请教服务器迁移到国内后 twitter oauth 的 proxy 问题

如题，过去网站在linode上，现准备迁移到国内的UCloud，网站支持twitter oauth方式登录并且需要使用一些api，所以为了保证迁回国内后这部分功能可用，需要架设twitter api proxy 环境：debian 7 + ruby 1.9.3 + openssl 1.0.1e，已关闭防火墙 我尝试过了两个

如题，过去网站在linode上，现准备迁移到国内的UCloud，网站支持twitter oauth方式登录并且需要使用一些api，所以为了保证迁回国内后这部分功能可用，需要架设twitter api proxy
环境：debian 7 + ruby 1.9.3 + openssl 1.0.1e，已关闭防火墙
我尝试过了两个方案
1 利用GoAgent 3.0.1，然后设置omniauth的proxy到GoAgent端口，开发机osx 10.8正常，但是在ucloud上GoAgent日志

INFO - [Jun 28 02:48:04] 127.0.0.1:45539 "AGENT CONNECT api.twitter.com:443 HTTP/1.1" - -
ERROR - [Jun 28 02:48:04] ssl.wrap_socket(self.connection=) failed: [Errno 1] _ssl.c:504: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

rails日志

(twitter) Request phase initiated.
(twitter) Authentication failure! service_unavailable: OpenSSL::SSL::SSLError, SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

GoAgent开启关闭https mode结果均一样
使用curl测试curl https://api.twitter.com -x 127.0.0.1:8087测试，同样得到unknown ca的错误
但是curl https://api.twitter.com -x 127.0.0.1:8087 --cacert /usr/local/goagent/local/CA.crt 则能获取到html
但是配置GoAgent的时候本身就会自动导入ca，经检查确实已经导入了证书到/etc/ssl/certs，并且开发机不需要指定ca也能正常得到结果
测试数次，结果比较稳定

2 在linode的机器上用nginx来转发api实现proxy，nginx配置文件如下

server {
    listen          80;
    server_name     kexue.knewone.com;
    access_log      /var/log/nginx/twitter.access_log;
    location / {
        proxy_pass              https://api.twitter.com/;
        proxy_redirect          off;
        proxy_buffering off;
        proxy_cache off;
        #proxy_set_header        X-Real-IP       $remote_addr;
        #proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header       cookie          $http_cookie;
        proxy_pass_header       User-Agent;
        proxy_pass_header       Authorization;
        proxy_pass_header       Content-Type;
        proxy_pass_header       WWW-Authenticate;
        proxy_pass_header       Host;
    }
}

可以确定的是，请求内容完整的发送到proxy上了，但返回401 unauthorized
rails日志

Started GET "/users/auth/twitter" for 127.0.0.1 at 2013-06-28 03:17:32 +0800
OAuth::Unauthorized (401 Unauthorized):
  oauth (0.4.7) lib/oauth/consumer.rb:216:in `token_request'
  oauth (0.4.7) lib/oauth/consumer.rb:136:in `get_request_token'
  omniauth-oauth (1.0.1) lib/omniauth/strategies/oauth.rb:29:in `request_phase'
  omniauth-twitter (1.0.0) lib/omniauth/strategies/twitter.rb:63:in `request_phase'
  omniauth (1.1.4) lib/omniauth/strategy.rb:214:in `request_call'
  omniauth (1.1.4) lib/omniauth/strategy.rb:181:in `call!'
  omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.1.4) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/error_collector.rb:12:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/agent_hooks.rb:22:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/browser_monitoring.rb:16:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/developer_mode.rb:28:in `call'
  mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `block in call'
  mongoid (3.1.4) lib/mongoid/unit_of_work.rb:39:in `unit_of_work'
  mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `call'
  warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.1) lib/warden/manager.rb:34:in `catch'
  warden (1.2.1) lib/warden/manager.rb:34:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/flash.rb:242:in `call'
  rack (1.4.5) lib/rack/session/abstract/id.rb:210:in `context'
  rack (1.4.5) lib/rack/session/abstract/id.rb:205:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
  activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `_run__53745951561906208__call__2319728286447542957__callbacks'
  activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.13) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
  activesupport (3.2.13) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/reloader.rb:65:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  airbrake (3.1.12) lib/airbrake/rails/middleware.rb:13:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.13) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.13) lib/rails/rack/logger.rb:16:in `block in call'
  activesupport (3.2.13) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.13) lib/rails/rack/logger.rb:16:in `call'
  quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
  actionpack (3.2.13) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  activesupport (3.2.13) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/static.rb:63:in `call'
  airbrake (3.1.12) lib/airbrake/user_informer.rb:16:in `_call'
  airbrake (3.1.12) lib/airbrake/user_informer.rb:12:in `call'
  railties (3.2.13) lib/rails/engine.rb:479:in `call'
  railties (3.2.13) lib/rails/application.rb:223:in `call'
  railties (3.2.13) lib/rails/railtie/configurable.rb:30:in `method_missing'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:145:in `handle'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:99:in `rescue in block (2 levels) in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:96:in `block (2 levels) in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `each'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `block in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `loop'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:13:in `run'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/bin/nack_worker:4:in `'

