我正在创build一个新的HTTPS服务器,我希望能够公开提供。 这是在Ubuntu 16.04上。
我有困难,该网站不能被远程看到。 我已经正确地configuration了允许访问相应的服务器的路由器,实际上服务器的UFW日志似乎表明请求确实进入,但是被阻止:
Mar 5 07:07:18 oc9 kernel: [35729.338614] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=192.168.158.175 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52285 DF PROTO=TCP SPT=47801 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0 Mar 5 07:08:01 oc9 kernel: [35772.752517] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 Mar 5 07:08:56 oc9 kernel: [35827.268215] [UFW BLOCK] IN=ens33 OUT= MAC=01:00:5e:00:00:01:40:b7:f3:dd:a5:40:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 Mar 5 07:10:06 oc9 kernel: [35897.823432] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 我正在使用UFW,其状态是:
ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 80,443/tcp (Apache Full) ALLOW IN Anywhere 22/tcp (OpenSSH) ALLOW IN Anywhere 80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6) 22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
我所知道的最后一件事是iptables -vL的输出,但是我不知道我在看什么。
Chain INPUT (policy DROP 835 packets, 34384 bytes) pkts bytes target prot opt in out source destination 57949 3365K ufw-before-logging-input all -- any any anywhere anywhere 57949 3365K ufw-before-input all -- any any anywhere anywhere 53255 2900K ufw-after-input all -- any any anywhere anywhere 835 34384 ufw-after-logging-input all -- any any anywhere anywhere 835 34384 ufw-reject-input all -- any any anywhere anywhere 835 34384 ufw-track-input all -- any any anywhere anywhere Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ufw-before-logging-forward all -- any any anywhere anywhere 0 0 ufw-before-forward all -- any any anywhere anywhere 0 0 ufw-after-forward all -- any any anywhere anywhere 0 0 ufw-after-logging-forward all -- any any anywhere anywhere 0 0 ufw-reject-forward all -- any any anywhere anywhere 0 0 ufw-track-forward all -- any any anywhere anywhere Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3514 644K ufw-before-logging-output all -- any any anywhere anywhere 3514 644K ufw-before-output all -- any any anywhere anywhere 75 5592 ufw-after-output all -- any any anywhere anywhere 75 5592 ufw-after-logging-output all -- any any anywhere anywhere 75 5592 ufw-reject-output all -- any any anywhere anywhere 75 5592 ufw-track-output all -- any any anywhere anywhere Chain ufw-after-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-after-input (1 references) pkts bytes target prot opt in out source destination 772 60972 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns 879 215K ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm 203 12180 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn 0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds 19 7798 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc 50547 2570K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST Chain ufw-after-logging-forward (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-after-logging-input (1 references) pkts bytes target prot opt in out source destination 835 34384 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-after-logging-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-after-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-forward (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request 0 0 ufw-user-forward all -- any any anywhere anywhere Chain ufw-before-input (1 references) pkts bytes target prot opt in out source destination 160 11840 ACCEPT all -- lo any anywhere anywhere 4481 448K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 1 40 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID 1 40 DROP all -- any any anywhere anywhere ctstate INVALID 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem 3 252 ACCEPT icmp -- any any anywhere anywhere icmp echo-request 4 1312 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc 53300 2903K ufw-not-local all -- any any anywhere anywhere 0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns 0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900 53300 2903K ufw-user-input all -- any any anywhere anywhere Chain ufw-before-logging-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-output (1 references) pkts bytes target prot opt in out source destination 160 11840 ACCEPT all -- any lo anywhere anywhere 3279 627K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 75 5592 ufw-user-output all -- any any anywhere anywhere Chain ufw-logging-allow (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] " Chain ufw-logging-deny (2 references) pkts bytes target prot opt in out source destination 1 40 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] " Chain ufw-not-local (1 references) pkts bytes target prot opt in out source destination 587 36448 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL 564 18056 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST 52149 2848K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST 0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10 0 0 DROP all -- any any anywhere anywhere Chain ufw-reject-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-reject-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-reject-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-skip-to-policy-forward (0 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- any any anywhere anywhere Chain ufw-skip-to-policy-input (7 references) pkts bytes target prot opt in out source destination 52420 2866K DROP all -- any any anywhere anywhere Chain ufw-skip-to-policy-output (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any any anywhere anywhere Chain ufw-track-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-track-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-track-output (1 references) pkts bytes target prot opt in out source destination 16 960 ACCEPT tcp -- any any anywhere anywhere ctstate NEW 59 4632 ACCEPT udp -- any any anywhere anywhere ctstate NEW Chain ufw-user-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-user-input (1 references) pkts bytes target prot opt in out source destination 43 2532 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https /* 'dapp_Apache%20Full' */ 2 104 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */ Chain ufw-user-limit (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] " 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any any anywhere anywhere Chain ufw-user-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-output (1 references) pkts bytes target prot opt in out source destination
这是“ss -ltnp”的输出: State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:3306 : users:(("mysqld",pid=1594,fd=16)) LISTEN 0 128 *:22 : users:(("sshd",pid=1285,fd=3)) LISTEN 0 128 :::80 :::* users:(("apache2",pid=1947,fd=4),("apache2",pid=1944,fd=4),("apache2",pid=1943,fd=4),("apache2",pid=1942,fd=4),("apache2",pid=1941,fd=4),("apache2",pid=1940,fd=4),("apache2",pid=1937,fd=4)) LISTEN 0 128 :::22 :::* users:(("sshd",pid=1285,fd=4)) LISTEN 0 128 :::443 :::* users:(("apache2",pid=1947,fd=6),("apache2",pid=1944,fd=6),("apache2",pid=1943,fd=6),("apache2",pid=1942,fd=6),("apache2",pid=1941,fd=6),("apache2",pid=1940,fd=6),("apache2",pid=1937,fd=6))
这是来自“openssl s_client -connect 192.168.158.158:443:
openssl s_client -connect 192.168.158.158:443 CONNECTED(00000003) depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected] verify error:num=18:self signed certificate verify return:1 depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected] verify return:1 --- Certificate chain 0 s:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected] i:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIID6TCCAtGgAwIBAgIJANpH0YKSCE+FMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD et cetera q3jJ5FRjd6cWaPKJ25UeMdKJCbpCnmlLadMy3oSDTfqk3UTymhUiJhIgm9S2 -----END CERTIFICATE----- subject=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected] issuer=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected] --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1517 bytes and written 431 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: AAC21087FEAB3ED0D391F3C5AF78FCCF717AE456D107591B7B9FDADD03E44D4C Session-ID-ctx: Master-Key: 9FA0F50D914170495DCEDFE73AEA1AFDC86491C814F582794C4D55C2265EDC1415A57ADC282992ADF5DC6AF4161F6D19 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1488762616 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
我可以检查什么,看看哪里出了问题?
在你iptables输出,你要找的是在ufw用户input链
第一行启用端口80和443,在那里它是multiport dports http,https
我想你是在误读ufw日志。 在那里你看到DST=224.0.0.1这意味着你的防火墙阻止多播,在第一行你可以看到DPT=515 ,这意味着目标端口是515而不是443。
为了确保防火墙不会阻止你,你可以尝试在远程主机telnet $HTTP_SERVER 443 。 如果您被阻止,您应立即拒绝连接,因为您的基本政策被deny
事实certificate,由于AT&T对其固件进行了更改,NVG589路由器不会将NAT /游戏stream量引导至新的DHCP派生地址。 如果您在固件升级时指定了一个dynamic地址,则似乎没有问题,但是任何新的地址都不能用于端口通路。 没有错误信息,没有警告,也没有迹象表明它为什么不起作用,或者它的工作 – 也没办法看到防火墙在做什么。
无论如何,这是通过为服务器指定一个固定的IP地址(在路由器上),然后重新configurationHTTPS协议来解决的。