我可以通过 ssh 访问一个服务器,我想通过 https 在该服务器上托管我的网站。我使用的是 apache,到目前为止,该网站的 http 版本运行正常。
尝试 SSL 时,事情就不工作了。我根本无法加载 https 站点。我相信我已经将问题缩小到这样一个事实:对于外界来说,端口 443 似乎已关闭,如下图使用 nmap 所示。
matthias@outsideworld:~$ nmap domain.com
Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-11 15:13 GMT
Nmap scan report for domain.com (ip.is.here.yes)
Host is up (0.0097s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
但是如果我通过 ssh 在服务器上运行 nmap 之类的东西,看起来 443 是开放的,
matthias@server:~$ nmap domain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-11 15:12 GMT
Nmap scan report for domain.com (ip.is.here.yes)
Host is up (0.00036s latency).
rDNS record for ip.is.here.yes: domain.domain.com
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
更多细节
看起来 Apache 确实在监听 443,
matthias@server:~$ netstat -ln | grep -E ':80|443'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
如果我真的被难住了,我就不会问这个问题。我尝试使用 iptables 打开端口,但似乎也没有任何效果,而且 ufw 被禁用了。这是当前的iptables --list,但我也尝试了一些其他配置,但都无济于事。
matthias@server:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
最后但并非最不重要的一点是,这是我正在使用的 mysite.conf 文件。仅供参考,在使用笔记本电脑作为接入点的本地网络上使用时,此配置确实可以正确提供 https。
<VirtualHost *:80>
<If "req('Host') == '127.0.0.1'" >
Redirect "/" "https://local.domain.com/"
</If>
<ElseIf "req('Host') == 'localhost'" >
Redirect "/" "https://local.domain.com/"
</ElseIf>
<ElseIf "req('Host') == 'domain.com'" >
#Redirect "/" "https://domain.com/"
</ElseIf>
<Else>
Redirect "/" "https://ap.domain.com/"
</Else>
</VirtualHost>
IncludeOptional path-to/Local/etc/apache2/vhosts/*.conf
#NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin [email protected]
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile path-to-cert.crt
SSLCertificateKeyFile path-to-key.key
</IfModule>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
LogLevel info
ErrorLog path-to/Local/Log/error.log
CustomLog path-to/Local/Log/access.log combined
</VirtualHost>
<IfModule mpm_worker_module>
ServerLimit 40
StartServers 2
MaxRequestWorkers 1000
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
您可以在上面的 mysite.conf 中看到“IncludeOptional/*.conf”文件的所有内容,
WSGIDaemonProcess ourapp user=matthias group=matthias processes=2 threads=5
WSGIProcessGroup ourapp
WSGIPassAuthorization On
# The WSGI directory
<Directory path-to/Local/WSGI>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
Allow from all
</Directory>
# The Backend Stuff
WSGIScriptAlias /generate_204 path-to/Local/WSGI/backend_204.wsgi
# The Backend Stuff
WSGIScriptAlias /backend path-to/Local/WSGI/backend_db.wsgi
DocumentRoot path-to/website/app
<Directory path-to/website/app>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
Allow from all
</Directory>
Alias /rootCA.pem path-to/Local/etc/ssl/certs/rootCA.pem
<Directory path-to/Local/etc/ssl/certs>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
Allow from all
</Directory>
知道发生什么事了吗?
答案1
事实证明,确实是我的 ISP 没有打开端口 443。纠正之后,网站就可以正常运行了。