即使防火墙已打开,Nginx SSL HTTPS 也无法在外部工作

tag-icon tag-icon nginx ssl https ubuntu-14.04
即使防火墙已打开,Nginx SSL HTTPS 也无法在外部工作

HTTP 在服务器和客户端上均可正常工作。HTTP 仅在服务器上有效。我该怎么做才能使 HTTP 在外部正常工作?

从服务器

OpenSSL : OpenSSL 1.0.2g  1 Mar 2016
Nginx   : nginx/1.10.3
OS      : Ubuntu 14.04.5 LTS
NodeJS  : v6.10.2

我的服务器上有一个以127.0.0.1:5000binded 方式运行的 nodejs express 服务器。127.0.0.1

我已经为这个 nodejs express 服务器设置了反向代理。这是我的 nginx 配置文件:

upstream nodejs {
    server 127.0.0.1:5000 fail_timeout=10s;
}

server {
    listen 80;
    listen 443 ssl;
    server_name domain.foo;

    ssl_certificate /etc/letsencrypt/live/domain.foo/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.foo/privkey.pem;

    location /.well-known {
       root /var/www/ssl-proof/default/;
    }

    location / {
        proxy_pass http://nodejs;
        proxy_read_timeout  90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Let's Encrypt 运行正常,我已经openssl s_client -connect domain.foo:443从服务器完成操作,并且可以毫无问题地获取证书。curl -k -vvv https://domain.foo也运行正常。

这是ufw status我的服务器上的

443/tcp                    ALLOW       Anywhere
22                         ALLOW       Anywhere
1194                       ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
Nginx HTTPS                ALLOW       Anywhere
5000                       ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
1194 (v6)                  ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Nginx HTTPS (v6)           ALLOW       Anywhere (v6)

来自客户

以下是nmap从客户端到服务器的

rDNS record for X.X.X.X: domain.foo
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
5000/tcp closed upnp

Nmap done: 1 IP address (1 host up) scanned in 5.75 seconds

当我尝试运行openssl s_client -connect domain.foo:443 -debug -msg. 这是我得到的结果:

CONNECTED(00000003)
write to 0x19a5fc0 [0x19a6040] (315 bytes => 315 (0x13B))
0000 - 16 03 01 01 36 01 00 01-32 03 03 52 50 26 f0 79   ....6...2..RP&.y
0010 - 67 6c 18 e4 dc 90 e4 47-f0 66 62 9a 3b 66 84 8b   gl.....G.fb.;f..
0020 - 81 7e 6f ad cd 61 39 f8-de e4 e1 00 00 b4 c0 30   .~o..a9........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02   .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d   ................
00d0 - c0 0d c0 03 00 0a 00 15-00 12 00 0f 00 0c 00 09   ................
00e0 - 00 ff 01 00 00 55 00 0b-00 04 03 00 01 02 00 0a   .....U..........
00f0 - 00 1c 00 1a 00 17 00 19-00 1c 00 1b 00 18 00 1a   ................
0100 - 00 16 00 0e 00 0d 00 0b-00 0c 00 09 00 0a 00 23   ...............#
0110 - 00 00 00 0d 00 20 00 1e-06 01 06 02 06 03 05 01   ..... ..........
0120 - 05 02 05 03 04 01 04 02-04 03 03 01 03 02 03 03   ................
0130 - 02 01 02 02 02 03 00 0f-00 01 01                  ...........
>>> TLS 1.2  [length 0005]
    16 03 01 01 36
>>> TLS 1.2 Handshake [length 0136], ClientHello
    01 00 01 32 03 03 52 50 26 f0 79 67 6c 18 e4 dc
    90 e4 47 f0 66 62 9a 3b 66 84 8b 81 7e 6f ad cd
    61 39 f8 de e4 e1 00 00 b4 c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00
    6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00
    87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0
    05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
    23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00
    40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00
    99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0
    2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00
    96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 c0
    12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00
    0a 00 15 00 12 00 0f 00 0c 00 09 00 ff 01 00 00
    55 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00
    17 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00
    0d 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0d 00
    20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04
    01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02
    03 00 0f 00 01 01
read from 0x19a5fc0 [0x19ab5a0] (7 bytes => 0 (0x0))
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493896114
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

这是tcpdump -vvv port 443上一次调用的服务器上

tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
07:14:35.760888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    domain.foo.htps > li470-25.client.foo.51928: Flags [S.], cksum 0x07a5 (correct), seq 3770024728, ack 3716645599, win 14480, options [mss 1460,sackOK,TS val 1825234083 ecr 129546331,nop,wscale 7], length 0
07:14:35.813457 IP (tos 0x0, ttl 52, id 14982, offset 0, flags [DF], proto TCP (6), length 52)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [.], cksum 0x6e0d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 0
07:14:35.813698 IP (tos 0x0, ttl 52, id 14983, offset 0, flags [DF], proto TCP (6), length 367)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [P.], cksum 0x22c2 (correct), seq 1:316, ack 1, win 229, options [nop,nop,TS val 129546346 ecr 1825234083], length 315
07:14:35.813717 IP (tos 0x0, ttl 64, id 57281, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6d08 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0
07:14:35.814087 IP (tos 0x0, ttl 64, id 57282, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [F.], cksum 0x6d07 (correct), seq 1, ack 316, win 122, options [nop,nop,TS val 1825234136 ecr 129546346], length 0
07:14:35.866972 IP (tos 0x0, ttl 52, id 14984, offset 0, flags [DF], proto TCP (6), length 52)
    li470-25.client.foo.51928 > domain.foo.htps: Flags [F.], cksum 0x6c8b (correct), seq 316, ack 2, win 229, options [nop,nop,TS val 129546362 ecr 1825234136], length 0
07:14:35.867009 IP (tos 0x0, ttl 64, id 57283, offset 0, flags [DF], proto TCP (6), length 52)
    domain.foo.htps > li470-25.client.foo.51928: Flags [.], cksum 0x6cc1 (correct), seq 2, ack 317, win 122, options [nop,nop,TS val 1825234189 ecr 129546362], length 0

当我尝试运行时,curl -k -vvv https://domain.foo我得到了以下结果:

* About to connect() to domain.foo port 443 (#0)
*   Trying X.X.X.X.. connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to domain.foo:443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to domain.foo:443

当我https//domain.foo通过浏览器访问时,我只是得到一个ERR_CONNECTION_CLOSED来自 chrome 的信息。

我该怎么做才能让 HTTPs 在外部工作?

相关内容