Feiniu Sync (飞牛同步) cannot connect to the NAS and shows an abnormal status because of the TLS version

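Reverse proxy: Traefik

Feiniu (fnOS) version: fnos 1.1.23

Feiniu server side: 0.19.0

Client version: V0.1.8

Symptom: Today I wanted to try out Feiniu Sync. After I entered the account and password in the pop-up window, it reported that it could not connect to the NAS. The internal network works normally. The log shows a reqwest error exception.

Solution: Lowering Traefik's minimum TLS version to 1.2 resolved the fault.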

1. Feiniu Sync log:
[INFO][fnsync_rs::files::fnotify] open websocket: wss://fnos.example.com/sync/event/register with sessionid: [REDACTED-UUID]
[WARN][fnsync_rs::files::fnotify] ws connect failed: reqwest error, retry ...

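Traefik log: ordinary front-end assets (such as .css and .js) all return status: 200 normally, since the web page is accessible, but the long-lived connection /websocket?type=main returns DownstreamStatus: 0, and some /sync/ requests never enter the HTTP access log at all (this may not be accurate, but the problem is solved).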

{"ClientAddr":"2.2.2.2:57349","ClientHost":"2.2.2.2","ClientPort":"57349","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":0,"Duration":5558143042,"RequestAddr":"fnos.example.com","RequestContentSize":0,"RequestCount":86,"RequestHost":"fnos.example.com","RequestMethod":"GET","RequestPath":"/websocket?type=main","RequestPort":"88","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RouterName":"fnos-router@file","ServiceAddr":"192.168.0.7:5667","ServiceName":"fnos-service@file","ServiceURL":"https://192.168.0.7:5667","SpanId":"a0baeea804f7243e","TraceId":"d3dbfa7c2eb1e38294b8f40ea9e60425","entryPointName":"websecure","level":"info","msg":"","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0","time":"2026-03-01T22:39:19+08:00"}

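2. Analysis and troubleshooting

The missing sync request: the real protagonist of the error in the log is wss://fnos.../sync/event/register, but it does not appear in the Traefik access log, which suggests that this connection probably died before the HTTP layer (that is, during the TCP three-way handshake or the TLS handshake). My inference is that the reqwest library in the Feiniu Sync client may have a compatibility problem with Traefik during the TLS 1.3 handshake (for example in the ALPN extension or cipher suite negotiation), causing the connection to be cut off by a TCP RST. Suspected TLS protocol incompatibility: my Traefik enforced TLS 1.3, which caused the handshake to fail.

4. Fix: lower the global TLS threshold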
tls:
  options:
    default:
      # [Fix] Downgrade VersionTLS13 to VersionTLS12
      minVersion: VersionTLS12
      sniStrict: true
      # Keep strong cipher suites so that TLS 1.2 still provides a high level of security
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - X25519
        - CurveP256

Service restored.
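The log correlation used in the analysis above, as an added example that is not part of the original post and is not code from Feiniu or Traefik: it takes the WebSocket URLs the sync client says it opened and checks what the proxy's JSON access log recorded for them. The function names and result labels are hypothetical, the sample log lines are constructed from the ones quoted in the post, and "absent" only means the request was not logged at the HTTP layer, which is consistent with (not proof of) a failure during the TCP or TLS handshake.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the two logs quoted in the post.
CLIENT_LOG = """\
[INFO][fnsync_rs::files::fnotify] open websocket: wss://fnos.example.com/sync/event/register with sessionid: [REDACTED-UUID]
[WARN][fnsync_rs::files::fnotify] ws connect failed: reqwest error, retry ...
"""
ACCESS_LOG = """\
{"RequestHost":"fnos.example.com","RequestPath":"/static/app.js","DownstreamStatus":200,"entryPointName":"websecure"}
{"RequestHost":"fnos.example.com","RequestPath":"/websocket?type=main","DownstreamStatus":0,"entryPointName":"websecure"}
not-json line that a real log file may contain
"""

def client_targets(client_log):
    """Return (host, path) for every ws/wss URL the client says it opened."""
    urls = re.findall(r"open websocket: (wss?://\S+)", client_log)
    return [(u.hostname, u.path) for u in map(urlsplit, urls)]

def index_access_log(access_log):
    """Map (host, path without query) -> list of DownstreamStatus values."""
    seen = {}
    for line in access_log.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the triage
        if not isinstance(rec, dict):
            continue
        key = (rec.get("RequestHost"), urlsplit(rec.get("RequestPath") or "").path)
        seen.setdefault(key, []).append(rec.get("DownstreamStatus"))
    return seen

def triage(client_log, access_log):
    """Classify each client target by what the proxy's HTTP layer recorded."""
    seen = index_access_log(access_log)
    result = {}
    for target in client_targets(client_log):
        statuses = seen.get(target)
        if statuses is None:
            result[target] = "absent"    # never logged: look below HTTP (TCP/TLS)
        elif any(statuses):
            result[target] = "served"    # at least one non-zero HTTP status
        else:
            result[target] = "status0"   # logged, but no HTTP status recorded
    return result
```

An "absent" result is the cue to compare the proxy's TLS options (such as `minVersion`) with what the client can negotiate, rather than to look at routers or middlewares.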
