所以,我正在尝试让Nginx通过https服务我的网站,但它一直在打我,拒绝连接错误。
所以这里的输出是:
curlhttps://juristnet.ro (这是网站)
curl: (7) Failed to connect to juristnet.ro port 443: Connection refused netstat -anltp
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 46.101.111.197:80 66.249.64.215:60905 TIME_WAIT - tcp 0 0 46.101.111.197:80 66.249.64.211:57434 ESTABLISHED - tcp 0 0 46.101.111.197:22 82.208.159.43:26902 ESTABLISHED - tcp 0 476 46.101.111.197:22 82.208.159.43:11648 ESTABLISHED - tcp 0 0 46.101.111.197:22 223.99.60.37:16862 ESTABLISHED - tcp6 0 0 :::8080 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::30845 :::* LISTEN -
正如你所看到的,443端口是打开的,Nginx正在监听
80/tcp open http 443/tcp open https 3306/tcp open mysql 5432/tcp open postgresql
Nmap显示端口是开放的。
UFW是不活动的,所以没有防火墙的问题。 这是digitalocean上的一个小滴,所以没有转发问题。
iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere localhost tcp spts:1024:65535 dpt:https state NEW,ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination DOCKER-ISOLATION all -- anywhere anywhere DOCKER all -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DOCKER (1 references) target prot opt source destination ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:https
我的Nginx.conf:
user admin root; worker_processes auto; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; include /etc/nginx/conf.d/*.conf; }
我的其他conf(服务器块):
server { listen 80; listen 443 ssl; server_name juristnet.ro www.juristnet.ro; keepalive_timeout 70; ssl_certificate /etc/letsencrypt/live/juristnet.ro/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/juristnet.ro/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; root /var/test/proiect; client_max_body_size 10M; location = /favicon.ico { access_log off; log_not_found off; alias /var/test/proiect/favicon.ico; } location /static/ { autoindex on; } location /assets/ { autoindex on; alias /var/test/proiect/assets/; } location ~ /.well-known/ { allow all; } location / { include /etc/nginx/fastcgi_params; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_pass http://unix:/var/test/proiect/Tutorial2.sock; fastcgi_param HTTPS on; fastcgi_param HTTP_SCHEME https; }
还有另一个子域名,但我猜这是不相关的。
nginx的错误日志和访问日志没有显示任何特别的东西。
证书是从letsencrypt获得的。 如果我尝试绑定gunicorn
因为它在0.0.0.0:8000上,使用–keyfile和–certfile选项,它可以使用https,所以我猜这是一个nginx问题。 或者,也许我需要添加这些设置的地方? 无论如何,我已经在这个问题上抨击了两天,所以如果有人能够解决这个问题的话,我会非常感激的。
我解决了这个问题,但这不是一个通用的解决scheme。 就我而言,Docker干涉了iptables,并且不允许在端口443上连接。在我从Docker中暴露端口后,它开始工作。