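I am setting up Apache on my router (I have installed Tomato on the router, a custom Linux-based firmware package). I have successfully installed Apache and believe I have configured it correctly, but I cannot load the default "It works!" page.
After running netstat, I can see the value in the "Recv-Q" column increasing every time I try to access the served files through a browser, but Apache does not seem to, or cannot, respond to the requests. Tailing the Apache error_log yields nothing either.
Does anyone see anything obviously wrong, or have suggestions on how to get things working? Is there any other useful information I can provide?
Sample netstat output (see the 5th entry, with the address ":::www"):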
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:52698 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1338 0.0.0.0:* LISTEN
tcp 4 0 :::www :::* LISTEN
tcp 0 0 :::domain :::* LISTEN
tcp 0 0 :::ssh :::* LISTEN
tcp 0 0 :::telnet :::* LISTEN
tcp 0 0 localhost:52698 :::* LISTEN
tcp 0 0 :::1338 :::* LISTEN
udp 0 0 localhost:38032 0.0.0.0:*
udp 0 0 0.0.0.0:5038 0.0.0.0:*
udp 0 0 0.0.0.0:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 0.0.0.0:60648 0.0.0.0:*
udp 0 0 0.0.0.0:49518 0.0.0.0:*
udp 0 0 0.0.0.0:38000 0.0.0.0:*
udp 0 0 :::domain :::*
raw 0 0 0.0.0.0:255 0.0.0.0:* 255
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 13850 /opt/var/apache2/run/cgisock.1325
Contents of the Apache error_log:
[Wed Feb 13 16:05:16 2013] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 13 16:05:16 2013] [notice] Digest: done
[Wed Feb 13 16:05:16 2013] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Feb 13 16:05:16 2013] [info] LDAP: SSL support available
[Wed Feb 13 16:05:16 2013] [info] mod_unique_id: using ip addr 192.168.253.1
[Wed Feb 13 16:05:17 2013] [notice] Apache/2.2.20 (Unix) DAV/2 configured -- resuming normal operations
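Update: Even though I have opened port 80 (and 443), the firewall appears to be blocking incoming requests.
Firewall message (address information sanitized; x = local, y = remote):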
Feb 13 16:53:15 UBERnet user.warn kernel: DROP IN=vlan2 OUT= MACSRC=xx:xx:xx:xx:xx:xx MACDST=yy:yy:yy:yy:yy:yy MACPROTO=0800 SRC=yyy.yyy.yyy.yyy DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=57 ID=48272 DF PROTO=TCP SPT=43229 DPT=80 SEQ=3727060622 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056404020000)
iptables -L output:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
shlimit tcp -- anywhere anywhere tcp dpt:1338 state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:1337
ACCEPT tcp -- anywhere anywhere tcp dpt:1338
logdrop all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:www
Chain FORWARD (policy DROP)
target prot opt source destination
all -- anywhere anywhere account: network/netmask: 192.168.253.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
monitor all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
wanin all -- anywhere anywhere
wanout all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain logdrop (2 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `DROP '
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `REJECT '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
Chain monitor (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere WEBMON --max_domains 1000 --max_searches 1000
Chain shlimit (2 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: shlimit side: source
logdrop all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
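Update: By the way, I was able to get lighttpd working just by adjusting iptables, so this appears to be a problem specific to the Apache configuration.
Answer 1
I don't know what the problem might be, but the next step could be to attach strace to the listening process (and its forks) and see what happens when a connection is attempted.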
strace -o apache.strace -f -p $PID
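This puts the results in the file apache.strace.
Answer 2
In the firewall's INPUT chain, the logdrop line kills your connection. It is a catch-all chain for dropping all unwanted traffic. Rule processing never reaches the web rules. You must move the ACCEPT rules above the logdrop rule.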
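The first-match behavior this answer describes can be checked mechanically. The script below is an added example, not part of the original answer: it reads `iptables -S` output and lists the rules that sit behind an unconditional terminating rule. The sample ruleset is constructed from the question's INPUT chain, and the interface names `lo` and `br0` are assumptions.

```shell
#!/bin/sh
# Added example: report rules that can never match because an earlier
# unconditional rule already ends processing (first match wins).
shadowed_rules() {  # usage: iptables -S | shadowed_rules INPUT
    awk -v chain="$1" '
    $1 == "-A" {
        n = ++count[$2]
        rule[$2, n] = $0
        # No match options before -j means the rule applies to every packet.
        if ($3 == "-j") uncond[$2, n] = $4
    }
    # True if the target ends processing: a builtin verdict, or a user
    # chain that itself contains an unconditional terminal rule.
    function terminal(t, depth,    i) {
        if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return 1
        if (depth > 8) return 0
        for (i = 1; i <= count[t]; i++)
            if ((t, i) in uncond && terminal(uncond[t, i], depth + 1)) return 1
        return 0
    }
    END {
        for (i = 1; i <= count[chain]; i++) {
            if (cut) {
                print "unreachable: " rule[chain, i]
            } else if ((chain, i) in uncond && terminal(uncond[chain, i], 0)) {
                cut = 1
                print "cut-off at rule " i ": " rule[chain, i]
            }
        }
    }'
}

sample_rules() {  # constructed sample, modelled on the question; lo/br0 assumed
    cat <<'EOF'
-P INPUT DROP
-N logdrop
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1338 -j ACCEPT
-A INPUT -j logdrop
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A logdrop -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "DROP "
-A logdrop -j DROP
EOF
}
sample_rules | shadowed_rules INPUT
```

Feed it `iptables -S` rather than `iptables -L`: without `-v` the listing omits interface matches, so an interface-restricted `ACCEPT all` rule can look unconditional.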
Answer 3
Something is wrong. Apache is only listening on IPv6. Could you change the Listen parameter in the Apache configuration file to
Listen 0.0.0.0:80
and then restart Apache. Run netstat again and make sure the output includes 0.0.0.0:www or something similar for IPv4.