我正在搭建一个新的 HTTPS 服务器,希望能够公开使用。它运行在 Ubuntu 16.04 上。
我遇到了无法远程访问该网站的问题。我已经正确配置了允许访问相应服务器的路由器,实际上,服务器 UFW 日志似乎显示请求确实进入,但被阻止了:
Mar 5 07:07:18 oc9 kernel: [35729.338614] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=192.168.158.175 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52285 DF PROTO=TCP SPT=47801 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 5 07:08:01 oc9 kernel: [35772.752517] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar 5 07:08:56 oc9 kernel: [35827.268215] [UFW BLOCK] IN=ens33 OUT= MAC=01:00:5e:00:00:01:40:b7:f3:dd:a5:40:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 5 07:10:06 oc9 kernel: [35897.823432] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
我正在使用 UFW,它的状态是:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
80,443/tcp (Apache Full) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
我知道这里要包含的最后一件事是来自 iptables -vL 的输出,但我不知道我在这里看的是什么。
Chain INPUT (policy DROP 835 packets, 34384 bytes)
pkts bytes target prot opt in out source destination
57949 3365K ufw-before-logging-input all -- any any anywhere anywhere
57949 3365K ufw-before-input all -- any any anywhere anywhere
53255 2900K ufw-after-input all -- any any anywhere anywhere
835 34384 ufw-after-logging-input all -- any any anywhere anywhere
835 34384 ufw-reject-input all -- any any anywhere anywhere
835 34384 ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- any any anywhere anywhere
0 0 ufw-before-forward all -- any any anywhere anywhere
0 0 ufw-after-forward all -- any any anywhere anywhere
0 0 ufw-after-logging-forward all -- any any anywhere anywhere
0 0 ufw-reject-forward all -- any any anywhere anywhere
0 0 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3514 644K ufw-before-logging-output all -- any any anywhere anywhere
3514 644K ufw-before-output all -- any any anywhere anywhere
75 5592 ufw-after-output all -- any any anywhere anywhere
75 5592 ufw-after-logging-output all -- any any anywhere anywhere
75 5592 ufw-reject-output all -- any any anywhere anywhere
75 5592 ufw-track-output all -- any any anywhere anywhere
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
772 60972 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
879 215K ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
203 12180 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
19 7798 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
50547 2570K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
835 34384 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ufw-user-forward all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
160 11840 ACCEPT all -- lo any anywhere anywhere
4481 448K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1 40 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
1 40 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
3 252 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
4 1312 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
53300 2903K ufw-not-local all -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
53300 2903K ufw-user-input all -- any any anywhere anywhere
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
160 11840 ACCEPT all -- any lo anywhere anywhere
3279 627K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
75 5592 ufw-user-output all -- any any anywhere anywhere
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
1 40 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
587 36448 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
564 18056 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
52149 2848K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
52420 2866K DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
16 960 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
59 4632 ACCEPT udp -- any any anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
43 2532 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https /* 'dapp_Apache%20Full' */
2 104 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
这是“ss -ltnp”的输出:
State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:3306 : users:(("mysqld",pid=1594,fd=16)) LISTEN 0 128 *:22 : users:(("sshd",pid=1285,fd=3)) LISTEN 0 128 :::80 :::* users:(("apache2",pid=1947,fd=4),("apache2",pid=1944,fd=4),("apache2",pid=1943,fd=4),("apache2",pid=1942,fd=4),("apache2",pid=1941,fd=4),("apache2",pid=1940,fd=4),("apache2",pid=1937,fd=4)) LISTEN 0 128 :::22 :::* users:(("sshd",pid=1285,fd=4)) LISTEN 0 128 :::443 :::* users:(("apache2",pid=1947,fd=6),("apache2",pid=1944,fd=6),("apache2",pid=1943,fd=6),("apache2",pid=1942,fd=6),("apache2",pid=1941,fd=6),("apache2",pid=1940,fd=6),("apache2",pid=1937,fd=6))
这是“openssl s_client -connect 192.168.158.158:443”的输出:
openssl s_client -connect 192.168.158.158:443 CONNECTED(00000003) depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify error:num=18:self signed certificate verify return:1 depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify return:1 --- Certificate chain 0 s:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
i:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
--- Server certificate -----BEGIN CERTIFICATE----- MIID6TCCAtGgAwIBAgIJANpH0YKSCE+FMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD et cetera q3jJ5FRjd6cWaPKJ25UeMdKJCbpCnmlLadMy3oSDTfqk3UTymhUiJhIgm9S2 -----END CERTIFICATE----- subject=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
issuer=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
--- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1517 bytes and written 431 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: AAC21087FEAB3ED0D391F3C5AF78FCCF717AE456D107591B7B9FDADD03E44D4C Session-ID-ctx: Master-Key: 9FA0F50D914170495DCEDFE73AEA1AFDC86491C814F582794C4D55C2265EDC1415A57ADC282992ADF5DC6AF4161F6D19 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1488762616 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
我可以检查什么来查看哪里出了问题?
答案1
在 iptables 输出中,您要查找的内容位于链 ufw-user-input 中
第一行启用端口 80 和 443,其中说明multiport dports http,https
我认为您误读了 ufw 日志。您看到DST=224.0.0.1它意味着您的防火墙阻止了多播,并且在第一行您可以看到DPT=515这意味着目标端口是 515 而不是 443。
为了确保防火墙不会阻止你,你可以尝试在远程主机上运行telnet $HTTP_SERVER 443。如果你被阻止,你应该立即被拒绝连接,因为你的基本策略是deny
答案2
事实证明,AT&T 对其固件进行了更改后,NVG589 路由器不会将 NAT/游戏流量定向到新的 DHCP 派生地址。如果您在固件升级时指定了动态地址,这似乎没问题,但任何新地址都不会被端口直通所接受。没有错误消息,没有警告,完全没有迹象表明它为什么不起作用或它是否正常工作 - 也没有办法查看防火墙在做什么。
无论如何,这个问题可以通过为服务器指定一个固定的 IP 地址(在路由器上),然后重新配置 HTTPS 协议来解决。