Nginx

IPv6 無法在帶有 nftables/nginx 的 Debian 11 上執行

  • April 4, 2022

我正在使用 nftables 0.9.8 的 Debian 11 系統上執行網路伺服器(nginx 1.21.6)。我的 nftables 配置是:

table inet filter {
chain input {
 type filter hook input priority filter; policy drop;
           ip saddr @spamhaus4 counter packets 0 bytes 0 drop
           ip6 saddr @spamhaus6 counter packets 0 bytes 0 drop
           meta l4proto tcp meta nfproto ipv4 ip saddr @abused counter packets 0 bytes 0 drop
           ip daddr 46.38.148.0-46.38.151.255 drop
           iif "lo" log group 2 accept
           iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
           iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
           ct state established,related log group 2 accept
           ct state invalid counter packets 47 bytes 2572 drop
           tcp dport { 25, 80, 143, 443, 587, 2772, 9980, 45907 } log group 2 accept
           ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } log group 2 accept
           ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept
           ip6 nexthdr ipv6-icmp log group 2 accept
           counter packets 2686 bytes 421604 drop
   }

   chain IPSinput {
           type filter hook input priority filter + 10; policy drop;
           counter packets 88448 bytes 15799025 queue num 0-3 bypass,fanout
   }

   chain forward {
           type filter hook forward priority filter; policy drop;
   }

   chain output {
           type filter hook output priority filter; policy accept;
   }

   chain IPSoutput {
           type filter hook output priority filter + 10; policy drop;
           counter packets 76196 bytes 201278628 queue num 0-3 bypass,fanout
   }
  }

nftables 防火牆工作正常。

但是,我的 nginx 伺服器無法通過 IPv6 訪問。我使用了不同的 IPv6 檢查工具(例如https://ipv6-test.com/validate.php)並且Qualys ssltest無法通過 IPv6 訪問伺服器,但是 IPv4 工作正常。我在每個 nginx 伺服器中都包含了listen [::]:80;(resp.指令。並給出了listen [::]:443;``netstat -anlp |grep nginx

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 192.168.42.98:443       93.104.163.178:39001    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:39368    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:43086    VERBUNDEN   48847/nginx: worker
tcp6       0      0 :::80                   :::*                    LISTEN      48846/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160451   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160453   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160450   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160448   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160452   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160446   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160449   48846/nginx: master

在我的路由器上,我也啟動了 IPv6。

有誰知道問題出在哪裡?

感謝@Zoredache 對我的問題的評論,我試圖ping 主機的IPv6 地址。它只在我的家庭網路中工作。當我嘗試通過subnetOnline或其他站點 ping 它時,它不起作用。

然後我在 unix.stackoverflow.com 中找到了這個答案:https ://unix.stackexchange.com/a/443380/520989 。我編輯了/etc/dhcpcd.conf文件並替換slaac privateslaac hwaddr. 讓我的路由器(Fritzbox 7583)忘記以前的配置並重新啟動我的伺服器,確實解決了我的問題!我的伺服器現在可以通過 IPv6(也是 nginx)完全訪問!

引用自:https://serverfault.com/questions/1097728