Nginx 沒有從遠端框外響應
我的網站(Django/nginx/gunicorn/mysql)託管在遠端機器上,執行良好,直到我出於某種原因決定重新啟動遠端機器。所以重新啟動後,在遠端框中我說它
curl -IL -H -GET my.web.address
工作正常。但是,當我從外部嘗試相同的命令時,它會報告curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address
.任何幫助表示讚賞。請在下面找到我檢查過的相關內容。
我使用的是 CentOS 7 系統。我主要使用本教程
nginx 正在監聽正確的埠
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3425/nginx: master tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3425/nginx: master
防火牆(見 ufw 結果)允許我的埠
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp (SSH) ALLOW IN Anywhere 224.0.0.251 5353/udp (mDNS) ALLOW IN Anywhere 22 ALLOW IN Anywhere 80 ALLOW IN Anywhere 443 ALLOW IN Anywhere 22/tcp (SSH (v6)) ALLOW IN Anywhere (v6) ff02::fb 5353/udp (mDNS) ALLOW IN Anywhere (v6) 22 (v6) ALLOW IN Anywhere (v6) 80 (v6) ALLOW IN Anywhere (v6) 443 (v6) ALLOW IN Anywhere (v6)
狀態
SELinux status: disabled
nmap
檢查埠狀態的輸出nmap -sT my.ip.address PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 443/tcp open https 3306/tcp open mysql
的內容
nginx.conf
user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; }
我的伺服器塊
nginx.conf
server { server_name my.ip.address my.web.address; error_log /srv/www/myweb/logs/error.log; access_log /srv/www/myweb/logs/access.log; charset utf-8; location /static/{ alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/; } location /{ proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = my.ip.address) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = my.web.address) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name my.ip.address my.web.address; return 404; # managed by Certbot }
我檢查了我的 sock 文件權限,它們由各自的使用者正確啟動。文件權限設置正確。
gunicorn.service
文件內容[Unit] Description=gunicorn daemon After=network.target [Service] User=user Group=nginx WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application [Install] WantedBy=multi-user.target
同時,為了確保我的問題與 Lets 加密伺服器證書無關,我對我的問題進行了更改
nginx.conf
以僅使用 HTTP。以下是
curl -IL -GET my.domain.name
我在遠端機器上執行它時的輸出:HTTP/1.1 200 OK Server: nginx/1.17.9 Date: Fri, 06 Mar 2020 08:26:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 7918 Connection: keep-alive X-Frame-Options: SAMEORIGIN
在使用 IP 地址執行時,我得到與上面相同的輸出。
當我從筆記型電腦執行 curl 時,我得到了
curl: (52) Empty reply from server
包含域名和 IP 地址的響應。我從筆記型電腦 ping 伺服器(都使用 IP 和域名),它們發送/接收數據包。域名與IP正確映射。我還使用驗證了它
nslookup
由於我禁用了 HTTPS,TLS 版本並不重要,不是嗎?
此外,我使用 ufw 禁用了防火牆。的,我查了
iptables -L
規則。我是這個領域的新手,但對我來說,遠端伺服器的結果似乎旨在接受任何傳入的連接。Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
所以問題解決了!
問題是,不知何故,UFW 規則沒有更新 iptables 條目以允許埠 80/443。
我使用以下命令手動修改了它。
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT