Nginx

Nginx 沒有從遠端框外響應

  • March 6, 2020

我的網站(Django/nginx/gunicorn/mysql)託管在遠端機器上,執行良好,直到我出於某種原因決定重新啟動遠端機器。所以重新啟動後,在遠端框中我說它curl -IL -H -GET my.web.address工作正常。但是,當我從外部嘗試相同的命令時,它會報告curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address.

任何幫助表示讚賞。請在下面找到我檢查過的相關內容。

我使用的是 CentOS 7 系統。我主要使用本教程

nginx 正在監聽正確的埠

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3425/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3425/nginx: master

防火牆(見 ufw 結果)允許我的埠

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (SSH)               ALLOW IN    Anywhere                  
224.0.0.251 5353/udp (mDNS) ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
22/tcp (SSH (v6))          ALLOW IN    Anywhere (v6)             
ff02::fb 5353/udp (mDNS)   ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)

狀態

SELinux status: disabled

nmap檢查埠狀態的輸出

nmap -sT my.ip.address

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
3306/tcp open  mysql

的內容nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
   worker_connections  1024;
}


http {
   include       /etc/nginx/mime.types;
   default_type  application/octet-stream;

   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile        on;
   #tcp_nopush     on;

   keepalive_timeout  65;

   #gzip  on;

   include /etc/nginx/conf.d/*.conf;
}

我的伺服器塊nginx.conf

server {
   server_name my.ip.address my.web.address;
   error_log /srv/www/myweb/logs/error.log;
   access_log /srv/www/myweb/logs/access.log;
   charset utf-8;

   location /static/{
       alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
   }

   location /{
       proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
   }


   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
   if ($host = my.ip.address) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   if ($host = my.web.address) {
       return 301 https://$host$request_uri;
   } # managed by Certbot

     listen 80;
     server_name my.ip.address my.web.address;
   return 404; # managed by Certbot

}

我檢查了我的 sock 文件權限,它們由各自的使用者正確啟動。文件權限設置正確。

gunicorn.service文件內容

[Unit]
Description=gunicorn daemon
After=network.target

[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application

[Install]
WantedBy=multi-user.target

同時,為了確保我的問題與 Lets 加密伺服器證書無關,我對我的問題進行了更改nginx.conf以僅使用 HTTP。

以下是curl -IL -GET my.domain.name我在遠端機器上執行它時的輸出:

HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 06 Mar 2020 08:26:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7918
Connection: keep-alive
X-Frame-Options: SAMEORIGIN

在使用 IP 地址執行時,我得到與上面相同的輸出。

當我從筆記型電腦執行 curl 時,我得到了curl: (52) Empty reply from server包含域名和 IP 地址的響應。

我從筆記型電腦 ping 伺服器(都使用 IP 和域名),它們發送/接收數據包。域名與IP正確映射。我還使用驗證了它nslookup

由於我禁用了 HTTPS,TLS 版本並不重要,不是嗎?

此外,我使用 ufw 禁用了防火牆。的,我查了iptables -L規則。我是這個領域的新手,但對我來說,遠端伺服器的結果似乎旨在接受任何傳入的連接。

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

所以問題解決了!

問題是,不知何故,UFW 規則沒有更新 iptables 條目以允許埠 80/443。

我使用以下命令手動修改了它。

iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

引用自:https://serverfault.com/questions/1005717