我有一个在 CentOS 7 VM 上运行的 Nginx Web 服务器,默认站点已禁用,/etc/nginx/conf.d/mysite.conf 中有两个服务器块
/etc/nginx/conf.d/mysite.conf
server {
listen 443 ssl;
server_name community.mysite.com;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128+EECDH:AES128+EDH';
ssl_certificate /media/www/mysite_com/community_cert/community_mysite_com.crt;
ssl_certificate_key /media/www/mysite_com/community_cert/community_mysite_com.key;
add_header Strict-Transport-Security "max-age=31536000";
access_log /media/www/community_mysite_com/requests.log main;
location / {
#This proxy forwards to a NodeBB Installation running on Node.JS
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:4567;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 80;
server_name community.mysite.com;
return 301 https://$host$request_uri;
}
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
这里的目标是将非 https 请求重定向到 https。问题似乎是在端口 80 上接收了 https 请求。我相信这是真的,因为,
- 所有https页面请求都导致无限循环。
- netstat 显示端口 443 上没有建立连接。
- netstat 显示端口 80 上已建立连接。
我在 iptables 中允许使用 http 和 https 服务。在 Firewalld 中允许使用端口 443 和 80。端口 443 和 80 也在网络防火墙内转发。
netstat 输出:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4128/nginx: master
tcp 0 0 192.168.1.53:80 111.231.123.11:10471 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:10116 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:29768 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:36415 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:11619 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:33847 ESTABLISHED 4129/nginx: worker
iptables 输出:
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:tram ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:http ctstate NEW
防火墙公共区域:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client http https samba ssh
ports: 443/tcp 80/tcp 4567/tcp 80/udp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
我该如何调试为什么 Nginx 似乎在端口 80 上接收端口 443 请求?我可能错过了什么吗?
我已通过从服务器块中删除它来禁用反向代理,但它仍然会出现同样的问题。我尝试了多种网络浏览器。我尝试清除 Chrome 中的缓存。我重启了虚拟机。
https://community.mysite.com-> 重定向循环。
http://community.mysite.com重定向到https://community.mysite.com-> 重定向循环。-
https://community.mysite.com:443> 重定向循环。
:编辑:
我安装了另一个 Web 服务器,结果完全相同。我猜这与 CentOS 或 ESXI 有关。
答案1
经过一天半的搜索,我发现这个问题不是由我的内部网络引起的,也不是由任何操作系统引起的。
我完全忘记了我的 DNS 是通过 CloudFlare 路由的,而 CloudFlare 已将 SSL 设置为“灵活”模式。将其设置为“完整”或“完整(严格)”可解决此问题。