Nginx
Cannot access https even though port 443 is open
This is my first time setting up a server, and I have just installed an SSL certificate. I also made some changes to iptables to allow access to 443. Below is the output of iptables -L
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
I also checked with nmap, by sshing into the server and running nmap from the server itself.
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-15 15:31 SGT
Nmap scan report for <my.domain.ip>
Host is up (0.0000050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
3005/tcp open  deslogin
3031/tcp open  epic
When I try telnet
telnet <my.domain.ip> 443
Trying <my.domain.ip>...
telnet: connect to address <my.domain.ip>: Connection refused
telnet: Unable to connect to remote host
Finally, I don't know whether nginx.conf plays a part, but below is the snippet for the domain's ssl
#include /etc/nginx/conf.d/*.conf;

server {
    listen <my.domain.ip>:80;
    server_name mydomain.com www.mydomain.com;
    index index.html index.htm index.py;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;
    root /home/fr/;
    charset utf-8;

    #error_page 500 502 503 504 /custom_50x.html;
    #location = /custom_50x.html {
    #    internal;
    #}

    location / {
        uwsgi_pass <my.domain.ip>:3031;
        include uwsgi_params;
    }
    location /static {
        root /home/fr/env/FRuler/fruler/;
    }
}

### for ssl ###
server {
    listen <my.domain.ip>:80;
    server_name mydomain.com www.mydomain.com;
    index index.html index.htm index.py;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;
    root /home/fr/;
    charset utf-8;

    location / {
        uwsgi_pass <my.domain.ip>:3031;
        include uwsgi_params;
    }
    location /static {
        root /home/fr/env/FRuler/fruler/;
    }
}

server {
    listen 443 ssl;
    server_name mydomain.com www.mydomain.com;
    ssl on;
    ssl_certificate /etc/ssl/mydomain/ssl.crt;
    ssl_certificate_key /etc/ssl/mydomain/server.key;
    server_name mydomain www.mydomain.com;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;

    location / {
        root /home/fr/;
        index index.html;
    }
}
### end of ssl ###
Any help is appreciated.
Order matters in iptables; the rules are traversed in sequence.
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
Once everything has been rejected, the later rule that opens port 443 for HTTPS can never be reached and has no effect. Your general reject rule should come last.
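As an added illustration (not part of the original answer), the following Python model walks the chain from the question with first-match semantics, then with the catch-all REJECT moved last. It assumes the bare ACCEPT all line is the usual loopback rule (-i lo), which iptables -L hides unless run with -v; that assumption also accounts for nmap on the server itself reporting 443 open while the remote telnet was refused.

```python
# Added example, not code from the original post: first-match evaluation of the
# INPUT chain from the question. Only protocol, conntrack state, destination port
# and input interface are modelled. The bare "ACCEPT all" line is assumed to be
# the usual "-i lo" loopback rule, which `iptables -L` hides unless run with -v.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or REJECT
    proto: str = "all"                       # tcp, udp, icmp or all
    states: Optional[FrozenSet[str]] = None  # required conntrack states
    dport: Optional[int] = None              # required destination port
    iface: Optional[str] = None              # required input interface

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and (self.states is None or pkt["state"] in self.states)
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.iface is None or self.iface == pkt["iface"]))

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy  # nothing matched: the chain policy applies

NEW = frozenset({"NEW"})
POSTED_CHAIN = [  # same order as the iptables -L output in the question
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", "tcp", NEW, 80),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", iface="lo"),            # assumed loopback rule
    Rule("ACCEPT", "tcp", NEW, 22),
    Rule("ACCEPT", "tcp", NEW, 25),
    Rule("ACCEPT", "udp", NEW, 25),
    Rule("ACCEPT", "tcp", dport=465),      # urd is 465/tcp in /etc/services
    Rule("REJECT"),                        # catch-all placed too early
    Rule("ACCEPT", "tcp", NEW, 443),       # never reached
]

def reject_last(chain):
    """The fix from the answer: move every catch-all REJECT to the end."""
    return ([r for r in chain if r.target != "REJECT"]
            + [r for r in chain if r.target == "REJECT"])

# Constructed packets: an HTTPS SYN arriving from outside, and the same SYN over
# loopback (which is what an nmap run on the server itself exercises).
REMOTE_HTTPS = {"proto": "tcp", "state": "NEW", "dport": 443, "iface": "eth0"}
LOCAL_HTTPS = dict(REMOTE_HTTPS, iface="lo")
```

Running verdict(POSTED_CHAIN, REMOTE_HTTPS) gives REJECT, while the loopback packet and the reordered chain both give ACCEPT; the same point can be checked on a real host with iptables -L -v -n --line-numbers, which shows interfaces and rule positions.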