服务器 Gind.cn
  1. 服务器 Gind.cn
  3. Nginx的SSL HTTPS不能正常工作,甚至防火墙是打开的
Intereting Posts
我怎样才能修复与gluster自我愈合目录总大小 WSUS电子邮件通知 为什么我在IIS 6的网站的根域中获取404? 通过batch file在远程系统上灌输软件 Exchange Server 2013上的巨大mail.que文件 Apache子域不能正常工作 定期备份一个MySQL数据库 学习Windows Server 2008 DNS的资源 如何使用apache 2.2在html布局中包装所有的html响应? 在Linux上使用rsync进行复制时如何跳过带有读取错误的文件? ubuntu中/ proc / diskstats的输出 为什么我要在一台计算机上拥有多个IP? UPS和服务器基础设施 如何将chkconfig结果输出到shell脚本中的文件? Htaccess使用单个RewriteRuleredirect到https和www

Nginx的SSL HTTPS不能正常工作,甚至防火墙是打开的

HTTP从服务器和客户端正常工作。 HTTPs只能在服务器上运行。 我能做些什么来使HTTP在外部工作?

从服务器 

OpenSSL : OpenSSL 1.0.2g 1 Mar 2016 Nginx : nginx/1.10.3 OS : Ubuntu 14.04.5 LTS NodeJS : v6.10.2

我有一台服务器上的127.0.0.1:5000绑定的127.0.0.1的nodejs express服务器。

我已经build立了一个反向代理到这个nodejs express服务器。 这是我的nginxconfiguration文件: 

 upstream nodejs { server 127.0.0.1:5000 fail_timeout=10s; } server { listen 80; listen 443 ssl; server_name domain.foo; ssl_certificate /etc/letsencrypt/live/domain.foo/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.foo/privkey.pem; location /.well-known { root /var/www/ssl-proof/default/; } location / { proxy_pass http://nodejs; proxy_read_timeout 90; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_redirect off; } }

让我们encryption工作正常我已经完成openssl s_client -connect domain.foo:443从服务器,我得到没有问题的证书。 curl -k -vvv https://domain.foo也工作正常。

这是我的服务器上的ufw status 

 443/tcp ALLOW Anywhere 22 ALLOW Anywhere 1194 ALLOW Anywhere Nginx Full ALLOW Anywhere Nginx HTTP ALLOW Anywhere Nginx HTTPS ALLOW Anywhere 5000 ALLOW Anywhere 443/tcp (v6) ALLOW Anywhere (v6) 22 (v6) ALLOW Anywhere (v6) 1194 (v6) ALLOW Anywhere (v6) Nginx Full (v6) ALLOW Anywhere (v6) Nginx HTTP (v6) ALLOW Anywhere (v6) Nginx HTTPS (v6) ALLOW Anywhere (v6)

从客户端

这里是从客户端到服务器的nmap 

 rDNS record for XXXX: domain.foo Not shown: 996 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5000/tcp closed upnp Nmap done: 1 IP address (1 host up) scanned in 5.75 seconds

当我尝试运行openssl s_client -connect domain.foo:443 -debug -msg 。 这是我得到的: 

 CONNECTED(00000003) write to 0x19a5fc0 [0x19a6040] (315 bytes => 315 (0x13B)) 0000 - 16 03 01 01 36 01 00 01-32 03 03 52 50 26 f0 79 ....6...2..RP&.y 0010 - 67 6c 18 e4 dc 90 e4 47-f0 66 62 9a 3b 66 84 8b gl.....G.fb.;f.. 0020 - 81 7e 6f ad cd 61 39 f8-de e4 e1 00 00 b4 c0 30 .~o..a9........0 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$.......... 0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...kjih9.8.7 0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...* 0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../ 0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#.......... 0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1 0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........EDC 00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%...... 00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02 .<./...A........ 00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d ................ 00d0 - c0 0d c0 03 00 0a 00 15-00 12 00 0f 00 0c 00 09 ................ 00e0 - 00 ff 01 00 00 55 00 0b-00 04 03 00 01 02 00 0a .....U.......... 00f0 - 00 1c 00 1a 00 17 00 19-00 1c 00 1b 00 18 00 1a ................ 0100 - 00 16 00 0e 00 0d 00 0b-00 0c 00 09 00 0a 00 23 ...............# 0110 - 00 00 00 0d 00 20 00 1e-06 01 06 02 06 03 05 01 ..... .......... 0120 - 05 02 05 03 04 01 04 02-04 03 03 01 03 02 03 03 ................ 0130 - 02 01 02 02 02 03 00 0f-00 01 01 ........... >>> TLS 1.2 [length 0005] 16 03 01 01 36 >>> TLS 1.2 Handshake [length 0136], ClientHello 01 00 01 32 03 03 52 50 26 f0 79 67 6c 18 e4 dc 90 e4 47 f0 66 62 9a 3b 66 84 8b 81 7e 6f ad cd 61 39 f8 de e4 e1 00 00 b4 c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 c0 12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 15 00 12 00 0f 00 0c 00 09 00 ff 01 00 00 55 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01 read from 0x19a5fc0 [0x19ab5a0] (7 bytes => 0 (0x0)) --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 315 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1493896114 Timeout : 300 (sec) Verify return code: 0 (ok) ---

这是前一次调用的服务器上的tcpdump -vvv port 443 

 tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 07:14:35.760888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) domain.foo.htps > li470-25.client.foo.51928: Flags [S.], cksum 0x07a5 (correct), seq 3770024728, ack 3716645599, win 14480, options [mss 1460,sackOK,TS val 1825234083 ecr 129546331,nop,wscale 7], length 0 07:14:35.813457 IP (tos 0x0, ttl 52, id 14982, offset 0, flags [DF], proto TCP (6), length 52) li470-25.client.foo.51928 > domain.foo.htps: Flags [.], cksum 0x6e0d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 0 07:14:35.813698 IP (tos 0x0, ttl 52, id 14983, offset 0, flags [DF], proto TCP (6), length 367) li470-25.client.foo.51928 > domain.foo.htps: Flags [P.], cksum 0x22c2 (correct), seq 1:316, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 315 07:14:35.813717 IP (tos 0x0, ttl 64, id 57281, offset 0, flags [DF], proto TCP (6), length 52) domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6d08 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0 07:14:35.814087 IP (tos 0x0, ttl 64, id 57282, offset 0, flags [DF], proto TCP (6), length 52) domain.foo.htps > li470-25.client.foo.51928: Flags [F.], cksum 0x6d07 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0 07:14:35.866972 IP (tos 0x0, ttl 52, id 14984, offset 0, flags [DF], proto TCP (6), length 52) li470-25.client.foo.51928 > domain.foo.htps: Flags [F.], cksum 0x6c8b (correct), seq 316, ack 2, win 229, options [nop,nop,TS val 129546362 ecr 1825234136], length 0 07:14:35.867009 IP (tos 0x0, ttl 64, id 57283, offset 0, flags [DF], proto TCP (6), length 52) domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6cc1 (correct), seq 2, ack 317, win 122, options [nop,nop,TS val 1825234189 ecr 129546362], length 0

当我尝试运行curl -k -vvv https://domain.foo这是我得到: 

 * About to connect() to domain.foo port 443 (#0) * Trying XXXX. connected * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * Unknown SSL protocol error in connection to domain.foo:443 * Closing connection #0 curl: (35) Unknown SSL protocol error in connection to domain.foo:443

当我在浏览器上访问https//domain.foo时,我只是从chrome获得一个ERR_CONNECTION_CLOSED

我能做些什么来使HTTP在外部工作?