请教服务器迁移到国内后 twitter oauth 的 proxy 问题 ? Ruby China
如题,过去网站在linode上,现准备迁移到国内的UCloud,网站支持twitter oauth方式登录并且需要使用一些api,所以为了保证迁回国内后这部分功能可用,需要架设twitter api proxy
环境:debian 7 + ruby 1.9.3 + openssl 1.0.1e,已关闭防火墙
我尝试过了两个方案
1 利用GoAgent 3.0.1,然后设置omniauth的proxy到GoAgent端口,开发机osx 10.8正常,但是在ucloud上GoAgent日志
INFO - [Jun 28 02:48:04] 127.0.0.1:45539 "AGENT CONNECT :443 HTTP/1.1" - -
ERROR - [Jun 28 02:48:04] ssl.wrap_socket(self.connection=&socket at 0x1c90210 fileno=7 sock=127.0.0.1:8087&) failed: [Errno 1] _ssl.c:504: error::SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(twitter) Request phase initiated.
(twitter) Authentication failure! service_unavailable: OpenSSL::SSL::SSLError, SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
GoAgent开启关闭https mode结果均一样
使用curl测试curl
-x 127.0.0.1:8087测试,同样得到unknown ca的错误
-x 127.0.0.1:8087 --cacert /usr/local/goagent/local/CA.crt 则能获取到html
但是配置GoAgent的时候本身就会自动导入ca,经检查确实已经导入了***到/etc/ssl/certs,并且开发机不需要指定ca也能正常得到结果
测试数次,结果比较稳定
2 在linode的机器上用nginx来转发api实现proxy,nginx配置文件如下
access_log
/var/log/nginx/twitter.access_
location / {
proxy_pass
#proxy_set_header
#proxy_set_header
X-Forwarded-For $proxy_add_x_forwarded_
#proxy_set_header
proxy_pass_header
proxy_pass_header
proxy_pass_header
proxy_pass_header
proxy_pass_header
可以确定的是,请求内容完整的发送到proxy上了,但返回401 unauthorized
Started GET "/users/auth/twitter" for 127.0.0.1 at
03:17:32 +0800
OAuth::Unauthorized (401 Unauthorized):
oauth (0.4.7) lib/oauth/consumer.rb:216:in `token_request'
oauth (0.4.7) lib/oauth/consumer.rb:136:in `get_request_token'
omniauth-oauth (1.0.1) lib/omniauth/strategies/oauth.rb:29:in `request_phase'
omniauth-twitter (1.0.0) lib/omniauth/strategies/twitter.rb:63:in `request_phase'
omniauth (1.1.4) lib/omniauth/strategy.rb:214:in `request_call'
omniauth (1.1.4) lib/omniauth/strategy.rb:181:in `call!'
omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.1.4) lib/omniauth/strategy.rb:184:in `call!'
omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/error_collector.rb:12:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/agent_hooks.rb:22:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/browser_monitoring.rb:16:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/developer_mode.rb:28:in `call'
mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `block in call'
mongoid (3.1.4) lib/mongoid/unit_of_work.rb:39:in `unit_of_work'
mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `call'
warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
warden (1.2.1) lib/warden/manager.rb:34:in `catch'
warden (1.2.1) lib/warden/manager.rb:34:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.4.5) lib/rack/etag.rb:23:in `call'
rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/flash.rb:242:in `call'
rack (1.4.5) lib/rack/session/abstract/id.rb:210:in `context'
rack (1.4.5) lib/rack/session/abstract/id.rb:205:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/cookies.rb:341:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `_run__06208__call__7542957__callbacks'
activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.13) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
activesupport (3.2.13) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/reloader.rb:65:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
airbrake (3.1.12) lib/airbrake/rails/middleware.rb:13:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
railties (3.2.13) lib/rails/rack/logger.rb:32:in `call_app'
railties (3.2.13) lib/rails/rack/logger.rb:16:in `block in call'
activesupport (3.2.13) lib/active_support/tagged_logging.rb:22:in `tagged'
railties (3.2.13) lib/rails/rack/logger.rb:16:in `call'
quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
actionpack (3.2.13) lib/action_dispatch/middleware/request_id.rb:22:in `call'
rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
rack (1.4.5) lib/rack/runtime.rb:17:in `call'
activesupport (3.2.13) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.4.5) lib/rack/lock.rb:15:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/static.rb:63:in `call'
airbrake (3.1.12) lib/airbrake/user_informer.rb:16:in `_call'
airbrake (3.1.12) lib/airbrake/user_informer.rb:12:in `call'
railties (3.2.13) lib/rails/engine.rb:479:in `call'
railties (3.2.13) lib/rails/application.rb:223:in `call'
railties (3.2.13) lib/rails/railtie/configurable.rb:30:in `method_missing'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:145:in `handle'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:99:in `rescue in block (2 levels) in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:96:in `block (2 levels) in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `each'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `block in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `loop'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:13:in `run'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/bin/nack_worker:4:in `&main&'
里的提示尝试使用OAuth 2方式认证,nginx配置如下
access_log
/var/log/nginx/proxy.access_
# If your want to secure your proxy with SSL, replace with the appropriate SSL configuration.
listen 80;
