This is my first time setting up a server, and I have just installed an SSL certificate. I also made some changes to iptables to allow access to 443. Here is the output of iptables -L:
```
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere     state NEW tcp dpt:http
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere     state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere    anywhere     state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere    anywhere     state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:urd
REJECT     all  --  anywhere    anywhere     reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere    anywhere     state NEW tcp dpt:https
```
I also checked with nmap by ssh-ing into the server and running nmap from the server itself:
```
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-15 15:31 SGT
Nmap scan report for <my.domain.ip>
Host is up (0.0000050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
3005/tcp open  deslogin
3031/tcp open  epic
```
When I try telnet [my.domain.ip] 443 remotely:
```
Trying <my.domain.ip>...
telnet: connect to address <my.domain.ip>: Connection refused
telnet: Unable to connect to remote host
```
Finally, I don't know whether nginx.conf plays a part, but below is the SSL snippet for the domain:
```nginx
#include /etc/nginx/conf.d/*.conf;
server {
    listen <my.domain.ip>:80;
    server_name mydomain.com www.mydomain.com;
    index index.html index.htm index.py;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;
    root /home/fr/;
    charset utf-8;
    #error_page 500 502 503 504 /custom_50x.html;
    #location = /custom_50x.html {
    #    internal;
    #}
    location / {
        uwsgi_pass <my.domain.ip>:3031;
        include uwsgi_params;
    }
    location /static {
        root /home/fr/env/FRuler/fruler/;
    }
}

### for ssl ###
server {
    listen <my.domain.ip>:80;
    server_name mydomain.com www.mydomain.com;
    index index.html index.htm index.py;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;
    root /home/fr/;
    charset utf-8;
    location / {
        uwsgi_pass <my.domain.ip>:3031;
        include uwsgi_params;
    }
    location /static {
        root /home/fr/env/FRuler/fruler/;
    }
}

server {
    listen 443 ssl;
    server_name mydomain.com www.mydomain.com;
    ssl on;
    ssl_certificate /etc/ssl/mydomain/ssl.crt;
    ssl_certificate_key /etc/ssl/mydomain/server.key;
    server_name mydomain www.mydomain.com;
    access_log /var/log/nginx/mydomain.com.log;
    error_log /var/log/nginx/mydomain.log.error;
    location / {
        root /home/fr/;
        index index.html;
    }
}
### end of ssl ###
```
Any help would be appreciated.
Answer 1

Order matters in iptables; the rules are traversed in sequence.
```
REJECT     all  --  anywhere    anywhere     reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere    anywhere     state NEW tcp dpt:https
```
After everything has been rejected, the subsequent rule that opens port 443 for HTTPS is never reached and has no effect. Your general reject rule should be the last one.
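As an added illustration (not part of the question or the answer), here is a small Python simulation of first-match traversal over the posted INPUT chain, showing why a remote port 443 SYN hits the REJECT rule while the same packet arriving on loopback (as in the nmap run from the server itself) is accepted. It assumes the bare `ACCEPT all` line is the usual loopback (`-i lo`) rule, since `iptables -L` without `-v` hides the interface column, and that the chain policy is ACCEPT.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None              # None = any protocol
    states: Optional[FrozenSet[str]] = None  # None = no conntrack match
    dport: Optional[int] = None              # None = any destination port
    in_iface: Optional[str] = None           # None = any input interface

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    state: str
    in_iface: str

# Constructed from the question's `iptables -L` output, same order.
# Assumption: the bare "ACCEPT all" line is the loopback (-i lo) rule.
POSTED_CHAIN: List[Rule] = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", "tcp", frozenset({"NEW"}), 80),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", "tcp", frozenset({"NEW"}), 22),
    Rule("ACCEPT", "tcp", frozenset({"NEW"}), 25),
    Rule("ACCEPT", "udp", frozenset({"NEW"}), 25),
    Rule("ACCEPT", "tcp", dport=465),        # "urd" is 465/tcp in /etc/services
    Rule("REJECT"),                          # reject-with icmp-host-prohibited
    Rule("ACCEPT", "tcp", frozenset({"NEW"}), 443),  # sits below the REJECT
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.states is None or pkt.state in rule.states)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.in_iface is None or rule.in_iface == pkt.in_iface))

def verdict(chain: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, idx
    return "ACCEPT", None   # chain policy (assumed ACCEPT)

def fixed_chain(chain: List[Rule]) -> List[Rule]:
    """The answer's fix: keep the catch-all REJECT as the last rule."""
    keep = [r for r in chain if r.target != "REJECT"]
    return keep + [r for r in chain if r.target == "REJECT"]

REMOTE_HTTPS = Packet("tcp", 443, "NEW", "eth0")   # telnet from outside
LOCAL_HTTPS = Packet("tcp", 443, "NEW", "lo")      # nmap run on the server
```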