Nginx
IPv6 無法在帶有 nftables/nginx 的 Debian 11 上執行
我正在使用 nftables 0.9.8 的 Debian 11 系統上執行網路伺服器(nginx 1.21.6)。我的 nftables 配置是:
table inet filter { chain input { type filter hook input priority filter; policy drop; ip saddr @spamhaus4 counter packets 0 bytes 0 drop ip6 saddr @spamhaus6 counter packets 0 bytes 0 drop meta l4proto tcp meta nfproto ipv4 ip saddr @abused counter packets 0 bytes 0 drop ip daddr 46.38.148.0-46.38.151.255 drop iif "lo" log group 2 accept iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback" iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback" ct state established,related log group 2 accept ct state invalid counter packets 47 bytes 2572 drop tcp dport { 25, 80, 143, 443, 587, 2772, 9980, 45907 } log group 2 accept ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } log group 2 accept ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept ip6 nexthdr ipv6-icmp log group 2 accept counter packets 2686 bytes 421604 drop } chain IPSinput { type filter hook input priority filter + 10; policy drop; counter packets 88448 bytes 15799025 queue num 0-3 bypass,fanout } chain forward { type filter hook forward priority filter; policy drop; } chain output { type filter hook output priority filter; policy accept; } chain IPSoutput { type filter hook output priority filter + 10; policy drop; counter packets 76196 bytes 201278628 queue num 0-3 bypass,fanout } }
nftables 防火牆工作正常。
但是,我的 nginx 伺服器無法通過 IPv6 訪問。我使用了不同的 IPv6 檢查工具(例如https://ipv6-test.com/validate.php)並且Qualys ssltest無法通過 IPv6 訪問伺服器,但是 IPv4 工作正常。我在每個 nginx 伺服器中都包含了
listen [::]:80;
(resp.指令。並給出了listen [::]:443;``netstat -anlp |grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 48846/nginx: master tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 48846/nginx: master tcp 0 0 192.168.42.98:443 93.104.163.178:39001 VERBUNDEN 48847/nginx: worker tcp 0 0 192.168.42.98:443 93.104.163.178:39368 VERBUNDEN 48847/nginx: worker tcp 0 0 192.168.42.98:443 93.104.163.178:43086 VERBUNDEN 48847/nginx: worker tcp6 0 0 :::80 :::* LISTEN 48846/nginx: master tcp6 0 0 :::443 :::* LISTEN 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160451 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160453 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160450 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160448 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160452 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160446 48846/nginx: master unix 3 [ ] STREAM VERBUNDEN 160449 48846/nginx: master
在我的路由器上,我也啟動了 IPv6。
有誰知道問題出在哪裡?
感謝@Zoredache 對我的問題的評論,我試圖ping 主機的IPv6 地址。它只在我的家庭網路中工作。當我嘗試通過subnetOnline或其他站點 ping 它時,它不起作用。
然後我在 unix.stackoverflow.com 中找到了這個答案:https ://unix.stackexchange.com/a/443380/520989 。我編輯了
/etc/dhcpcd.conf
文件並替換slaac private
為slaac hwaddr
. 讓我的路由器(Fritzbox 7583)忘記以前的配置並重新啟動我的伺服器,確實解決了我的問題!我的伺服器現在可以通過 IPv6(也是 nginx)完全訪問!