在我的 LAN 上,所有托管在 nginx 机器上的网站都可以正常加载。当在 LAN 之外时,它们通常根本不会加载,如果加载,则需要多次单击刷新按钮并花几分钟才能加载图像。带有 CSS 的页面似乎在 LAN 之外根本无法加载。当在 LAN 之外但连接到 VPN 时,一切正常。Nginx 错误日志未显示任何错误。来自 LAN 的请求和来自互联网的请求的访问日志看起来相同。
我在 Debian Wheezy 上运行 nginx 1.2.1
这是 nginx 配置:
# Main (top-level) context: worker processes run as the unprivileged
# www-data account; four workers; PID file for init/reload scripts.
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
# Connection-processing settings. 768 is the per-worker limit, so with the
# 4 workers above the server handles at most ~3072 simultaneous connections.
events {
worker_connections 768;
# multi_accept on;
}
# http context shared by every vhost; the vhosts themselves come from the two
# include lines near the end of this block.
http {
##
# Basic Settings
##
# Kernel-side file serving (sendfile) with packet coalescing; idle keep-alive
# connections are held open for 65 s.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# NOTE(review): server_tokens is left at its default (on), so every response
# and every nginx-generated error page discloses the version (nginx/1.2.1).
# Enabling `server_tokens off;` is a cheap hardening step; it has no bearing
# on the LAN-vs-Internet loading symptom.
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
# Global logs. The vhost shown later overrides both with per-site files under
# /var/log/ispconfig/httpd/, so requests for that site do not land here.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
# gzip is on but gzip_types stays commented out, so only the default text/html
# is compressed; CSS/JS are sent uncompressed. gzip_disable keeps it off for
# MSIE 6.
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# See: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# This MUST come AFTER the lines that include .../sites-enabled/*, otherwise SSLv3 support may be re-enabled accidentally.
# NOTE(review): perfect-forward-secrecy.conf is not shown on this page; its
# ssl_protocols/ssl_ciphers settings are what the `listen *:443 ssl` vhost
# ends up using.
include perfect-forward-secrecy.conf;
}
以及有问题的站点 .vhost(这适用于所有 vhost,并且都与此配置类似):
# vhost for domain.com / www.domain.com. The /var/www/clients/client1/web2 and
# /var/log/ispconfig paths suggest an ISPConfig-generated layout.
# NOTE(review): nothing in this vhost distinguishes LAN clients from Internet
# clients, so the LAN-only symptom is unlikely to originate in this file.
server {
# Served identically on plain HTTP and on HTTPS. There is no HTTP->HTTPS
# redirect because the `if ($ssl_protocol = "")` block below is commented out.
listen *:80;
listen *:443 ssl;
ssl_certificate /var/www/clients/client1/web2/ssl/domain.com.crt;
ssl_certificate_key /var/www/clients/client1/web2/ssl/domain.com.key;
server_name domain.com www.domain.com;
# if ($ssl_protocol = "") {
# rewrite ^ https://$server_name$request_uri? permanent;
# }
root /var/www/domain.com/web;
index index.html index.htm index.php index.cgi index.pl index.xhtml;
# Server-side includes only for *.shtml.
location ~ \.shtml$ {
ssi on;
}
# Custom error pages. Each page location is marked `internal`, so the pages
# are reachable only through error_page, never by a direct client request.
error_page 400 /error/400.html;
error_page 401 /error/401.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 405 /error/405.html;
error_page 500 /error/500.html;
error_page 502 /error/502.html;
error_page 503 /error/503.html;
recursive_error_pages on;
location = /error/400.html {
internal;
}
location = /error/401.html {
internal;
}
location = /error/403.html {
internal;
}
location = /error/404.html {
internal;
}
location = /error/405.html {
internal;
}
location = /error/500.html {
internal;
}
location = /error/502.html {
internal;
}
location = /error/503.html {
internal;
}
# Per-site logs; these override the global ones in the http context.
error_log /var/log/ispconfig/httpd/domain.com/error.log;
access_log /var/log/ispconfig/httpd/domain.com/access.log combined;
# Deny any path containing a dot-segment (/.git, /.htaccess, /.htpasswd*, ...)
# and keep those hits out of the logs.
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Password-protected stats area.
