Nginx 没有从远程框外响应
Nginx not responding from outside the remote box
我的网站 (Django/nginx/gunicorn/mysql) 托管在远程盒子上,工作正常,直到我出于某种原因决定重新启动远程盒子。所以重启后,当我在远程框中说 curl -IL -H -GET my.web.address 它工作正常。但是,当我从外部尝试相同的命令时,它报告 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address。
感谢任何帮助。请在下面找到我检查过的相关内容。
我使用的是CentOS 7系统。我主要使用 this tutorial
nginx 正在监听正确的端口
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3425/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3425/nginx: master
防火墙(查看 ufw 结果)允许我的端口
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (SSH) ALLOW IN Anywhere
224.0.0.251 5353/udp (mDNS) ALLOW IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (SSH (v6)) ALLOW IN Anywhere (v6)
ff02::fb 5353/udp (mDNS) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
sestatus
SELinux status: disabled
nmap 的输出以检查端口状态
nmap -sT my.ip.address
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
nginx.conf
的内容
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
我的 nginx.conf
服务器块
server {
server_name my.ip.address my.web.address;
error_log /srv/www/myweb/logs/error.log;
access_log /srv/www/myweb/logs/access.log;
charset utf-8;
location /static/{
alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
}
location /{
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = my.ip.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = my.web.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.ip.address my.web.address;
return 404; # managed by Certbot
}
我已经检查了我的 sock 文件权限,它们由各自的用户正确地启动。文件权限设置正确。
gunicorn.service 文件的内容
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application
[Install]
WantedBy=multi-user.target
同时,为了确保我的问题与 Lets encrypt 服务器证书无关,我对 nginx.conf 进行了更改以仅使用 HTTP。
下面是 curl -IL -GET my.domain.name 的输出,当我 运行 它在我的远程盒子上时:
HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 06 Mar 2020 08:26:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7918
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
我得到与上面相同的输出,而 运行 IP 地址。
当我从我的笔记本电脑 运行 curl 时,我得到 curl: (52) Empty reply from server 作为包含域名和 IP 地址的响应。
我从我的笔记本电脑上对服务器进行了 ping 操作(均使用 IP 和域名),它们 send/receive 数据包。域名与 IP 正确映射。我还使用 nslookup
验证了它
因为我禁用了 HTTPS,所以 TLS 版本并不重要,不是吗?
此外,我使用 ufw 禁用了防火墙。我查了 iptables -L 规则。我是这方面的新手,但对我来说,远程服务器的结果似乎旨在接受任何传入连接。
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
所以问题已经解决了!
问题是不知何故,UFW 规则没有更新 iptables 条目以允许端口 80/443。
我用下面的命令手动修改了它。
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
我的网站 (Django/nginx/gunicorn/mysql) 托管在远程盒子上,工作正常,直到我出于某种原因决定重新启动远程盒子。所以重启后,当我在远程框中说 curl -IL -H -GET my.web.address 它工作正常。但是,当我从外部尝试相同的命令时,它报告 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address。
感谢任何帮助。请在下面找到我检查过的相关内容。
我使用的是CentOS 7系统。我主要使用 this tutorial
nginx 正在监听正确的端口
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3425/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3425/nginx: master
防火墙(查看 ufw 结果)允许我的端口
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (SSH) ALLOW IN Anywhere
224.0.0.251 5353/udp (mDNS) ALLOW IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (SSH (v6)) ALLOW IN Anywhere (v6)
ff02::fb 5353/udp (mDNS) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
sestatus
SELinux status: disabled
nmap 的输出以检查端口状态
nmap -sT my.ip.address
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
nginx.conf
的内容
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
我的 nginx.conf
服务器块
server {
server_name my.ip.address my.web.address;
error_log /srv/www/myweb/logs/error.log;
access_log /srv/www/myweb/logs/access.log;
charset utf-8;
location /static/{
alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
}
location /{
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = my.ip.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = my.web.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.ip.address my.web.address;
return 404; # managed by Certbot
}
我已经检查了我的 sock 文件权限,它们由各自的用户正确地启动。文件权限设置正确。
gunicorn.service 文件的内容
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application
[Install]
WantedBy=multi-user.target
同时,为了确保我的问题与 Lets encrypt 服务器证书无关,我对 nginx.conf 进行了更改以仅使用 HTTP。
下面是 curl -IL -GET my.domain.name 的输出,当我 运行 它在我的远程盒子上时:
HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 06 Mar 2020 08:26:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7918
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
我得到与上面相同的输出,而 运行 IP 地址。
当我从我的笔记本电脑 运行 curl 时,我得到 curl: (52) Empty reply from server 作为包含域名和 IP 地址的响应。
我从我的笔记本电脑上对服务器进行了 ping 操作(均使用 IP 和域名),它们 send/receive 数据包。域名与 IP 正确映射。我还使用 nslookup
因为我禁用了 HTTPS,所以 TLS 版本并不重要,不是吗?
此外,我使用 ufw 禁用了防火墙。我查了 iptables -L 规则。我是这方面的新手,但对我来说,远程服务器的结果似乎旨在接受任何传入连接。
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
所以问题已经解决了!
问题是不知何故,UFW 规则没有更新 iptables 条目以允许端口 80/443。
我用下面的命令手动修改了它。
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT