我有一台 Apache 服务器,如果我只使用 http,它可以很好地为我的网站提供服务,但我无法通过 https 连接到它。我梳理了所有错误日志,但一无所获。我尝试了此站点上其他答案中的几项操作,包括允许端口 443 通过防火墙并重新启动 iptables,以及禁用 SELinux。这些都没有起作用,所以我怀疑我的配置有问题。
这是我的虚拟主机:
Listen 80
Listen 443
NameVirtualHost *:80
<VirtualHost *:80>
ServerName myurl.com
Redirect permanent / https://myurl.com:443
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
ServerName myurl.com
Alias /static /path/to/my/app/static
WSGIScriptAlias / /path/to/my/app/wsgi.py
<Directory /path/to/my/app>
Order deny,allow
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/ssl.crt/myurl.com.crt
SSLCertificateChainFile /etc/ssl/ssl.crt/myurl.com.ca-bundle
SSLCertificateKeyFile /etc/ssl/ssl.key/myurl.com.key
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
以下是 的输出netstat -ltpn:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1122/rpcbind
tcp 0 0 0.0.0.0:42675 0.0.0.0:* LISTEN 5774/rpc.statd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 27100/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 5806/cupsd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 12076/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6011/master
tcp 0 0 :::111 :::* LISTEN 1122/rpcbind
tcp 0 0 :::80 :::* LISTEN 5860/httpd
tcp 0 0 :::22 :::* LISTEN 27100/sshd
tcp 0 0 ::1:631 :::* LISTEN 5806/cupsd
tcp 0 0 ::1:5432 :::* LISTEN 12076/postmaster
tcp 0 0 ::1:25 :::* LISTEN 6011/master
tcp 0 0 :::443 :::* LISTEN 5860/httpd
tcp 0 0 :::40040 :::* LISTEN 5774/rpc.statd
和curl -v https://myurl.com:
[admin@eusay ~]$ curl -v https://myurl.com
* About to connect() to eusay.eusa.ed.ac.uk port 443 (#0)
* Trying ::1... connected
* Connected to eusay.eusa.ed.ac.uk (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=eusay.eusa.ed.ac.uk,OU=Domain Control Validated
* start date: Jun 26 00:00:00 2014 GMT
* expire date: Jun 25 23:59:59 2017 GMT
* common name: eusay.eusa.ed.ac.uk
* issuer: CN=TERENA SSL CA,O=TERENA,C=NL
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: eusay.eusa.ed.ac.uk
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Aug 2014 19:37:16 GMT
< Server: Apache/2.2.15 (CentOS)
< Vary: Cookie
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: sessionid=zi5oddwgqure8iwnkvd7evrjjt0qe3q8; expires=Fri, 29-Aug-2014 19:37:17 GMT; httponly; Max-Age=1209600; Path=/
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<
接下来是页面的完整 HTML。
答案1
总结一下——Apache 很好。它确实是你的防火墙。
解决防火墙问题,一切都会好起来。
长版本
问题:
使用 curl 进行测试可以验证 Apache 本身是通过 HTTPS 为网站提供服务。也就是说,您使用 curl 进行的测试是从服务器本身进行的。
当我使用 curl 测试 80 和 443 时,我的结果与您的不同。在 80 上,我按预期获得了 HTTP 301。但是,当我尝试访问您网站的 HTTPS 版本时,我收到了 ICMP HOST UNREACHEABLE。
换句话说,你的防火墙是拒绝发往 Web 服务器上 TCP 443 的数据包。
解决方案:
查找 TLS 流量从外部被阻止,然后修复它。
运行iptables -L -v -n以查看实际存在的规则。您可能需要添加规则以明确允许流量,例如:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
或者删除阻止它的规则,或者甚至两者兼而有之。
支持证据
输出curl -v http://eusay.eusa.ed.ac.uk
* 重建 URL 至:http://eusay.eusa.ed.ac.uk/ * DNS 缓存中未找到主机名 * 尝试 129.215.116.90... * 连接到 eusay.eusa.ed.ac.uk (129.215.116.90) 端口 80 (#0) > 获取/HTTP/1.1 > 用户代理:curl/7.35.0 > 主机:eusay.eusa.ed.ac.uk > 接受:*/* > 301 永久移动</title> </head><body> <h1>永久移动</h1> <p>该文件已移至<a href="https://eusay.eusa.ed.ac.uk:443">此处</a>。</p> <小时> <address>eusay.eusa.ed.ac.uk 端口 80 上的 Apache/2.2.15 (CentOS) 服务器</address> </body> </html> * 关闭连接 0
输出curl -v https://eusay.eusa.ed.ac.uk
* 重建 URL 至:https://eusay.eusa.ed.ac.uk/ * DNS 缓存中未找到主机名 * 尝试 129.215.116.90... * 连接到 129.215.116.90 端口 443 失败:没有到主机的路由 * 无法连接到 eusay.eusa.ed.ac.uk 端口 443:没有到主机的路由 * 关闭连接 0 curl:(7)无法连接到 eusay.eusa.ed.ac.uk 端口 443:没有到主机的路由