Nginx 没有从远程框外响应

Nginx not responding from outside the remote box

我的网站 (Django/nginx/gunicorn/mysql) 托管在远程盒子上,工作正常,直到我出于某种原因决定重新启动远程盒子。所以重启后,当我在远程框中说 curl -IL -H -GET my.web.address 它工作正常。但是,当我从外部尝试相同的命令时,它报告 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address

感谢任何帮助。请在下面找到我检查过的相关内容。

我使用的是CentOS 7系统。我主要使用 this tutorial

nginx 正在监听正确的端口

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3425/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3425/nginx: master

防火墙(查看 ufw 结果)允许我的端口

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere                  
224.0.0.251 5353/udp (mDNS) ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)             
ff02::fb 5353/udp (mDNS)   ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)

sestatus

SELinux status: disabled

nmap 的输出以检查端口状态

nmap -sT my.ip.address

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
3306/tcp open  mysql

nginx.conf

的内容
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

我的 nginx.conf

服务器块
server {
    server_name my.ip.address my.web.address;
    error_log /srv/www/myweb/logs/error.log;
    access_log /srv/www/myweb/logs/access.log;
    charset utf-8;

    location /static/{
        alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
    }

    location /{
        proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = my.ip.address) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = my.web.address) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

      listen 80;
      server_name my.ip.address my.web.address;
    return 404; # managed by Certbot

}

我已经检查了我的 sock 文件权限,它们由各自的用户正确地启动。文件权限设置正确。

gunicorn.service 文件的内容

[Unit]
Description=gunicorn daemon
After=network.target

[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application

[Install]
WantedBy=multi-user.target

同时,为了确保我的问题与 Lets encrypt 服务器证书无关,我对 nginx.conf 进行了更改以仅使用 HTTP。

下面是 curl -IL -GET my.domain.name 的输出,当我 运行 它在我的远程盒子上时:

HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 06 Mar 2020 08:26:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7918
Connection: keep-alive
X-Frame-Options: SAMEORIGIN

我得到与上面相同的输出,而 运行 IP 地址。

当我从我的笔记本电脑 运行 curl 时,我得到 curl: (52) Empty reply from server 作为包含域名和 IP 地址的响应。

我从我的笔记本电脑上对服务器进行了 ping 操作(均使用 IP 和域名),它们 send/receive 数据包。域名与 IP 正确映射。我还使用 nslookup

验证了它

因为我禁用了 HTTPS,所以 TLS 版本并不重要,不是吗?

此外,我使用 ufw 禁用了防火墙。我查了 iptables -L 规则。我是这方面的新手,但对我来说,远程服务器的结果似乎旨在接受任何传入连接。

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

所以问题已经解决了!

问题是不知何故,UFW 规则没有更新 iptables 条目以允许端口 80/443。

我用下面的命令手动修改了它。

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT