Ssl

Ubuntu Apache - Can't get SSL (https) working (timeout, no response)

  • August 21, 2017

Renewing the SSL certificate for a new host, using the same site.conf file with only a new *.crt (verified that it points to the correct one). Apache restarts with no errors, the error log shows no errors (just a timeout), and port 443 is open.

netstat -a | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN   

netstat -lnp|grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      1644/apache2

ps waux |grep 1644
root      1644  0.0  0.4 418960 35564 ?        Ss   23:32   0:00 /usr/sbin/apache2 -k start

And after editing my ports.conf file to listen on IPv4:

<IfModule ssl_module>
       Listen my.server.ip.add:443
</IfModule>

<IfModule mod_gnutls.c>
       Listen my.server.ip.add:443
</IfModule>

netstat -lnp | grep 443

tcp        0      0 my.server.ip.add:443      0.0.0.0:*               LISTEN      24821/apache2 

ps waux |grep 24821

root     24821  0.0  0.4 418960 35896 ?        Ss   18:50   0:00 /usr/sbin/apache2 -k start

nmap example ip

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-19 16:49 EDT
   Nmap scan report for example.exampleserver.com (example ip)
   Host is up (0.000032s latency).
   Not shown: 996 closed ports
   PORT    STATE SERVICE
   22/tcp  open  ssh
   25/tcp  open  smtp
   80/tcp  open  http
   443/tcp open  https

Here is my file

<IfModule mod_ssl.c>
<VirtualHost my.ip:443>
        ServerAdmin webmaster@example.com
        ServerName example.com
        ServerAlias www.example.com
        DirectoryIndex index.html
        DocumentRoot /path/to/my/site
        ErrorLog /var/log/apache2/example.log
        CustomLog /var/log/apache2/example-access.log combined

        SSLEngine on
        SSLCertificateFile /path/to/ssl/example.crt
        SSLCertificateKeyFile /path/to/ssl/examaple.com.key
        SSLCertificateChainFile /path/to/ssl/gd_bundle-g2-g1.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        <Directory /path/to/my/site>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
                AddDefaultCharset On
                AddDefaultCharset utf-8

                <Files *.html>
                        ForceType text/html;charset=utf-8
                </Files>
        </Directory>
</VirtualHost>
</IfModule>

Here are my enabled modules

   ls /etc/apache2/mods-e*
access_compat.load  authn_core.load  authz_user.load  deflate.load  expires.load  mime.load         negotiation.load  setenvif.conf       ssl.load
alias.conf          authn_file.load  autoindex.conf   dir.conf      filter.load   mpm_prefork.conf  php7.0.conf       setenvif.load       status.conf
alias.load          authz_core.load  autoindex.load   dir.load      headers.load  mpm_prefork.load  php7.0.load       socache_shmcb.load  status.load
auth_basic.load     authz_host.load  deflate.conf     env.load      mime.conf     negotiation.conf  rewrite.load      ssl.conf

The permissions on the certificate files are -rw-rw-r--

nslookup example.com
Server:     2001:578:3f::30
Address:    2001:578:3f::30#53

Non-authoritative answer:
Name:   example.com
Address: my.v4.ip.add

Edited my /etc/hosts file; nslookup now shows IPv4

nslookup example.com
   Server:     some.v4..add
   Address:    some.v4..add#53

   Non-authoritative answer:
   Name:   example.com
   Address: my.v4.ip.add

iptables -n -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ufw-skip-to-policy-input  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ufw-skip-to-policy-input  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ufw-skip-to-policy-input  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ufw-user-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ufw-not-local  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:1900
ufw-user-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:80

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination 

Log file when restarting the Apache2 service

[Sun Aug 20 18:50:55.777189 2017] [core:notice] [pid 1644] AH00051: child pid 23072 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sun Aug 20 18:50:55.777276 2017] [mpm_prefork:notice] [pid 1644] AH00169: caught SIGTERM, shutting down
[Sun Aug 20 18:50:56.802691 2017] [mpm_prefork:notice] [pid 24821] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Aug 20 18:50:56.802777 2017] [core:notice] [pid 24821] AH00094: Command line: '/usr/sbin/apache2'

Since I created a nonSSL.conf file pointing to the same location, the site still loads fine over http, just not over https.

You have a firewall problem. Enter `ufw allow proto tcp port 443` and serve https happily. Also, if you want port 443 proto tcp allowed for both IPv4 and IPv6, check that you have `IPV6=yes` in /etc/default/ufw.
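As an added illustration (not part of the original answer or of ufw), the POSIX shell functions below parse an `iptables -n -L` listing and report which TCP destination ports a given chain ACCEPTs, so a missing 443 rule stands out before anything is changed. The listing used here is a constructed sample that reproduces the question's `ufw-user-input` chain (ports 22 and 80 only); the function names `accepted_tcp_ports` and `port_allowed` are this example's own.

```shell
#!/bin/sh
# Constructed sample: the ufw-user-input chain as shown in the question's
# iptables -n -L output, plus the start of the next chain so the parser
# has to stop at a chain boundary.
SAMPLE_RULES='Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:80

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "'

# Print, one per line, the TCP destination ports ACCEPTed in chain $1.
# Reads an `iptables -n -L` listing on stdin.
# Usage: printf '%s\n' "$listing" | accepted_tcp_ports CHAIN
accepted_tcp_ports() {
    awk -v chain="$1" '
        # A "Chain NAME (...)" header switches the parser into or out of the chain
        /^Chain / { in_chain = ($2 == chain); next }
        # Inside the chain, keep only ACCEPT rules for tcp and pull the dpt:N field
        in_chain && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }'
}

# Exit 0 if TCP port $2 is ACCEPTed in chain $1, 1 otherwise (listing on stdin).
# Usage: printf '%s\n' "$listing" | port_allowed CHAIN PORT
port_allowed() {
    accepted_tcp_ports "$1" | grep -qx "$2"
}

# Live use on the host, as in the question (not run here):
#   sudo iptables -n -L | port_allowed ufw-user-input 443 || echo "tcp/443 not allowed by ufw"
```

On the host you pipe the live listing in instead of `SAMPLE_RULES`, and once `ufw allow proto tcp port 443` has been applied the check passes. When `IPV6=yes` is set, ufw keeps a separate IPv6 rule set whose user chain is `ufw6-user-input`, so run the same check against `ip6tables -n -L` to confirm both address families are open.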

The `netstat` command shows Apache listening only on the IPv6 address, not IPv4. That is why you get connection errors. Check the `httpd` configuration file to enable IPv4.

Source: https://serverfault.com/questions/869531