另外有篇 文章 里的提示尝试使用OAuth 2方式认证，nginx配置如下

server {
  access_log      /var/log/nginx/proxy.access_log;
  # If your want to secure your proxy with SSL, replace with the appropriate SSL configuration.
  listen 80;
  # Replace this with the name of the domain you wish to run your proxy on.
  server_name kexue.knewone.com;
  # The Twitter proxy code!
  location / {
    proxy_buffering off;
    proxy_cache off;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
    # Hide Twitter's own caching headers - we're applying our own.
    proxy_hide_header X-Accel-Expires;
    proxy_hide_header Expires;
    proxy_hide_header Cache-Control;
    proxy_hide_header pragma;
    proxy_hide_header set-cookie;
    proxy_pass_header Content-type;
    proxy_pass_header WWW-Authenticate;
    # Set the correct host name to connect to the Twitter API.
    proxy_set_header Host api.twitter.com;
    # Add authentication headers - edit and add in your own bearer token.
    proxy_set_header Authorization "Bearer 哔～～～";
    # Actually proxy the request to Twitter API!
    proxy_pass https://api.twitter.com;
  }

返回403 Forbidden
rails日志

Started GET "/users/auth/twitter" for 127.0.0.1 at 2013-06-28 03:14:45 +0800
OAuth::Unauthorized (403 Forbidden):
  oauth (0.4.7) lib/oauth/consumer.rb:216:in `token_request'
  oauth (0.4.7) lib/oauth/consumer.rb:136:in `get_request_token'
  omniauth-oauth (1.0.1) lib/omniauth/strategies/oauth.rb:29:in `request_phase'
  omniauth-twitter (1.0.0) lib/omniauth/strategies/twitter.rb:63:in `request_phase'
  omniauth (1.1.4) lib/omniauth/strategy.rb:214:in `request_call'
  omniauth (1.1.4) lib/omniauth/strategy.rb:181:in `call!'
  omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.1.4) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.1.4) lib/omniauth/strategy.rb:164:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/error_collector.rb:12:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/agent_hooks.rb:22:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/browser_monitoring.rb:16:in `call'
  newrelic_rpm (3.6.4.122) lib/new_relic/rack/developer_mode.rb:28:in `call'
  mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `block in call'
  mongoid (3.1.4) lib/mongoid/unit_of_work.rb:39:in `unit_of_work'
  mongoid (3.1.4) lib/rack/mongoid/middleware/identity_map.rb:34:in `call'
  warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.1) lib/warden/manager.rb:34:in `catch'
  warden (1.2.1) lib/warden/manager.rb:34:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/flash.rb:242:in `call'
  rack (1.4.5) lib/rack/session/abstract/id.rb:210:in `context'
  rack (1.4.5) lib/rack/session/abstract/id.rb:205:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
  activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `_run__53745951561906208__call__2319728286447542957__callbacks'
  activesupport (3.2.13) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.13) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
  activesupport (3.2.13) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.13) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/reloader.rb:65:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  airbrake (3.1.12) lib/airbrake/rails/middleware.rb:13:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.13) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.13) lib/rails/rack/logger.rb:16:in `block in call'
  activesupport (3.2.13) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.13) lib/rails/rack/logger.rb:16:in `call'
  quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
  actionpack (3.2.13) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  activesupport (3.2.13) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.13) lib/action_dispatch/middleware/static.rb:63:in `call'
  airbrake (3.1.12) lib/airbrake/user_informer.rb:16:in `_call'
  airbrake (3.1.12) lib/airbrake/user_informer.rb:12:in `call'
  railties (3.2.13) lib/rails/engine.rb:479:in `call'
  railties (3.2.13) lib/rails/application.rb:223:in `call'
  railties (3.2.13) lib/rails/railtie/configurable.rb:30:in `method_missing'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:145:in `handle'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:99:in `rescue in block (2 levels) in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:96:in `block (2 levels) in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `each'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:86:in `block in start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `loop'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:66:in `start'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/lib/nack/server.rb:13:in `run'
  /Users/jasl/Library/Application Support/Pow/Versions/0.4.1/node_modules/nack/bin/nack_worker:4:in `'

另外，我大概看过一些twiiter api proxy工具，都比较老，还在使用即将作废的1.0版api，所以就不考虑了

请教：

• 有什么好的国内主机使用twitter oauth api的方案？
• 我感觉我想到的两个方案理论上都是可行的，但哪里出问题或者我没考虑到导致失败呢？
• 有什么办法截取代理服务器出去的包？tcpdump nc都是针对socket的，对于只想观察request来说 非常重，而且难用。。。

感谢！

@luikore @hooopo @yedingding @quakewang @bhuztez @lgn21st

原文地址：请教服务器迁移到国内后 twitter oauth 的 proxy 问题, 感谢原作者分享。