我正在设置 Varnish 和 Hitch 来为我的 Drupal 网站提供传入的 HTTP 和 HTTPS 请求。Drupal 网站在 Digital Ocean VPS 上的 Nginx 上运行,并监听端口 80 和 443。我已将所有服务器块更改为监听端口 8080。我已将 Varnish 配置为在同一台机器上监听 80。我创建了一个 shell 脚本来设置 iptables。该脚本包含以下几行
iptables -F
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ipchains -A input -p icmp --icmp-type timestamp-request -j DROP ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -L -n
iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart
当我执行上述脚本后列出 iptables 规则时,这是输出
sridhar@SastraTechnologies:~$ sudo iptables -L
[sudo] password for sridhar:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:9999
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:munin
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION (0 references)
target prot opt source destination
http-alt 是端口 8080,因为这是我的 iptables shell 脚本中的最后一条规则。但是,当我尝试 telnet 时,我收到“连接被拒绝”错误
sridhar@SastraTechnologies:~$ telnet localhost 8080
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
尝试使用笔记本电脑上的 curl 来获取标头,检查 varnish 是否能够连接到 Nginx,这是输出(出于显而易见的原因,IP 地址被混淆了)
sridhar@sridhar-HP-Laptop-15-bs0xx:~$ curl -I 139.99.99.99
HTTP/1.1 503 Backend fetch failed
Date: Mon, 11 Jan 2021 08:57:53 GMT
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
X-Varnish: 4271
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive
但是,如果我使用 netstat 检查端口状态,我发现 Nginx 正在监听端口 8080
sridhar@SastraTechnologies:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN 2246/varnishd
tcp 0 0 127.0.0.1:8999 0.0.0.0:* LISTEN 1543/perl
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 541/php-fpm.conf)
tcp 0 0 139.99.99.99:3306 0.0.0.0:* LISTEN 1472/mysqld
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 9050/sshd
tcp 0 0 139.99.99.99:8080 0.0.0.0:* LISTEN 4071/nginx -g daemo
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2246/varnishd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4071/nginx -g daemo
tcp6 0 0 :::9999 :::* LISTEN 9050/sshd
tcp6 0 0 :::80 :::* LISTEN 2246/varnishd
tcp6 0 0 :::4949 :::* LISTEN 7923/perl
但是它只监听公网 IP 上的 80 端口,而不是所有 IP,其他端口的情况不一样。我是不是漏掉了什么?如何让 Varnish 可以访问 8080 端口?
编辑
系统单元文件内容
[Unit]
Description=Varnish HTTP accelerator
Documentation=https://www.varnish-cache.org/docs/4.1/ man:varnishd
[Service]
Type=simple
LimitNOFILE=131072
LimitMEMLOCK=82000
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F -a :80 -T localhost:6082 -f /etc/varnish/default.vcl -S /etc/varnish/secret -s malloc,256m
ExecReload=/usr/share/varnish/reload-vcl
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
[Install]
WantedBy=multi-user.target
Varnish 的后端定义
backend default {
.host = "127.0.0.1";
.port = "8080";
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
}
sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
}
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
}
目前只更改了后端默认配置
Nginx 配置
server {
listen mydomain.co.in:8080;
server_name mydomain.co.in www.mydomain.co.in;
root /home/sridhar/public_html/newanybank/public; ## <-- Your only path reference.
keepalive_timeout 70;
access_log /home/sridhar/public_html/newanybank/log/access.log;
error_log /home/sridhar/public_html/newanybank/log/error.log;
# Enable compression, this will help if you have for instance advagg ^ modue# by serving Gzip versions of the files.
gzip_static on;
index index.php;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
# No no for private
location ~ ^/sites/.*/private/ {
return 403;
}
# Block access to "hidden" files and directories whose names begin with a
# period. This includes directories used by version control systems such
# as Subversion or Git to store control files.
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri $uri/ @rewrite;
expires max;
}
location @rewrite {
# You have 2 options here
# For D7 and above:
# Clean URLs are handled in drupal_environment_initialize().
rewrite ^ /index.php;
# For Drupal 6 and bwlow:
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
#rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
#fastcgi_pass unix:/tmp/phpfpm.sock;
fastcgi_pass 127.0.0.1:9000;
}
# Fighting with Styles? This little gem is amazing.
# This is for D6
#location ~ ^/sites/.*/files/imagecache/ {
# This is for D7 and D8
location ~ ^/sites/.*/files/styles/ {
try_files $uri $uri/ @rewrite;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 365d;
log_not_found off;
add_header Cache-Control "public, no-transform";
}
location ~* \.(pdf|css|html|js|swf)$ {
expires 7d;
log_not_found off;
add_header Cache-Control "public, no-transform";
}
答案1
您的 Nginx 配置中的指令listen mydomain.co.in:8080;可能是问题所在。
Nginx 将仅在网络接口上侦听域解析的 IP。我很清楚,出于隐私考虑,该域名已被删除。但你可能知道我的意思。
139.99.99.99:8080输出中的本地地址也反映了这一点netstat。
该localhost地址无法解析为该 IP 地址,并使用环回接口。所以这可能是它无法工作的原因。
请按如下方式更改您的Nginx监听地址:
listen 8080;
这会将 Nginx 进程绑定到该服务器上所有可用的网络接口,包括localhost。