# Replace this with the name of the domain you wish to run your proxy on.
# The Twitter proxy code!
location / {
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-C
# Hide Twitter's own caching headers - we're applying our own.
proxy_hide_header X-Accel-E
proxy_hide_header E
proxy_hide_header Cache-C
proxy_hide_
proxy_hide_header set-
proxy_pass_header Content-
proxy_pass_header WWW-A
# Set the correct host name to connect to the Twitter API.
proxy_set_header H
# Add authentication headers - edit and add in your own bearer token.
proxy_set_header Authorization "Bearer 哔~~~";
# Actually proxy the request to Twitter API!
返回403 Forbidden
Started GET "/users/auth/twitter" for 127.0.0.1 at
03:14:45 +0800
OAuth::Unauthorized (403 Forbidden):
oauth (0.4.7) lib/oauth/consumer.rb:216:in `token_request'
oauth (0.4.7) lib/oauth/consumer.rb:136:in `get_request_token'
omniauth-oauth (1.0.1) lib/omniauth/strategies/oauth.rb:29:in `request_phase'
omniauth-twitter (1.0.0) lib/omniauth/strategies/twitter.rb:63:in `request_phase'
omniauth (1.1.4) lib/omniauth/strategy.rb:214:in `request_call'
omniauth (1.1.4) lib/omniauth/strategy.rb:181:in `call!'
omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.1.4) lib/omniauth/strategy.rb:184:in `call!'
omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/error_collector.rb:12:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/agent_hooks.rb:22:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/browser_monitoring.rb:16:in `call'
newrelic_rpm (3.6.4.122) lib/new_relic/rack/developer_mode.rb:28:in `call'
mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `block in call'
mongoid (3.1.4) lib/mongoid/unit_of_work.rb:39:in `unit_of_work'
mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `call'
warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
warden (1.2.1) lib/warden/manager.rb:34:in `catch'
warden (1.2.1) lib/warden/manager.rb:34:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.4.5) lib/rack/etag.rb:23:in `call'
rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/flash.rb:242:in `call'
rack (1.4.5) lib/rack/session/abstract/id.rb:210:in `context'
rack (1.4.5) lib/rack/session/abstract/id.rb:205:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/cookies.rb:341:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `_run__06208__call__7542957__callbacks'
activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.13) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
activesupport (3.2.13) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/reloader.rb:65:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
airbrake (3.1.12) lib/airbrake/rails/middleware.rb:13:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
railties (3.2.13) lib/rails/rack/logger.rb:32:in `call_app'
railties (3.2.13) lib/rails/rack/logger.rb:16:in `block in call'
activesupport (3.2.13) lib/active_support/tagged_logging.rb:22:in `tagged'
railties (3.2.13) lib/rails/rack/logger.rb:16:in `call'
quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
actionpack (3.2.13) lib/action_dispatch/middleware/request_id.rb:22:in `call'
rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
rack (1.4.5) lib/rack/runtime.rb:17:in `call'
activesupport (3.2.13) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.4.5) lib/rack/lock.rb:15:in `call'
actionpack (3.2.13) lib/action_dispatch/middleware/static.rb:63:in `call'
airbrake (3.1.12) lib/airbrake/user_informer.rb:16:in `_call'
airbrake (3.1.12) lib/airbrake/user_informer.rb:12:in `call'
railties (3.2.13) lib/rails/engine.rb:479:in `call'
railties (3.2.13) lib/rails/application.rb:223:in `call'
railties (3.2.13) lib/rails/railtie/configurable.rb:30:in `method_missing'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:145:in `handle'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:99:in `rescue in block (2 levels) in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:96:in `block (2 levels) in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `each'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `block in start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `loop'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `start'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:13:in `run'
/Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/bin/nack_worker:4:in `&main&'
另外,我大概看过一些twiiter api proxy工具,都比较老,还在使用即将作废的1.0版api,所以就不考虑了
有什么好的国内主机使用twitter oauth api的方案?
我感觉我想到的两个方案理论上都是可行的,但哪里出问题或者我没考虑到导致失败呢?
