无法在 Ubuntu 服务器上使用 apache2 运行 SSL,端口 443 似乎未打开

无法在 Ubuntu 服务器上使用 apache2 运行 SSL,端口 443 似乎未打开

我可以通过 ssh 访问一个服务器,我想通过 https 在该服务器上托管我的网站。我使用的是 apache,到目前为止,该网站的 http 版本运行正常。

尝试 SSL 时,事情就不工作了。我根本无法加载 https 站点。我相信我已经将问题缩小到这样一个事实:对于外界来说,端口 443 似乎已关闭,如下图使用 nmap 所示。

matthias@outsideworld:~$ nmap domain.com

Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-11 15:13 GMT
Nmap scan report for domain.com (ip.is.here.yes)
Host is up (0.0097s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

但是如果我通过 ssh 在服务器上运行 nmap 之类的东西,看起来 443 是开放的,

matthias@server:~$ nmap domain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-11 15:12 GMT
Nmap scan report for domain.com (ip.is.here.yes)
Host is up (0.00036s latency).
rDNS record for ip.is.here.yes: domain.domain.com
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

更多细节

看起来 Apache 确实在监听 443,

matthias@server:~$ netstat -ln | grep -E ':80|443'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

如果我真的被难住了,我就不会问这个问题。我尝试使用 iptables 打开端口,但似乎也没有任何效果,而且 ufw 被禁用了。这是当前的iptables --list,但我也尝试了一些其他配置,但都无济于事。

matthias@server:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere 

最后但并非最不重要的一点是,这是我正在使用的 mysite.conf 文件。仅供参考,在使用笔记本电脑作为接入点的本地网络上使用时,此配置确实可以正确提供 https。

<VirtualHost *:80>
    <If "req('Host') == '127.0.0.1'" >
        Redirect "/" "https://local.domain.com/"
    </If>
    <ElseIf "req('Host') == 'localhost'" >
        Redirect "/" "https://local.domain.com/"
    </ElseIf>
    <ElseIf "req('Host') == 'domain.com'" >
        #Redirect "/" "https://domain.com/"
    </ElseIf>
    <Else>
            Redirect "/" "https://ap.domain.com/"
    </Else>
</VirtualHost>

IncludeOptional path-to/Local/etc/apache2/vhosts/*.conf
#NameVirtualHost *:443 

<VirtualHost *:443>
    ServerAdmin [email protected]
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile path-to-cert.crt
        SSLCertificateKeyFile path-to-key.key
    </IfModule>     

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    LogLevel info
    ErrorLog path-to/Local/Log/error.log
    CustomLog path-to/Local/Log/access.log combined

</VirtualHost>

<IfModule mpm_worker_module>
    ServerLimit          40
    StartServers          2
    MaxRequestWorkers   1000
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

您可以在上面的 mysite.conf 中看到“IncludeOptional/*.conf”文件的所有内容,

WSGIDaemonProcess ourapp user=matthias group=matthias processes=2 threads=5
WSGIProcessGroup ourapp
WSGIPassAuthorization On

# The WSGI directory
<Directory path-to/Local/WSGI>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
    Allow from all
</Directory>

# The Backend Stuff
WSGIScriptAlias /generate_204 path-to/Local/WSGI/backend_204.wsgi
# The Backend Stuff
WSGIScriptAlias /backend path-to/Local/WSGI/backend_db.wsgi
DocumentRoot path-to/website/app

<Directory path-to/website/app>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
    Allow from all
</Directory>

Alias /rootCA.pem path-to/Local/etc/ssl/certs/rootCA.pem

<Directory path-to/Local/etc/ssl/certs>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
    Allow from all
</Directory>

知道发生什么事了吗?

答案1

事实证明,确实是我的 ISP 没有打开端口 443。纠正之后,网站就可以正常运行了。

相关内容