netstat 输出:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
UFW 处于非活动状态。该网站托管在 Digital Ocean 的一个 droplet 上,他们允许所有端口。如果我运行 tcpdump 并尝试访问该网站,它会显示连接,但浏览器会返回拒绝连接错误。本地主机上的 nmap 显示端口 443 已打开,但如果我在实际服务器上运行它,它会显示端口已关闭。如上所示,Nginx 正在正确监听端口 443。
Nginx配置文件
user admin root;
worker_processes auto;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'$ssl_protocol/$ssl_cipher ';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
include /etc/nginx/conf.d/*.conf;
}
服务器块
server {
listen 80;
listen 443 ssl;
server_name vechi.juristnet.ro;
ssl_certificate /etc/letsencrypt/live/juristnet.ro/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/juristnet.ro/privkey.pem;
root /var/juristnet/stable;
location / {
index index.php index.html;
rewrite_log on;
rewrite ^\/([a-zA-Z-]*)\/?([a-zA-Z-]*)$ /index.php?page=$1&subpage=$2 last;
}
location /.well-known/{
allow all;
}
location ~ \.php$ {
fastcgi_keep_conn on;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
}
server {
listen 80;
server_name juristnet.ro www.juristnet.ro;
root /var/test/proiect;
client_max_body_size 10M;
location = /favicon.ico
{
access_log off; log_not_found off;
alias /var/test/proiect/favicon.ico;
}
location /static/
{
autoindex on;
}
location /assets/
{
autoindex on;
alias /var/test/proiect/assets/;
}
location ~ /.well-known/
{
allow all;
}
location / {
include /etc/nginx/fastcgi_params;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://unix:/var/test/proiect/Tutorial2.sock;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
}
}
编辑:netstat -tulepn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 7246832 8864/nginx.conf
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12588 1003/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 109 13486 1131/postgres
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 7246833 8864/nginx.conf
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 108 15831 1067/mysqld
tcp6 0 0 :::8080 :::* LISTEN 107 18201 1356/java
tcp6 0 0 :::22 :::* LISTEN 0 12594 1003/sshd
tcp6 0 0 :::30845 :::* LISTEN 0 14246 1207/docker-proxy
TCPdump 输出:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:28:15.632611 IP 82.208.159.43.60840 > 46.101.111.197.https: Flags [S], seq 419699944, win 29200, options [mss 1380,sackOK,TS val 17904800 ecr 0,nop,wscale 7], length 0
16:28:15.632776 IP 82.208.159.43.24434 > 46.101.111.197.https: Flags [S], seq 1740044749, win 29200, options [mss 1380,sackOK,TS val 17904800 ecr 0,nop,wscale 7], length 0
16:28:15.632940 IP 46.101.111.197.https > 82.208.159.43.60840: Flags [R.], seq 0, ack 419699945, win 0, length 0
16:28:15.632964 IP 46.101.111.197.https > 82.208.159.43.24434: Flags [R.], seq 0, ack 1740044750, win 0, length 0
更新:iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 2106 packets, 120K bytes)
pkts bytes target prot opt in out source destination
2604 148K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 2084 packets, 118K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16610 packets, 1025K bytes)
pkts bytes target prot opt in out source destination
7017 421K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 17125 packets, 1055K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:443
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30845 to:172.17.0.2:80
515 29760 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.0.2:443
答案1
这不是适合所有人的解决方案,但就我而言,这与 Docker 有关。我没有在我的网站上使用它,但我认为它仍然以某种方式干扰了连接。我停止了服务,现在它可以正常工作了。我可以通过添加一些规则来公开端口,让它正常工作,但这样做了。