有什么办法截取代理服务器出去的包?tcpdump nc都是针对socket的,对于只想观察request来说 非常重,而且难用。。。
http proxy 是明文的, 和直接访问没区别, 必墙...
goagent 原理应该和 gapproxy 差不多, 就算加了***, 由于服务器是知道连接内容的, 改不了中间人角色, 必然 ssl 验证不通过.
socks 隧道型的就没这个问题. 本地开个 shadowsocks / stochastic-socks 客户端, 然后用本地的 socks5 代理就可以了. 防火墙不用关.
如果不需要跑国内请求, 可以用 socksify-ruby 猴子补丁掉 Net::HTTP, 就不用改任何代码了.
如果熟悉 oauth 原理, 用 curl 跑 oauth 也很简单... curl --socks5-hostname localhost:6789 ...
还有一个办法是配置 ***
忘记了...没用socks主要是担心长期保持连接会封掉linode的ip,坛子里貌似有一些先例吧?我也说不好...现在有点迷糊
ssh 隧道是有这个问题, 只有一个连接 hang 住, 而且并发时很卡, 不开混淆的话特征很容易学习, 但 s*socks 是每请求一个连接非阻塞的, 特征和 ssh 不同, 暂时好像还没出问题 (将来咋样我也说不好...)
唔 那我就尝试一下
吕哥一席话,胜读十年书啊!
对于这种情况,我是死活都不会让老板把服务器移到国内的,太折腾了
方法1, 是因为中间人***警告?设置忽略试试看:
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
睡醒之后 表示。。。没理解 - - 你能详细的讲讲么,如果是这样的话,goagent这类工具是怎么达到翻墙目的的?
cool...简单粗暴。。
昨天没仔细看贴,嫌太粗暴的话,你试试看设置ca file应该也可以。
config.omniauth :twitter, "xxx", "xxx", {:scope =& 'xxx,xxx', :client_options =& {:ssl =& {:ca_file =& '/usr/local/goagent/local/CA.crt'}}}
因为 goagent 部署在 appengine 的限制, 远端是只能用 http client 连接而不能直接开 TCP socket, 而 http client 必须知道连接的内容 (header, path 之类的), 所以不算加密传输层... 隧道是服务器不知道连接的内容, 收到什么就发什么
不忽略***的话, 可能要自己生成域名为
goagent似乎包含twitter假***的,我好像翻过***文件
有些东西必须国内才能做的,我也不喜欢国内的主机
解决ssl***之后还有一个坑,有时候Ruby 2.0 的net库在做inflate的时候会触发Zlib::DataError: incorrect header check,omniauth走proxy进行oauth的时候刚好会触发,不太懂原理,能讲讲么?
这是两篇讨论
查了些资料, 做过处理,免疫这个问题。
于是效法他,我写了个很脏的猴子补丁
omniauth 走的什么类型的 proxy? http?
如果是 goagent, 可能是它没处理好 header 的原因
如果原本的响应是 transfer-encoding: chunked, 然后 goagent 把 body decode 出来, 加上 content-length 返回给你, 但没有删除 chunked 项, 客户端就按照 chunked 去 decode 已经 decode 过的内容...
响应 header 中包含 transfer-encoding: chunked 的时候, 客户端就不去读 content-length, 而是一段一段的读内容, 往往适用于发 header 的时候还不知道 body 有多长的情况. chunked encoding 的 body 里, 每段内容以 16 进制数字标识这段内容的长度, 接着是对应长度的数据, 后面再接上 "\r\n" 做分隔符. 当碰到
"\0\r\n\r\n" 的时候, body 就结束了.
content-encoding: gzip 是在处理完 transfer-encoding 后处理的, 就是把内容扔给 gzip 去解压.
Net::HTTP 对两种 header 都做了考虑. 除非 header 被 http 代理搞乱掉 (解压了却没删掉 content-encoding, 或者解码了 chunked 缺忘记改 transfer-encoding), 是不会出问题的.
隧道代理就完全不会出 http 代理的这种问题.
后方可回复, 如果你还没有账号请点击这里 。
共收到 17 条回复当前位置: >>
谷歌chrome浏览器goagent经常出现403. That’s an error.的解决方法
网页显示403. That’s an error 的解决方法。转载自百度经验/article/aad228.html使用 Goagent 打开网页,经常出现403. That’s an error.下面是解 决的方法。
方法/步骤 1、找到打开 Go*gent 的文件目录。 可以在桌面上右键--&Go*gent 的图标--&属性--&查找目标。�2、在文件目录中的“proxy.ini”配置文件中,用记事本打开。3 、 在 打 开 的 文 件 中 , 找 到 &profile = google_CN& , 将 &google_cn& 改 成 &google_hk&。然后保存关闭文件。关闭浏览器和 Go*gent,重新打开上网,问 题解决。注意事项以上图片文字为原著作者原创,如需转载,请注明出处!
