Yaws webserver running via HTTP but not via HTTPS

I have a Yaws webserver. I am trying to connect to it via https in my local network. When I set up my server for http in yaws.conf as follows, everything works when I connect in the browser via http://0.0.0.0:80/myappmod:

<server *:80>
    port = 80
    listen = 0.0.0.0
    docroot = /home/anyuser/anydir/
    auth_log = true
    appmods = </, myappmod>
</server>

But the following configuration (using ssl) does not (I connect via https://0.0.0.0:443/myappmod):

<server mydomain.com>
    port = 443
    docroot = /home/anyuser/anydir/
    listen = 0.0.0.0
    dir_listings = true
    auth_log = true
    appmods = </, myappmod> 
    <ssl>  
        keyfile = /home/anyuser/private-key.pem
        certfile = /home/anyuser/cert_by_ca.pem
        depth = 0
    </ssl>
</server>

The certificate was officially issued by a certificate authority and is used for other webservers under "mydomain.com" in general. The private key is in this format:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7WBJR0YV9bq4P
...
CAy+LaJpyW/b2vQ+He7t/rg=
-----END PRIVATE KEY-----

and the .crt file is in this format:

-----BEGIN CERTIFICATE-----
MIIGgjCCBWqgAwIBAgIIZiCEI/Q/x7gwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
...
1CtNn+5v4lBpgzWS0ZSv5xkeskHjzXnRbjl7jzbkwUdseCZHwXc=
-----END CERTIFICATE-----

When I try to connect, I get ERR_CONNECTION_RESET in Chrome and PR_END_OF_FILE_ERROR in Firefox. What am I doing wrong? I can't find any further information about the configuration in the official yaws documentation. Can anyone help?

EDIT:

trace.log output from curl -v -k --trace-ascii trace.log https://0.0.0.0:443/:

== Info:   Trying 0.0.0.0:443...
== Info: Connected to 0.0.0.0 (127.0.0.1) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: TLSv1.0 (OUT), TLS header, Certificate Status (22):
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: .......w.`0V;k.z;7...}1..Y..5.;..WjO.. .4.,30.....L.......3.../.
0040: ..Y.....>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./.....u..................................3t.........h2.http/
00c0: 1.1.........1.....*.(.........................................+.
0100: .......-.....3.&.$... ....d>..xlz#..H.V...|.R.s.k.t..r..........
0140: ................................................................
0180: ................................................................
01c0: ................................................................
== Info: OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt in connection to 0.0.0.0:443 
== Info: Closing connection 0
== Info: TLSv1.3 (OUT), TLS alert, decode error (562):
=> Send SSL data, 2 bytes (0x2)
0000: .2

EDIT2: "Die Verbindung wurde vom Kommunikationspartner zurückgesetzt" means "The connection was reset by the communication partner" in English.

Is the decode error (562) due to invalid encoding of the certificate file? I have to admit that I got 2 files from godaddy.com: a .pem and a .crt file. Their contents look exactly the same to me. The contents are as above. (I use the .pem file in yaws.conf.) The key file I use is the output I copied from the certificate signing request on godaddy.com (I just copied it from their web textbox and pasted it into a .txt file on ubuntu).

EDIT 3:

openssl s_client -connect mydomain.com:443 (dns works for http://mydomain.de:80) gives me:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 310 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

EDIT 4:

So I produced some more output. First I verified that my certificate is fine. For that I set up an openssl client and server via:

openssl s_server -accept 8443 -cert /etc/mydomain.pem -key /etc/mydomain.key -CAfile /etc/gd_bundle-g2-g1.crt

openssl s_client -connect localhost:8443 -cert /etc/mydomain.pem -key /etc/mydomain.key -CAfile /etc/gd_bundle-g2-g1.crt -verify 8 -verify_hostname mydomain.de

This resulted in a successful handshake:

... Certificate and other data I do not want to post and:

SSL handshake has read 5658 bytes and written 373 bytes
Verification: OK
Verified peername: mydomain.de

... more data

Then I set up an http and an https server with the following config file. I further made sure that the .pem and .key files are accessible by yaws by using chmod +777 (I know this is bad, but I just wanted to be sure). Then I started the yaws server (with root privileges; I know this is evil too, but until I figure out how to bind to privileged ports as non-root I only do this for testing).

logdir = /var/log/yaws
ebin_dir = /usr/local/lib/yaws-appmods/ebin
include_dir = /usr/local/lib/yaws-appmods/include
max_connections = nolimit
keepalive_maxuses = nolimit
process_options = "[]"
acceptor_pool_size = 8
trace = false
use_old_ssl = false
copy_error_log = true
log_wrap_size = 0
log_resolve_hostname = false
fail_on_bind_err = true
pick_first_virthost_on_nomatch = false
keepalive_timeout = 30000
sni = enable

<server mydomain.de>
    port = 80
    listen = 192.168.178.75
    docroot = /home/my_non_root_user/my_appmod/
    auth_log = true
    appmods = </, my_appmod>
</server>


<server mydomain.de>
    port = 443
    docroot = /home/my_non_root_user/my_appmod/
    listen = 192.168.178.75
    dir_listings = true
    auth_log = true
    appmods = </, my_appmod>    
    <ssl>  
        keyfile = /etc/mydomain.key
        certfile = /etc/mydomain.pem
        depth = 0
    </ssl>
</server>

I also tried providing the ca-bundle, setting a higher depth, and trying some other parameters, but none of it worked. I get the same error as above. In the yaws output below, only http can be seen running. When I try to connect via https, no output is produced at all. No worker, etc. Overall I'm quite new to Yaws and webservers. I like erlang very much and just want to have a small webserver of my own. No production-ready complex solution. I guess I'm doing something wrong in my config file, or my understanding of the whole webserver concept is incomplete.

1> =INFO REPORT==== 30-Jan-2022::21:16:55.826108 ===
Yaws: Using config file /etc/yaws/yaws.conf

=ERROR REPORT==== 30-Jan-2022::21:16:55.839289 ===
use_old_ssl in yaws.conf is no longer supported - ignoring

=INFO REPORT==== 30-Jan-2022::21:16:55.904479 ===
yaws debug:Add path "/usr/local/lib/yaws-appmods/ebin"

=INFO REPORT==== 30-Jan-2022::21:16:55.906202 ===
yaws debug:Add path "/usr/lib/yaws/examples/ebin"

=INFO REPORT==== 30-Jan-2022::21:16:55.906272 ===
yaws debug:Running with id="default" 
Running with debug checks turned on (slower server) 
Logging to directory "/var/log/yaws"

=INFO REPORT==== 30-Jan-2022::21:16:55.911016 ===
Ctlfile : /root/.yaws/yaws/default/CTL

=INFO REPORT==== 30-Jan-2022::21:16:55.911698 ===
sync call startup:start 

ENSURE SSL: {ok,[]}

=INFO REPORT==== 30-Jan-2022::21:16:56.045817 ===
Trace directory "/var/log/yaws/trace_20220130_211656" created

=INFO REPORT==== 30-Jan-2022::21:16:56.055200 ===
Yaws: Listening to 192.168.178.75:443 for <1> virtual servers:
 - https://mydomain.de under /home/my_non_root_user/my_appmod

=INFO REPORT==== 30-Jan-2022::21:16:56.055388 ===
Yaws: Listening to 192.168.178.75:80 for <1> virtual servers:
 - http://mydomain.de under /home/my_non_root_user/my_appmod

Worker: <0.194.0> 
[2022-01-30 21:17:15.987] ===== CLI -> SRV =====
New (nossl) connection from 80.*.*.*:57260                // * are manually hidden numbers for Whosebug post

Worker: <0.200.0> 
[2022-01-30 21:17:15.987] ===== CLI -> SRV =====
New (nossl) connection from 80.*.*.*:57262                // here too

Worker: <0.200.0> 
[2022-01-30 21:17:15.994] ===== CLI -> SRV =====
GET / HTTP/1.1
Connection: keep-alive
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/avif, image/webp, image/apng, */*;q=0.8, application/signed-exchange;v=b3;q=0.9
Host: mydomain.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Cookie: pvisitor=cc2529f0-abf8-4e78-80d2-85908b25f227
Accept-Language: en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1


Worker: <0.200.0> 
[2022-01-30 21:17:15.996] ===== SRV -> CLI =====
HTTP/1.1 200 OK
Server: Yaws 2.1.0
Date: Sun, 30 Jan 2022 20:17:15 GMT
Content-Length: 46
Content-Type: text/html


Worker: <0.200.0> 
[2022-01-30 21:17:16.203] ===== CLI -> SRV =====
Connection: keep-alive
Accept: image/avif, image/webp, image/apng, image/svg+xml, image/*, */*;q=0.8
Host: mydomain.de
Referer: http://mydomain.de/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Cookie: pvisitor=cc2529f0-abf8-4e78-80d2-85908b25f227
Accept-Language: en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7
Accept-Encoding: gzip, deflate


Worker: <0.200.0> 
[2022-01-30 21:17:16.203] ===== SRV -> CLI =====
HTTP/1.1 405 Method Not Allowed
Server: Yaws 2.1.0
Date: Sun, 30 Jan 2022 20:17:16 GMT
Content-Length: 0
Content-Type: text/html

In your yaws.conf file, the keyfile parameter in the <ssl> block refers to a file with a .key suffix. According to the Erlang ssl module man page, that file should instead be in PEM format (i.e., a .pem file).

  • The ssl man page says that if you omit the keyfile parameter, it defaults to the same value as certfile, so you could try removing keyfile from your yaws.conf file and see if that helps.
  • If that doesn't work, you may need to convert your .key file to a .pem file; this answer describes how to do that.
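The answer turns on whether the files named in the <ssl> block are really PEM, and the question's own openssl s_client probe (EDIT 3) shows a reset before any certificate is sent. The script below is an added example, not code from the question, the answer or the Yaws project: it checks the PEM label of the key and certificate files, verifies that the two carry the same public key, and then probes the listener the way EDIT 3 does, but with -servername set to the <server> name, since the posted config enables sni and names the server mydomain.de. The file paths, address and host name are the placeholders from the question; the sample PEM fragments used for self-testing are constructed, not real key material.

```shell
#!/bin/sh
# Added diagnostic for a yaws.conf <ssl> block (example, not Yaws code).
# Paths, address and host name are placeholders taken from the question.

# Print the label of the first PEM block in a file, e.g. "PRIVATE KEY",
# "RSA PRIVATE KEY" or "CERTIFICATE"; prints nothing if the file is not PEM.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Return 0 when KEY looks like a PEM private key and CERT like a PEM
# certificate, 1 otherwise. Erlang's ssl application expects PEM for both,
# regardless of the file suffix.
check_pem_pair() {
    key_label=$(pem_label "$1")
    cert_label=$(pem_label "$2")
    case "$key_label" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "key $1: not a PEM private key (label: '${key_label:-none}')"
           return 1 ;;
    esac
    case "$cert_label" in
        CERTIFICATE) ;;
        *) echo "cert $2: not a PEM certificate (label: '${cert_label:-none}')"
           return 1 ;;
    esac
    return 0
}

# Return 0 when the private key and the certificate carry the same public
# key, 1 when they differ, 2 when openssl is not installed (check skipped).
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Probe HOST:PORT as in EDIT 3, but with SNI set to the <server> name so the
# request matches the virtual server the config declares.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>&1 \
        | grep -E 'errno|Cipher is|Verify return code'
}

# Run the checks only when invoked as "sh check-yaws-ssl.sh run".
if [ "${1:-}" = "run" ]; then
    check_pem_pair /etc/mydomain.key /etc/mydomain.pem || exit 1
    key_matches_cert /etc/mydomain.key /etc/mydomain.pem
    case $? in
        0) echo "key and certificate match" ;;
        1) echo "key and certificate do NOT match"; exit 1 ;;
        2) echo "openssl not found; skipping key/cert match" ;;
    esac
    probe_tls 192.168.178.75 443 mydomain.de
fi
```

A "write:errno=104" line from probe_tls is ECONNRESET, the same reset the browsers report; a successful handshake instead prints a cipher name and a verify return code. If check_pem_pair fails on the key file, the label list in the function is exactly what to compare the first line of the file against after converting it as the answer suggests.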