尽管 443 端口已打开,但无法访问 https

尽管 443 端口已打开,但无法访问 https

这是我第一次设置服务器,我刚刚安装了 SSL 证书。我还对 iptable 做了一些更改,以允许访问 443。以下是iptables -L

target     prot opt source         destination
ACCEPT     all  --  anywhere       anywhere        state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:http
ACCEPT     icmp --  anywhere       anywhere
ACCEPT     all  --  anywhere       anywhere
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere       anywhere        state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere       anywhere        tcp dpt:urd
REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

我还通过 ssh 进入服务器检查了 nmap,并从服务器本身运行了 nmap。

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-15 15:31 SGT
Nmap scan report for <my.domain.ip>
Host is up (0.0000050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
3005/tcp open  deslogin
3031/tcp open  epic

当我远程尝试 telnet [my.domain.ip] 443 时

Trying <my.domain.ip>...
telnet: connect to address <my.domain.ip>: Connection refused
telnet: Unable to connect to remote host

最后,我不知道 nginx.conf 是否起到了作用,但下面是该域的 SSL 代码片段

#include /etc/nginx/conf.d/*.conf;

server {
    listen          <my.domain.ip>:80;
    server_name     mydomain.com www.mydomain.com;
    index           index.html index.htm index.py;
    access_log      /var/log/nginx/mydomain.com.log;
    error_log       /var/log/nginx/mydomain.log.error;
    root            /home/fr/;
    charset         utf-8;

    #error_page 500 502 503 504 /custom_50x.html;
    #location = /custom_50x.html {
    #        internal;
    #}

    location / {
        uwsgi_pass  <my.domain.ip>:3031;
        include     uwsgi_params;
    }

    location /static {
        root        /home/fr/env/FRuler/fruler/;
    }
}

### for ssl  ###
server {
    listen          <my.domain.ip>:80;
    server_name     mydomain.com www.mydomain.com;
    index           index.html index.htm index.py;
    access_log      /var/log/nginx/mydomain.com.log;
    error_log       /var/log/nginx/mydomain.log.error;
    root            /home/fr/;
    charset         utf-8;


    location / {
        uwsgi_pass  <my.domain.ip>:3031;
        include     uwsgi_params;
    }

    location /static {
        root        /home/fr/env/FRuler/fruler/;
    }
}

server {
    listen 443 ssl;
    server_name     mydomain.com www.mydomain.com;
    ssl on;
    ssl_certificate /etc/ssl/mydomain/ssl.crt;
    ssl_certificate_key /etc/ssl/mydomain/server.key;
    server_name mydomain www.mydomain.com;
    access_log  /var/log/nginx/mydomain.com.log;
    error_log   /var/log/nginx/mydomain.log.error;
    location / {
        root /home/fr/;
        index index.html;
    }
}
### end of ssl ###

任何帮助都将受到赞赏。

答案1

iptables 中的顺序很重要,规则是按顺序遍历的。

REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

拒绝所有内容后,后续为 HTTPS 打开端口 443 的规则将永远不会被访问,也不会产生任何效果。您的一般拒绝规则应该是最后一条。

相关内容