Nginx

Cannot access https even though port 443 is open

  • April 16, 2016

This is my first time setting up a server, and I have just installed an SSL certificate. I also made some changes to iptables to allow access to 443. Below is the output of iptables -L

target     prot opt source         destination
ACCEPT     all  --  anywhere       anywhere        state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:http
ACCEPT     icmp --  anywhere       anywhere
ACCEPT     all  --  anywhere       anywhere
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere       anywhere        state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere       anywhere        tcp dpt:urd
REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

I also checked with nmap by ssh-ing into the server and running nmap from the server itself.

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-15 15:31 SGT
Nmap scan report for <my.domain.ip>
Host is up (0.0000050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
3005/tcp open  deslogin
3031/tcp open  epic

When I try telnet

$ telnet <my.domain.ip> 443

Trying <my.domain.ip>...
telnet: connect to address <my.domain.ip>: Connection refused
telnet: Unable to connect to remote host

Finally, I don't know whether nginx.conf plays a part, but below is the snippet for the domain's ssl

#include /etc/nginx/conf.d/*.conf;

server {
   listen          <my.domain.ip>:80;
   server_name     mydomain.com www.mydomain.com;
   index           index.html index.htm index.py;
   access_log      /var/log/nginx/mydomain.com.log;
   error_log       /var/log/nginx/mydomain.log.error;
   root            /home/fr/;
   charset         utf-8;

   #error_page 500 502 503 504 /custom_50x.html;
   #location = /custom_50x.html {
   #        internal;
   #}

   location / {
       uwsgi_pass  <my.domain.ip>:3031;
       include     uwsgi_params;
   }

   location /static {
       root        /home/fr/env/FRuler/fruler/;
   }
}

### for ssl  ###
server {
   listen          <my.domain.ip>:80;
   server_name     mydomain.com www.mydomain.com;
   index           index.html index.htm index.py;
   access_log      /var/log/nginx/mydomain.com.log;
   error_log       /var/log/nginx/mydomain.log.error;
   root            /home/fr/;
   charset         utf-8;


   location / {
       uwsgi_pass  <my.domain.ip>:3031;
       include     uwsgi_params;
   }

   location /static {
       root        /home/fr/env/FRuler/fruler/;
   }
}

server {
   listen 443 ssl;
   server_name     mydomain.com www.mydomain.com;
   ssl on;
   ssl_certificate /etc/ssl/mydomain/ssl.crt;
   ssl_certificate_key /etc/ssl/mydomain/server.key;
   server_name mydomain www.mydomain.com;
   access_log  /var/log/nginx/mydomain.com.log;
   error_log   /var/log/nginx/mydomain.log.error;
   location / {
       root /home/fr/;
       index index.html;
   }
}
### end of ssl ###

Any help is appreciated.

Order matters in iptables; the rules are traversed sequentially.

REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

Once everything has been rejected, the later rule that opens port 443 for HTTPS can never be reached and has no effect. Your general reject rule should come last.

Source: https://serverfault.com/questions/770525
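The first-match behaviour the answer describes can be checked without touching a live firewall. The following is an added example, not code from the question, the answer or serverfault: it models the INPUT chain exactly as listed in the question, evaluates a new TCP connection to port 443 against it, and shows that moving the catch-all REJECT to the end is what makes the HTTPS rule reachable. Two assumptions are made because iptables -L hides them: the bare "ACCEPT all" rule is treated as the loopback (-i lo) rule of the stock CentOS ruleset, and the service name "urd" is mapped to port 465 as in /etc/services. The rule and packet types, the simulator and the lint for shadowed rules are all constructed for this example.

```python
"""Simulate iptables INPUT-chain evaluation for the ruleset in the question.

Added example: models first-match semantics of a chain, shows why the
ACCEPT rule for tcp/443 placed after an unconditional REJECT never fires,
and demonstrates the fix (general reject last).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT / REJECT / DROP
    proto: str = "all"                  # all / tcp / udp / icmp
    dport: Optional[int] = None         # destination port; None = any
    states: frozenset = frozenset()     # conntrack states; empty = any
    in_iface: Optional[str] = None      # input interface; None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    state: str                          # NEW / ESTABLISHED / RELATED
    in_iface: str                       # e.g. "eth0" or "lo"


# Constructed transcription of the `iptables -L` output in the question,
# in the same order. Position 4 is assumed to be `-i lo` (hidden by -L);
# "urd" is assumed to be tcp/465 per /etc/services.
QUESTION_CHAIN: List[Rule] = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", "tcp", 80, frozenset({"NEW"})),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", "tcp", 22, frozenset({"NEW"})),
    Rule("ACCEPT", "tcp", 25, frozenset({"NEW"})),
    Rule("ACCEPT", "udp", 25, frozenset({"NEW"})),
    Rule("ACCEPT", "tcp", 465),
    Rule("REJECT"),                                   # reject-with icmp-host-prohibited
    Rule("ACCEPT", "tcp", 443, frozenset({"NEW"})),  # never reached
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion of the rule applies to the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[Optional[int], str]:
    """First matching rule decides; return (1-based rule number, target).
    Falls back to the chain policy when nothing matches."""
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return number, rule.target
    return None, policy


def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b would match."""
    return ((a.proto == "all" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and (not a.states or (bool(b.states) and b.states <= a.states))
            and (a.in_iface is None or a.in_iface == b.in_iface))


def find_shadowed(chain: List[Rule]) -> List[Tuple[int, int]]:
    """Lint: list (rule, shadowing_rule) pairs where an earlier rule makes a
    later one unreachable. Generalises the answer's point to any ordering."""
    shadowed = []
    for i, later in enumerate(chain, start=1):
        for j, earlier in enumerate(chain[: i - 1], start=1):
            if covers(earlier, later):
                shadowed.append((i, j))
                break
    return shadowed


def move_catch_all_reject_last(chain: List[Rule]) -> List[Rule]:
    """Apply the answer's fix: unconditional REJECT/DROP rules go to the end,
    everything else keeps its relative order."""
    catch_all = [r for r in chain
                 if r.target in ("REJECT", "DROP") and r.proto == "all"
                 and r.dport is None and not r.states and r.in_iface is None]
    rest = [r for r in chain if r not in catch_all]
    return rest + catch_all


if __name__ == "__main__":
    https_from_outside = Packet("tcp", 443, "NEW", "eth0")
    print("as posted :", evaluate(QUESTION_CHAIN, https_from_outside))   # (9, 'REJECT')
    print("shadowed  :", find_shadowed(QUESTION_CHAIN))                 # [(10, 9)]
    fixed = move_catch_all_reject_last(QUESTION_CHAIN)
    print("after fix :", evaluate(fixed, https_from_outside))           # (9, 'ACCEPT')
```

On the real box the same reordering is done by deleting the reject rule and re-appending it, so it ends up last: iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited, then iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited (or, equivalently, inserting the HTTPS rule ahead of it with iptables -I INPUT 9 ...). Verify with iptables -L --line-numbers that ACCEPT for https now sits above the REJECT, then persist the ruleset with your distribution's mechanism (service iptables save on CentOS 6). Note that the simulator also explains the nmap result in the question: a scan run on the server itself enters through lo and is accepted by rule 4, so "443/tcp open" from localhost says nothing about what an external client sees.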