nginx 使用“listen ssl”不行，反倒是使用过时的“ssl on”才行，太奇怪了

如题，新搭建的服务器，上面要用 NGINX 做反向代理，然后之前的配置不知道为什么不生效，提示 ERR_SSL_PROTOCOL_ERROR，看日志也是不走 SSL，折腾了一圈也不行，后来又新建了一台虚拟机，用 yum 安装 nginx 和 openssl，
信息如下：

nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

然后配置如下：

# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

# Settings for a TLS enabled server.
#
server {
listen 443 ssl http2 default_server;
listen 80;
listen [::]:443 ssl http2 default_server;
keepalive_timeout 70;
server_name www.xxx.com xxx.top;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/xxx.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/xxx.com/privkey.pem";
ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

client_max_body_size 100m;
# index index.php;

location / {
proxy_pass http://192.168.20.197;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Cookie $http_cookie;
chunked_transfer_encoding off;
}

error_page 404 /404.html;
location = /40x.html {
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}

怎么样都不行，然后不得已，加了个 ssl on，结果虽然检查说已经过时了，但是反而能用了。

这是什么鬼？昨天搞到今天实在是抓狂了，谷歌翻了个遍也没找到原因，哪位大哥来给指点下？

ssbg2

2020-10-15 09:09:37 +08:00

@jjeyz 看 access_log 是这样:
192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x89%\x07\xE2\xA9\x05\x8B\xF5\x98\x1A\xBCz\xEDs\x13T\x07m\xF1\xF17\xA5\xBB\x1C\xECo0G\x05G\x94q h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22" 400 157 "-" "-" "-"
192.168.20.252 - - [14/Oct/2020:10:55:39 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x8E\x04\x12\xD2\x9D\x5Cmjz\xF6u\x85\x03\xCD\xB1\xC6\xF8#\xA5\xE4d\xD24\x91\x05t\xC9\x03\xEE\xD9/\xE8 h\xA8\xDF>U^\xD0\x86\xBA\xA8\xF6\x022\x84x\xCBc1\x19\x07\xCB\x9B\xA5\xC5\x22OE\xD0-.\xF9l\x00\x22\x8A\x8A\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-" "-"
192.168.20.252 - - [14/Oct/2020:10:55:40 +0800] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x15jBHy{\x03" 400 157 "-" "-" "-"

看错误信息是这样：
2020/10/14 01:13:08 [debug] 28989#0: epoll: fd:14 ev:2001 d:00007F1D66D6F2E1
2020/10/14 01:13:08 [debug] 28989#0: *103 http check ssl handshake
2020/10/14 01:13:08 [debug] 28989#0: *103 http recv(): 0
2020/10/14 01:13:08 [info] 28989#0: *103 client closed connection while SSL handshaking, client: 192.168.20.252, server: 0.0.0.0:80
2020/10/14 01:13:08 [debug] 28989#0: *103 close http connection: 14
2020/10/14 01:13:08 [debug] 28989#0: *103 event timer del: 14: 28423684
2020/10/14 01:13:08 [debug] 28989#0: *103 reusable connection: 0
2020/10/14 01:13:08 [debug] 28989#0: *103 free: 000055CC9FDA3450, unused: 232
2020/10/14 01:13:08 [debug] 28989#0: timer delta: 0
2020/10/14 01:13:08 [debug] 28989#0: worker cycle
2020/10/14 01:13:08 [debug] 28989#0: epoll timer: -1
2020/10/14 01:14:01 [debug] 28987#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28988#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28991#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28990#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28984#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28985#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28987#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28988#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28983#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28991#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28990#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28992#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28984#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28985#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28983#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28992#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28986#0: epoll: fd:7 ev:0001 d:00007F1D66D6F100
2020/10/14 01:14:01 [debug] 28991#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28990#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28986#0: accept on 0.0.0.0:80, ready: 0
2020/10/14 01:14:01 [debug] 28984#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28983#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28987#0: posix_memalign: 000055CC9FDA3450:512 @16
2020/10/14 01:14:01 [debug] 28988#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28991#0: timer delta: 53074
2020/10/14 01:14:01 [debug] 28985#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28992#0: accept() not ready (11: Resource temporarily unavailable)
2020/10/14 01:14:01 [debug] 28990#0: timer delta: 53074
2020/10/14 01:14:01 [debug] 28984#0: timer delta: 53074
2020/10/14 01:14:01 [debug] 28983#0: timer delta: 53074
2020/10/14 01:14:01 [debug] 28987#0: *104 accept: 192.168.20.252:25694 fd:20
2020/10/14 01:14:01 [debug] 28986#0: accept() not ready (11: Resource temporarily unavailable)