# NOTE(review): this is a plain prefix location (no ^~). A request for a .php
# file under /stats/ is matched by the `~ \.php$` regex location further down
# instead (regex locations take precedence over plain prefixes), so the
# auth_basic here does not protect PHP scripts in /stats/. Fine if the
# directory only holds static HTML; otherwise use `location ^~ /stats/` or add
# the auth to the PHP handling — verify.
# The .htpasswd file sits under the web tree; the `/\.` deny rule above
# presumably keeps it from being served — confirm that
# /var/www/domain.com/web and /var/www/clients/client1/web2/web are the same
# directory.
location /stats/ {
index index.html index.php;
auth_basic "Members Only";
auth_basic_user_file /var/www/clients/client1/web2/web/stats/.htpasswd_stats;
}
location ^~ /awstats-icon {
alias /usr/share/awstats/icon;
}
# Every *.php request first checks for a fixed .htm file under the document
# root — presumably an ISPConfig "site disabled" placeholder; if that file
# exists it is served instead of running PHP — and otherwise falls through to
# the @php handler.
location ~ \.php$ {
try_files /ae8f1ab378db095df6da2b73d9d970b5.htm @php;
}
# PHP-FPM handler. `try_files $uri =404` makes nginx confirm the script file
# exists before handing it to FPM, which is the usual guard against the
# cgi.fix_pathinfo problem (non-PHP uploads being executed as PHP).
# fastcgi_intercept_errors lets the error_page rules above handle FPM errors.
location @php {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/lib/php5-fpm/web2.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
# Classic CGI through fcgiwrap. `root` is overridden so /cgi-bin/x maps to
# /var/www/clients/client1/web2/cgi-bin/x, outside the web/ document root;
# the script must exist (try_files) and gzip is turned off for CGI output.
location /cgi-bin/ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
root /var/www/clients/client1/web2;
gzip off;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index index.cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
}
该服务器的 LAN IP 为 192.168.15.33,位于防火墙后面。在防火墙上,我尝试过清空(flush)全部规则,然后逐条重新添加。以下是开机时加载的规则文件:
# Generated by iptables-save v1.4.14 on Thu Jun 5 07:54:47 2014
# filter table. All three chain policies are ACCEPT; INPUT only becomes
# "default deny" for eth0 through the explicit `-i eth0 -j DROP` at its end.
# (Lines starting with '#' are ignored by iptables-restore.)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [128367:93659631]
:OUTPUT ACCEPT [11855:3741587]
# Loopback, and replies to connections the firewall host itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Three UDP listeners exposed on eth0 (the WAN side) — presumably the VPN
# endpoints behind tun0..tun2; confirm.
-A INPUT -i eth0 -p udp -m udp --dport 20091 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 20092 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 20093 -j ACCEPT
# eth1 (presumably the 192.168.15.0/24 LAN) and every VPN tunnel get
# unrestricted access to the firewall host itself.
# NOTE(review): VPN clients are trusted exactly like the LAN here; if that is
# not intended, narrow the tun* rules to the services they actually need.
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i tun2 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Everything else arriving on eth0 for the firewall itself is dropped.
-A INPUT -i eth0 -j DROP
# NOTE(review): the FORWARD policy is ACCEPT and there is no terminating DROP,
# so these per-port `--state NEW` ACCEPT rules never reject anything — every
# packet the nat table DNATs (and any other routed traffic) is forwarded
# regardless. To actually enforce this allow-list, set `:FORWARD DROP`, add
# `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` plus a rule for
# LAN-originated traffic, and keep the port rules below.
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 587 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 19983 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 19984 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 7777 -m state --state NEW -j ACCEPT
# NOTE(review): there is no MSS clamping rule on this chain. The reported
# symptom (small pages load from the Internet, larger responses such as
# images/CSS stall, everything works over the VPN) is consistent with a
# path-MTU blackhole on the eth0 uplink (e.g. PPPoE); the usual remedy is
# `-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`
# — TODO confirm the uplink MTU before relying on this.
COMMIT
# Completed on Thu Jun 5 07:54:47 2014
# Generated by iptables-save v1.4.14 on Thu Jun 5 07:54:47 2014
# nat table: port-forwards from the WAN side (eth0) to two LAN hosts, plus
# source NAT for everything leaving via eth0 or a VPN tunnel.
*nat
:PREROUTING ACCEPT [7015750:481018493]
:INPUT ACCEPT [1286947:100210418]
:OUTPUT ACCEPT [1606496:123095807]
:POSTROUTING ACCEPT [6831463:714772610]
# Mail (25/587/995/143), XMPP (5222 tcp+udp), web (80/443) and 7777/tcp are
# forwarded to the nginx host 192.168.15.33; what listens on 7777 is not shown
# on this page.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.15.33:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.15.33:587
-A PREROUTING -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.15.33:995
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.15.33:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.15.33:5222
-A PREROUTING -i eth0 -p udp -m udp --dport 5222 -j DNAT --to-destination 192.168.15.33:5222
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.33:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.33:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.15.33:7777
# 19983/tcp and 19984/udp go to a second LAN host, 192.168.15.109.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 19983 -j DNAT --to-destination 192.168.15.109:19983
-A PREROUTING -i eth0 -p udp -m udp --dport 19984 -j DNAT --to-destination 192.168.15.109:19984
# NOTE(review): the DNATs match `-i eth0` only, so LAN clients must be
# reaching the server by its private address (split DNS or similar — not
# shown here); only Internet requests take the eth0 -> FORWARD -> eth1 path.
# MASQUERADE is applied on eth0 and the tunnels but not on eth1, so forwarded
# Internet requests reach 192.168.15.33 with their original source address —
# which is why the nginx access log looks the same for both paths.
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE
-A POSTROUTING -o tun2 -j MASQUERADE
COMMIT
# Completed on Thu Jun 5 07:54:47 2014
我不确定这是防火墙问题、nginx 问题还是其他问题,甚至不知道下一步该如何解决这个问题。