Nginx HTTP/2 over TLS 访问报 400，有熟悉的同学吗？

最近在写一个 HTTP/2 的代理。如果是不带 TLS 的话，是可以正常工作的，

 server { listen 8443 http2; location / { error_log /Users/jiajun/nginx_error_log.log debug; grpc_pass grpc://127.0.0.1:2017; } } 

执行一下：

$ go run example/grpc_client/main.go calling to 127.0.0.1:2019 2019/01/28 11:50:46 gonna call c.SayHello... 2019/01/28 11:50:46 Greeting: Hello world 

Nginx 日志是:

127.0.0.1 - - [28/Jan/2019:11:50:46 +0800] "POST /helloworld.Greeter/SayHello HTTP/2.0" 200 18 "-" "grpc-go/1.16.0" "-" 

加证书之后:

 server { listen 8443 ssl http2; ssl_certificate /Users/jiajun/127.0.0.1.crt; ssl_certificate_key /Users/jiajun/127.0.0.1.key; location / { error_log /Users/jiajun/nginx_error_log.log debug; grpc_pass grpc://127.0.0.1:2017; } } 

执行一下:

$ go run example/grpc_client/main.go calling to 127.0.0.1:2019 2019/01/28 11:53:06 gonna call c.SayHello... 2019/01/28 11:53:06 could not greet: rpc error: code = Unavailable desc = transport is closing exit status 1 

Nginx 日志:

 127.0.0.1 - - [28/Jan/2019:11:53:06 +0800] "PRI * HTTP/2.0" 400 157 "-" "-" "-" 

有同学遇到同样的问题吗？

此外，可以写一个简单的 demo 复现问题：

package main import ( "crypto/tls" "log" ) func main() { backendConn, err := tls.Dial("tcp", "127.0.0.1:8443", &tls.Config{InsecureSkipVerify: true}) if err != nil { log.Printf("failed to dial: %s", err) } if _, err := backendConn.Write([]byte("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")); err != nil { log.Printf("failed to write: %s", err) } b := make([]byte, 4096) if _, err := backendConn.Read(b); err != nil { log.Printf("failed to read: %s", err) } log.Printf("result: %s", b) } 

结果：

$ go run main.go 2019/01/28 14:59:50 result: HTTP/1.1 400 Bad Request Server: nginx/1.15.8 Date: Mon, 28 Jan 2019 06:59:50 GMT Content-Type: text/html Content-Length: 157 Connection: close <html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx/1.15.8</center> </body> </html>