Ssl
Ubuntu Apache-Cant 使 SSL (https) 工作(超時無響應)
為新主機重新加密 SSL 使用相同的 site.conf 文件只是新的 *.crt(已驗證指向正確) apache 重新啟動無錯誤錯誤日誌顯示無錯誤(超時)埠 443 已打開
netstat -a | grep https tcp6 0 0 [::]:https [::]:* LISTEN netstat -lnp|grep 443 tcp6 0 0 :::443 :::* LISTEN 1644/apache2 ps waux |grep 1644 root 1644 0.0 0.4 418960 35564 ? Ss 23:32 0:00 /usr/sbin/apache2 -k start
並在編輯我的 ports.conf 文件以顯示 IPv4 之後:
<IfModule ssl_module> Listen my.server.ip.add:443 </IfModule> <IfModule mod_gnutls.c> Listen my.server.ip.add:443 </IfModule>
netstat -lnp | grep 443
tcp 0 0 my.server.ip.add:443 0.0.0.0:* LISTEN 24821/apache2
ps waux |grep 24821
root 24821 0.0 0.4 418960 35896 ? Ss 18:50 0:00 /usr/sbin/apache2 -k start
nmap 範例 ip
Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-19 16:49 EDT Nmap scan report for example.exampleserver.com (example ip) Host is up (0.000032s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 443/tcp open https
這是我的文件
<IfModule mod_ssl.c> <VirtualHost my.ip:443> ServerAdmin webmaster@example.com ServerName example.com ServerAlias www.example.com DirectoryIndex index.html DocumentRoot /path/to/my/site ErrorLog /var/log/apache2/example.log CustomLog /var/log/apache2/example-access.log combined SSLEngine on SSLCertificateFile /path/to/ssl/example.crt SSLCertificateKeyFile /path/to/ssl/examaple.com.key SSLCertificateChainFile /path/to/ssl/gd_bundle-g2-g1.crt <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown <Directory /path/to/my/site> Options Indexes FollowSymLinks AllowOverride All Require all granted AddDefaultCharset On AddDefaultCharset utf-8 <Files *.html> ForceType text/html;charset=utf-8 </Files> </Directory> </VirtualHost> </IfModule>
這是我啟用的模組
ls /etc/apache2/mods-e* access_compat.load authn_core.load authz_user.load deflate.load expires.load mime.load negotiation.load setenvif.conf ssl.load alias.conf authn_file.load autoindex.conf dir.conf filter.load mpm_prefork.conf php7.0.conf setenvif.load status.conf alias.load authz_core.load autoindex.load dir.load headers.load mpm_prefork.load php7.0.load socache_shmcb.load status.load auth_basic.load authz_host.load deflate.conf env.load mime.conf negotiation.conf rewrite.load ssl.conf
證書文件的權限是 -rw-rw-r– –
nslookup example.com Server: 2001:578:3f::30 Address: 2001:578:3f::30#53 Non-authoritative answer: Name: example.com Address: my.v4.ip.add
編輯了我的 /etc/host 文件 nslookup 現在顯示 IPv4
nslookup example.com Server: some.v4..add Address: some.v4..add#53 Non-authoritative answer: Name: example.com Address: my.v4.ip.add
iptables -n -L
Chain INPUT (policy DROP) target prot opt source destination ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0 ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0 ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0 ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0 ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0 ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0 ufw-track-forward all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0 ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0 ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0 ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0 ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-after-forward (1 references) target prot opt source destination Chain ufw-after-input (1 references) target prot opt source destination ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST Chain ufw-after-logging-forward (1 references) target prot opt source destination LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-input (1 references) target prot opt source destination LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-output (1 references) target prot opt source destination Chain ufw-after-output (1 references) target prot opt source destination Chain ufw-before-forward (1 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-before-input (1 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-before-logging-forward (1 references) target prot opt source destination Chain ufw-before-logging-input (1 references) target prot opt source destination Chain ufw-before-logging-output (1 references) target prot opt source destination Chain ufw-before-output (1 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-logging-allow (0 references) target prot opt source destination LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] " Chain ufw-logging-deny (2 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-not-local (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 DROP all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-reject-forward (1 references) target prot opt source destination Chain ufw-reject-input (1 references) target prot opt source destination Chain ufw-reject-output (1 references) target prot opt source destination Chain ufw-skip-to-policy-forward (0 references) target prot opt source destination DROP all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-skip-to-policy-input (7 references) target prot opt source destination DROP all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-skip-to-policy-output (0 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-track-forward (1 references) target prot opt source destination Chain ufw-track-input (1 references) target prot opt source destination Chain ufw-track-output (1 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW Chain ufw-user-forward (1 references) target prot opt source destination Chain ufw-user-input (1 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80 Chain ufw-user-limit (0 references) target prot opt source destination LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] " REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain ufw-user-logging-forward (0 references) target prot opt source destination Chain ufw-user-logging-input (0 references) target prot opt source destination Chain ufw-user-logging-output (0 references) target prot opt source destination Chain ufw-user-output (1 references) target prot opt source destination
重新啟動 Apache2 服務時的日誌文件
[Sun Aug 20 18:50:55.777189 2017] [core:notice] [pid 1644] AH00051: child pid 23072 exit signal Segmentation fault (11), possible coredump in /etc/apache2 [Sun Aug 20 18:50:55.777276 2017] [mpm_prefork:notice] [pid 1644] AH00169: caught SIGTERM, shutting down [Sun Aug 20 18:50:56.802691 2017] [mpm_prefork:notice] [pid 24821] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations [Sun Aug 20 18:50:56.802777 2017] [core:notice] [pid 24821] AH00094: Command line: '/usr/sbin/apache2'
由於我創建了一個 nonSSL.conf 文件並指向相同的位置,因此在 http 上沒有 https 的站點仍然可以正常載入
你有防火牆問題。請輸入
ufw allow proto tcp port 443
並提供良好的 https 服務。此外,如果您想為 IPV4 和 IPV6 允許埠 443 proto tcp ,請檢查您是否已IPV6=yes
進入。/etc/default/ufw
netstat
命令顯示 apache 只監聽 IPv6 地址,而不是 IPv4。這就是你有連接錯誤的原因。檢查httpd
配置文件以啟用 IPv4。