yum HTTP Error 403 - Forbidden through NAT on AWS


I ran into some strange problems when trying to run yum update on a CentOS 7 server behind a NAT instance on AWS.

Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=genclo error was
14: HTTP Error 403 - Forbidden


One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Disable the repository, so yum won't use it by default. Yum will then
    just ignore the repository until you permanently enable it again or use
    --enablerepo for temporary usage:

        yum-config-manager --disable <repoid>

 4. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64 

Now, trying curl from the instance I use as the NAT instance gets the correct response:

curl -vvv 'http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=genclo'

http://mirror.strencom.net/centos/7.2.1511/os/x86_64/
http://ftp.heanet.ie/pub/centos/7.2.1511/os/x86_64/
http://www.mirrorservice.org/sites/mirror.centos.org/7.2.1511/os/x86_64/
http://mirrors.ukfast.co.uk/sites/ftp.centos.org/7.2.1511/os/x86_64/
http://anorien.csc.warwick.ac.uk/mirrors/centos/7.2.1511/os/x86_64/
http://mirrors.vooservers.com/centos/7.2.1511/os/x86_64/
http://centos.serverspace.co.uk/centos/7.2.1511/os/x86_64/
http://mirror.ox.ac.uk/sites/mirror.centos.org/7.2.1511/os/x86_64/
http://mirrors.melbourne.co.uk/sites/ftp.centos.org/centos/7.2.1511/os/x86_64/
http://mirror.vorboss.net/centos/7.2.1511/os/x86_64/

The date is correct, so I'm confused now. I'm starting to think about migrating to AWS Linux.

Thanks for your help :)

Update: I accessed the same instance using an EIP and yum runs fine, so I guess it's a NAT problem. I still don't understand why.

Answer 1

Error 403 is an HTTP response code and has nothing to do with IP (layer 3) routing/NAT problems. Possible causes:

  1. There is a problem with your NAT instance configuration
  2. You are using a layer 7 reverse proxy (check proxy variables, yum.conf, etc.)
  3. You are using a transparent proxy server
  4. mirrorlist.centos.org really doesn't like you :)

Answer 2

For internet access from behind a NAT instance, the default route of your private subnet needs to point to the NAT instance's ENI - see the documentation.

Also, your NAT EC2 instance needs to have source/destination check disabled - see here. I would also make sure you have followed and understood the Amazon documentation on using a NAT EC2 instance.

For ease of use, I'd suggest the AWS NAT Gateway, which provides the same functionality as an EC2 instance but without the need to set up an OS firewall.

Answer 3

I ran into the same problem. It was related to the policy on the S3 VPC endpoint (because we have an S3 endpoint, that traffic does not go through the NAT).

Change it to something like this (adjust the bucket names as needed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amazonlinux.ap-southeast-2.amazonaws.com/*",
                "arn:aws:s3:::amazonlinux-2-repos-ap-southeast-2/*"
            ]
        }
    ]
}

Article with more information:
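To see how an endpoint policy like the one in this answer turns into a 403 for yum, here is an added example (not code from the answer or from AWS) with a deliberately simplified policy evaluator: it handles only Effect, the any-principal "*" form, and wildcard Action/Resource matching, and ignores Condition, NotAction and principal ARNs (an assumption about scope, not a description of the real IAM evaluator). The bucket ARNs are the ones posted above; the object keys and the unlisted bucket name are constructed sample values.

```python
import fnmatch

# Endpoint policy from the answer above (bucket ARNs exactly as posted there).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::amazonlinux.ap-southeast-2.amazonaws.com/*",
            "arn:aws:s3:::amazonlinux-2-repos-ap-southeast-2/*",
        ],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request (simplified IAM logic, an
    assumption: explicit Deny wins, else any matching Allow grants, else implicit
    deny; only the any-principal '*' form used in the answer is recognised)."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def check_repo_access(policy, bucket, key):
    """Model a yum fetch of s3://bucket/key: a GetObject the endpoint denies
    surfaces to yum as the 'HTTP Error 403 - Forbidden' seen in the question."""
    decision = evaluate(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")
    return 200 if decision == "Allow" else 403

if __name__ == "__main__":
    # Constructed sample fetches: a bucket from the policy and one that is not listed.
    for bucket in ("amazonlinux-2-repos-ap-southeast-2", "unlisted-repo-bucket"):
        print(bucket, check_repo_access(ENDPOINT_POLICY, bucket, "repodata/repomd.xml"))
```

Note that the "/*" resources cover object-level actions only; s3:ListBucket on the bucket ARN itself is not granted by this policy, and the evaluator reports that as Deny too.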
