:--     008:13:31.881118 * TLSv1.2 (IN), TLS handshake, Server hello (2):
08:13:31.881139 { [98 bytes data]
08:13:31.881572 * TLSv1.2 (IN), TLS handshake, Certificate (11):
08:13:31.881600 { [2482 bytes data]
08:13:31.882172 * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
08:13:31.882183 { [333 bytes data]
08:13:31.882355 * TLSv1.2 (IN), TLS handshake, Server finished (14):
08:13:31.882364 { [4 bytes data]
08:13:31.882628 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
08:13:31.882639 } [70 bytes data]
08:13:31.882663 * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
08:13:31.882671 } [1 bytes data]
08:13:31.882744 * TLSv1.2 (OUT), TLS handshake, Finished (20):
08:13:31.882753 } [16 bytes data]
08:13:31.882796 * Unknown SSL protocol error in connection to devops.rightleads.io:443 
08:13:31.882811 * Curl_http_done: called premature == 1
08:13:31.882829 * stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:--  0:00:26 --:--:--     0
08:13:31.882875 * Closing connection 0
curl: (35) Unknown SSL protocol error in connection to devops.rightleads.io:443 

$ sudo tcpdump -n "port 443 and src 35.230.104.58"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:13:05.391343 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [S], seq 626835610, win 28400, options [mss 1420,sackOK,TS val 21879347 ecr 0,nop,wscale 7], length 0
08:13:05.392187 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [.], ack 444717515, win 222, options [nop,nop,TS val 21879347 ecr 3110914897], length 0
08:13:05.400179 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [P.], seq 0:517, ack 1, win 222, options [nop,nop,TS val 21879349 ecr 3110914897], length 517
08:13:05.402478 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [.], ack 1, win 231, options [nop,nop,TS val 21879350 ecr 3110914899,nop,nop,sack 1 {2817:2938}], length 0
08:13:26.456426 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [.], ack 1, win 231, options [nop,nop,TS val 21884613 ecr 3110914899,nop,nop,sack 1 {2817:2939}], length 0
08:13:31.883439 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [.], ack 1409, win 253, options [nop,nop,TS val 21885970 ecr 3110921520,nop,nop,sack 1 {2817:2939}], length 0
08:13:31.883808 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [.], ack 2939, win 275, options [nop,nop,TS val 21885970 ecr 3110921520], length 0
08:13:31.885078 IP 35.230.104.58.41360 > 10.0.0.3.443: Flags [P.], seq 517:643, ack 2939, win 275, options [nop,nop,TS val 21885970 ecr 3110921520], length 126
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

답변1

이건 좀 더 심층적인 조사가 필요한 것 같습니다. 키워보시길 추천드려요공개 이슈 추적기프로젝트 번호(숫자만)로 입력하세요. 대신 프로젝트 ID를 쓰지 마세요. 생성되면 문제에 대한 링크를 제공해 주세요.

관련 정보