服务器 Gind.cn
  1. 服务器 Gind.cn
  3. Nginx在端口443上侦听,防火墙closures仍然无法连接
Intereting Posts
check_snmp_mem.pl Icinga2configuration中断 每分钟从plesk的计划任务运行perl文件 有什么方法(在Linux中)设置sy​​slog如何写入其时间戳 有关域控制器的问题 在Linux中使用mdadm for Root磁盘创buildRAID 1: 桌面带外pipe理有哪些select? 在nginx中将http://example.com:12345redirect到https://example.com:12345 select正确的服务器机架宽度 我怎样才能从下载的软件包中创build一个yum存储库? 如何在更新过程中解决yum错误 – CentOS 更改SQL Server FileStreampath 检测数据库入侵的最佳策略是什么? EC2用户数据脚本没有find命令 从path获取进程ID 故障排除packetloss

Nginx在端口443上侦听,防火墙closures仍然无法连接

netstat输出: 

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -

UFW处于非活动状态。 该网站在数字海洋上的一个水滴托pipe,他们允许所有的端口。 如果我运行tcpdump并尝试访问网站,它显示一个连接,但浏览器返回拒绝连接错误。 本地主机上显示端口443是打开的,但如果我在实际的服务器上运行它,它显示它是closures的。 如上所示,Nginx正在端口443上正确侦听。

Nginx.conf 

 user admin root; worker_processes auto; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"' '$ssl_protocol/$ssl_cipher '; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; include /etc/nginx/conf.d/*.conf; }

服务器块 

 server { listen 80; listen 443 ssl; server_name vechi.juristnet.ro; ssl_certificate /etc/letsencrypt/live/juristnet.ro/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/juristnet.ro/privkey.pem; root /var/juristnet/stable; location / { index index.php index.html; rewrite_log on; rewrite ^\/([a-zA-Z-]*)\/?([a-zA-Z-]*)$ /index.php?page=$1&subpage=$2 last; } location /.well-known/{ allow all; } location ~ \.php$ { fastcgi_keep_conn on; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include /etc/nginx/fastcgi_params; } } server { listen 80; server_name juristnet.ro www.juristnet.ro; root /var/test/proiect; client_max_body_size 10M; location = /favicon.ico { access_log off; log_not_found off; alias /var/test/proiect/favicon.ico; } location /static/ { autoindex on; } location /assets/ { autoindex on; alias /var/test/proiect/assets/; } location ~ /.well-known/ { allow all; } location / { include /etc/nginx/fastcgi_params; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_pass http://unix:/var/test/proiect/Tutorial2.sock; fastcgi_param HTTPS on; fastcgi_param HTTP_SCHEME https; } }

编辑:netstat -tulepn 

 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 7246832 8864/nginx.conf tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12588 1003/sshd tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 109 13486 1131/postgres tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 7246833 8864/nginx.conf tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 108 15831 1067/mysqld tcp6 0 0 :::8080 :::* LISTEN 107 18201 1356/java tcp6 0 0 :::22 :::* LISTEN 0 12594 1003/sshd tcp6 0 0 :::30845 :::* LISTEN 0 14246 1207/docker-proxy

TCPdump输出: 

 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:28:15.632611 IP 82.208.159.43.60840 > 46.101.111.197.https: Flags [S], seq 419699944, win 29200, options [mss 1380,sackOK,TS val 17904800 ecr 0,nop,wscale 7], length 0 16:28:15.632776 IP 82.208.159.43.24434 > 46.101.111.197.https: Flags [S], seq 1740044749, win 29200, options [mss 1380,sackOK,TS val 17904800 ecr 0,nop,wscale 7], length 0 16:28:15.632940 IP 46.101.111.197.https > 82.208.159.43.60840: Flags [R.], seq 0, ack 419699945, win 0, length 0 16:28:15.632964 IP 46.101.111.197.https > 82.208.159.43.24434: Flags [R.], seq 0, ack 1740044750, win 0, length 0

更新:iptables -t nat -L -v -n 

 Chain PREROUTING (policy ACCEPT 2106 packets, 120K bytes) pkts bytes target prot opt in out source destination 2604 148K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL Chain INPUT (policy ACCEPT 2084 packets, 118K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 16610 packets, 1025K bytes) pkts bytes target prot opt in out source destination 7017 421K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL Chain POSTROUTING (policy ACCEPT 17125 packets, 1055K bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:443 Chain DOCKER (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30845 to:172.17.0.2:80 515 29760 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.0.2:443

这不是每个人的解决scheme,但在我的情况下,它与Docker有关。 我没有把它用于我的网站,但我认为它仍然以某种方式与连接进行交互。 我停止了服务,现在它运作。 我可以通过添加一些规则来显示端口,但是这样做了。