1

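For the past few weeks I have been fighting a bug that is driving me crazy. Please help!

Here are the symptoms:

If the user is not logged in to GMail, he can log in to my site without any problem (using GMail OpenID). This will obviously prompt the user to authenticate in GMail first.

However, if the user is already authenticated in GMail, he sees a 502 error page generated by nginx.

This only happens to a few users (I'm not one of them), one of whom kindly reported it and even made a video to demonstrate:

http://rvzt.net/Temp/google-freedomsponsors.webm

Isn't that weird?

I added some debug lines to django-social-auth in production to try to understand what is going on (here, just do ctrl+f + 'logger' to find my changes).

With this setup, a healthy login attempt floods my (django) log file with something like this: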

```
2013-09-06 11:19:26,659 [DEBUG] social_auth.backends: auth_complete ARGS=(), KWARGS={...}
2013-09-06 11:19:26,666 [DEBUG] social_auth.backends: response and status <openid.consumer.consumer.SuccessResponse id='https://id.mixi.jp/10452407' signed=[u'openid.mode', u'openid.claimed_id', u'openid.identity', u'openid.op_endpoint', u'openid.return_to', u'openid.response_nonce', u'openid.assoc_handle', u'openid.ax.type.nickname', u'openid.ns.ax', u'openid.ax.mode', u'openid.ax.value.nickname']> / success
2013-09-06 11:19:26,675 [DEBUG] social_auth.views: got user: 5ca95b48317944cd87b7d5af4b6e77
2013-09-06 11:19:26,683 [DEBUG] social_auth.views: return redirect to: /
```

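However, the failed login attempts of this particular user produce no output at all in django's log file. So it is not even reaching the view method.

There are some logs on nginx, though.

Here is what a bad login attempt looks like (in /var/log/nginx/access.log):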

```
130.225.243.86 - - [03/Sep/2013:13:23:39 +0000] "GET /complete/google/?janrain_nonce=2013-09-03T13%3A23%XXXXXXXXXXX&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-09-03T13%3A23%3A38Zh5WrngwxTu2ByQ&openid.return_to=http%3A%2F%2Ffreedomsponsors.org%2Fcomplete%2Fgoogle%2F%3Fjanrain_nonce%3D2013-09-03T13%253A23%253XXXXXXXXXX&openid.assoc_handle=1.AMlYXXXXXXXXXXXXr5MKoxu-_k_-3cnkXXXXXXXXXXXXXXXXXXXXXXgdEpo3HOg&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.old_email%2Cext1.value.old_email%2Cext1.type.first_name%2Cext1.value.first_name%2Cext1.type.last_name%2Cext1.value.last_name%2Cext1.type.email%2Cext1.value.email&openid.sig=3n46MUyn8wIIWpvYIJXj%2BeZqC7o%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmGmlrjd-OuXXXXXXXXXXXXXXXtIXGpMJQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmGmlrjd-OuXXXXXXXXXXXXXXXXIXGpMJQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.old_email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.old_email=xxxxxxxxx.junior%40gmail.com&openid.ext1.type.first_name=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.first_name=Bastian&openid.ext1.type.last_name=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.last_name=Hougaard&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.email=xxxxxxxxx.junior%40gmail.com HTTP/1.1" 502 575 "http://freedomsponsors.org/login/google/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36"
```

This is always accompanied by an entry in /var/log/nginx/errors.log, such as:

```
2013/09/06 10:46:06 [error] 667#0: *116533 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 130.225.198.129, server: freedomsponsors.org, request: "GET //complete/google/?janrain_nonce=2013-09-03T13%3A23%XXXXXXXXXXX&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-09-03T13%3A23%3A38Zh5WrngwxTu2ByQ&openid.return_to=http%3A%2F%2Ffreedomsponsors.org%2Fcomplete%2Fgoogle%2F%3Fjanrain_nonce%3D2013-09-03T13%253A23%253XXXXXXXXXX&openid.assoc_handle=1.AMlYXXXXXXXXXXXr5MKoxu-_k_-3cnkXXXXXXXXXXXXXXXXXXXXXXgdEpo3HOg&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.old_email%2Cext1.value.old_email%2Cext1.type.first_name%2Cext1.value.first_name%2Cext1.type.last_name%2Cext1.value.last_name%2Cext1.type.email%2Cext1.value.email&openid.sig=3n46MUyn8wIIWpvYIJXj%2BeZqC7o%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmGmlrjd-OuXXXXXXXXXXXXXXXtIXGpMJQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmGmlrjd-OuXXXXXXXXXXXXXXXXIXGpMJQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.old_email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.old_email=xxxxxxxxx.junior%40gmail.com&openid.ext1.type.first_name=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.first_name=Bastian&openid.ext1.type.last_name=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.last_name=Hougaard&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.email=xxxxxxxxx.junior%40gmail.com HTTP/1.1", upstream: "uwsgi://unix:///tmp/frespo.sock:", host: "freedomsponsors.org", referrer: "http://freedomsponsors.org/login/google/"
```

A good login attempt looks the same (in access.log), but instead of ending with

```
502 575 "http://freedomsponsors.org/login/google/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36"
```

it ends with

```
302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36"
```

And of course, it does not generate any entry in error.log.

My production environment is a standard nginx + uwsgi setup with a file socket, just like this tutorial says --> https://uwsgi.readthedocs.org/en/latest/tutorials/Django_and_nginx.html

I appreciate any help you can give!

4

1 Answer

7

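Victory!!!

After some research, I found that uwsgi has a `--daemonize` option that directs the uwsgi logs to a file.

With that enabled, I started seeing errors like `invalid request block size: 4167 (max 4096)...skip`

So I added another configuration option: `buffer-size = 8192` and the problem went away.

Many thanks to Bastian, who helped me debug this problem!

answered 2013-09-08T12:52:06.933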
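
The size check behind `invalid request block size`, as an added example that is not part of the original answer: it serializes request variables with the uwsgi protocol's length-prefixed encoding (16-bit little-endian length before each key and value) and compares the result with `buffer-size`. The variable subset in `build_env`, the host `example.org`, and the padded query strings and cookie are constructed assumptions.

```python
import struct

UWSGI_DEFAULT_BUFFER = 4096  # the "max 4096" reported in the uwsgi log line

PATH = "/complete/google/"
# Constructed sample inputs: a short callback and a long one (many openid.ext1.* attributes).
SHORT_QUERY = "openid.mode=id_res&pad=" + "x" * 500
LONG_QUERY = "openid.mode=id_res&pad=" + "x" * 1900
HEADERS = {"Host": "example.org", "Cookie": "sessionid=" + "c" * 200}


def encode_uwsgi_vars(env):
    """Serialize vars: 16-bit LE length + bytes, for the key and then for the value."""
    body = b""
    for key, value in env.items():
        k, v = key.encode(), value.encode()
        body += struct.pack("<H", len(k)) + k + struct.pack("<H", len(v)) + v
    return body


def request_block_size(env):
    """Size of the vars block, the number uwsgi compares against buffer-size."""
    return len(encode_uwsgi_vars(env))


def build_env(path, query, headers):
    """Approximate subset of the vars nginx forwards (assumed, not the full uwsgi_params)."""
    env = {
        "QUERY_STRING": query,
        "REQUEST_METHOD": "GET",
        "REQUEST_URI": path + "?" + query,  # the query string is carried a second time here
        "PATH_INFO": path,
        "SERVER_PROTOCOL": "HTTP/1.1",
        "SERVER_NAME": "example.org",
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def fits(env, buffer_size=UWSGI_DEFAULT_BUFFER):
    """True when the request would be accepted with the given buffer-size."""
    return request_block_size(env) <= buffer_size


if __name__ == "__main__":
    for label, query in (("short", SHORT_QUERY), ("long", LONG_QUERY)):
        env = build_env(PATH, query, HEADERS)
        print(label, request_block_size(env), fits(env), fits(env, 8192))
```

Because the query string is sent in both `QUERY_STRING` and `REQUEST_URI`, every extra byte in the OpenID callback costs two bytes of buffer, with cookies and other headers added on top.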