NGINX SSL not responding over IPv6
On a Debian server with nginx, I get no response from the web server over HTTPS and IPv6. HTTP works fine.
- netstat reports port 443 listening on the IPv6 address
- The firewall is open, and ipv6scanner.com reports port 443 as open
- Locally (via terminal) wget and curl receive the correct response, so the nginx configuration is fine
- No sign of errors in the nginx error.log
- Nothing is logged in access.log when it fails, so the traffic probably never reaches the web server
- DNS is fine. Resolution works, and connecting directly to the IP address fails as well
Every attempt to connect from "outside" (i.e. from outside the network, from the Internet) fails (web browser, telnet, ipv6-test.com, curl ...). No response at all.
It can be tested at www.ekasparova.eu. I'm at a loss. What else can I check?
Edit:
The output of

    traceroute6 --mtu www.google.com

is as follows:

    traceroute to www.google.com (2a00:1450:4014:800::2004), 30 hops max, 65000 byte packets
     1  * F=1500 * *
     2  * * *
    ~
    30  * * *

So it never reaches the end...
Edit 2:
My ip6tables-save output (local firewall):
    # Generated by ip6tables-save v1.6.0 on Wed Oct 17 06:25:40 2018
    *filter
    :INPUT DROP [32:9320]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :ufw6-after-forward - [0:0]
    :ufw6-after-input - [0:0]
    :ufw6-after-logging-forward - [0:0]
    :ufw6-after-logging-input - [0:0]
    :ufw6-after-logging-output - [0:0]
    :ufw6-after-output - [0:0]
    :ufw6-before-forward - [0:0]
    :ufw6-before-input - [0:0]
    :ufw6-before-logging-forward - [0:0]
    :ufw6-before-logging-input - [0:0]
    :ufw6-before-logging-output - [0:0]
    :ufw6-before-output - [0:0]
    :ufw6-logging-allow - [0:0]
    :ufw6-logging-deny - [0:0]
    :ufw6-reject-forward - [0:0]
    :ufw6-reject-input - [0:0]
    :ufw6-reject-output - [0:0]
    :ufw6-skip-to-policy-forward - [0:0]
    :ufw6-skip-to-policy-input - [0:0]
    :ufw6-skip-to-policy-output - [0:0]
    :ufw6-track-forward - [0:0]
    :ufw6-track-input - [0:0]
    :ufw6-track-output - [0:0]
    :ufw6-user-forward - [0:0]
    :ufw6-user-input - [0:0]
    :ufw6-user-limit - [0:0]
    :ufw6-user-limit-accept - [0:0]
    :ufw6-user-logging-forward - [0:0]
    :ufw6-user-logging-input - [0:0]
    :ufw6-user-logging-output - [0:0]
    :ufw6-user-output - [0:0]
    -A INPUT -j ufw6-before-logging-input
    -A INPUT -j ufw6-before-input
    -A INPUT -j ufw6-after-input
    -A INPUT -j ufw6-after-logging-input
    -A INPUT -j ufw6-reject-input
    -A INPUT -j ufw6-track-input
    -A INPUT -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
    -A INPUT -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
    -A FORWARD -j ufw6-before-logging-forward
    -A FORWARD -j ufw6-before-forward
    -A FORWARD -j ufw6-after-forward
    -A FORWARD -j ufw6-after-logging-forward
    -A FORWARD -j ufw6-reject-forward
    -A FORWARD -j ufw6-track-forward
    -A FORWARD -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
    -A FORWARD -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
    -A OUTPUT -j ufw6-before-logging-output
    -A OUTPUT -j ufw6-before-output
    -A OUTPUT -j ufw6-after-output
    -A OUTPUT -j ufw6-after-logging-output
    -A OUTPUT -j ufw6-reject-output
    -A OUTPUT -j ufw6-track-output
    -A ufw6-after-input -p udp -m udp --dport 137 -j ufw6-skip-to-policy-input
    -A ufw6-after-input -p udp -m udp --dport 138 -j ufw6-skip-to-policy-input
    -A ufw6-after-input -p tcp -m tcp --dport 139 -j ufw6-skip-to-policy-input
    -A ufw6-after-input -p tcp -m tcp --dport 445 -j ufw6-skip-to-policy-input
    -A ufw6-after-input -p udp -m udp --dport 546 -j ufw6-skip-to-policy-input
    -A ufw6-after-input -p udp -m udp --dport 547 -j ufw6-skip-to-policy-input
    -A ufw6-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw6-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw6-before-forward -m rt --rt-type 0 -j DROP
    -A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A ufw6-before-forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A ufw6-before-forward -j ufw6-user-forward
    -A ufw6-before-input -i lo -j ACCEPT
    -A ufw6-before-input -m rt --rt-type 0 -j DROP
    -A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
    -A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j ACCEPT
    -A ufw6-before-input -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j ACCEPT
    -A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
    -A ufw6-before-input -d ff02::fb/128 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw6-before-input -d ff02::f/128 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw6-before-input -j ufw6-user-input
    -A ufw6-before-output -o lo -j ACCEPT
    -A ufw6-before-output -m rt --rt-type 0 -j DROP
    -A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-output -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m hl --hl-eq 1 -j ACCEPT
    -A ufw6-before-output -j ufw6-user-output
    -A ufw6-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw6-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw6-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw6-skip-to-policy-forward -j DROP
    -A ufw6-skip-to-policy-input -j DROP
    -A ufw6-skip-to-policy-output -j ACCEPT
    -A ufw6-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw6-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 20 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 21 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 25 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 53 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 110 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 143 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 587 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 993 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 995 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 8081 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 10000 -j ACCEPT
    -A ufw6-user-input -p udp -m udp --dport 53 -j ACCEPT
    -A ufw6-user-input -p tcp -m multiport --dports 29799:29899 -j ACCEPT
    -A ufw6-user-input -p udp -m udp --dport 25 -j ACCEPT
    -A ufw6-user-input -p tcp -m tcp --dport 8082 -j ACCEPT
    -A ufw6-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw6-user-limit -j REJECT --reject-with icmp6-port-unreachable
    -A ufw6-user-limit-accept -j ACCEPT
    COMMIT
    # Completed on Wed Oct 17 06:25:40 2018
Edit 3:
Thanks to everyone for the help, I was able to convince the data center operator that the problem was in their infrastructure. The problem was indeed in the MTU setting on the virtual router toward the Internet.
You have an MTU problem.
I ran

    wget -O /dev/null https://www.ekasparova.eu

while watching the traffic with tcpdump. This is what I saw:

    19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
    19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
    19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
    19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
    19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
    19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
    19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 {2857:3678}], length 0
The first 3 packets are the handshake. Both ends announce mss 1440, which means they are able to receive packets with a 1440-byte TCP payload, which once you count the headers adds up to 1500 bytes of IP traffic, the size Ethernet normally supports. The next 2 packets are the client hello and the acknowledgement that the server received it.
The last 2 packets are where it gets interesting. By default tcpdump shows relative sequence numbers, which in this case makes the capture easier to read. In the packet from the server, the interesting part is seq 2857:3678. We see a jump from 1 to 2857, which means the client has not yet received a gap of 2856 bytes. 2856 bytes corresponds to two 1428-byte packets. The difference between 1440 and 1428 is the size of the timestamp option. So the server sent the server hello in 3 packets. But the first two were too large for the network and were not delivered to the client.
In the final packet from client to server we see sack 1 {2857:3678}. This is a selective acknowledgement sent by the client, telling the server that there is a gap in the data it has received so far. The server will presumably send the two lost packets over and over again. But no matter how many times it retransmits those same two packets, they are still too large for the network. And presumably a router along the path sends an error message to the server telling it the packet is too big and needs to be retransmitted in smaller packets.
If the server received those error messages, it would retransmit in smaller packets as needed. And it would remember the smaller PMTU so that it does not have to repeat this discovery step on subsequent requests.
One possible explanation for all of this is that you have a misconfigured firewall that drops all the error messages telling your server it needs to retransmit the data in smaller packets.
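As an added example (not part of the answer above), the following Python script applies the same reasoning mechanically to tcpdump output: it tracks relative sequence numbers per direction, treats a jump as missing bytes, converts the gap to full-size segments using the mss 1440 and 12-byte timestamp option figures from the answer, and cross-checks the hole against the client's SACK block. The sample lines are copied from the capture above; the MSS and option size are the answer's figures, not values the script measures.

```python
import re
from dataclasses import dataclass

# Sample copied from the capture in the answer (handshake omitted, relative seq numbers).
SAMPLE = """\
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 {2857:3678}], length 0
"""

LINE = re.compile(r"^\S+ IP6 (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\]"
                  r"(?:, seq (?P<s0>\d+):(?P<s1>\d+))?.*?, length (?P<len>\d+)$")
SACK = re.compile(r"sack \d+ \{(?P<lo>\d+):(?P<hi>\d+)\}")
TS_OPTION_LEN = 12  # assumption from the answer: TS option plus padding eats 12 bytes of MSS

@dataclass
class Gap:
    sender: str        # endpoint whose data never arrived
    missing_from: int  # first missing relative seq byte
    missing_to: int    # last missing relative seq byte
    segments: int      # how many full-size segments the hole corresponds to
    sacked: bool       # True if the receiver reported the same hole via SACK

def find_gaps(capture: str, mss: int = 1440) -> list[Gap]:
    """Flag jumps in relative seq per sender; a jump means segments were lost in transit."""
    expected = {}  # sender -> next expected relative seq (tcpdump's data starts at 1)
    gaps = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src = m["src"]
        if m["s0"] is not None:
            s0, s1 = int(m["s0"]), int(m["s1"])
            nxt = expected.get(src, 1)
            if s0 > nxt:
                payload = mss - TS_OPTION_LEN  # 1428 bytes per data segment on this path
                gaps.append(Gap(src, nxt, s0 - 1, (s0 - nxt) // payload, False))
            expected[src] = max(nxt, s1)
        # A SACK block from the other side confirms the hole; its start must match.
        for sm in SACK.finditer(line):
            for g in gaps:
                if g.sender == m["dst"] and g.missing_to + 1 == int(sm["lo"]):
                    g.sacked = True
    return gaps
```

A hole that is an exact multiple of the per-segment payload and is confirmed by SACK, as here, is the signature of full-size segments being dropped while smaller ones get through.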