I run two websites on a Raspberry Pi. Until recently they worked fine. Then I moved house, and now nothing works. For various reasons I don't think the move is the problem. My setup is: Internet -> ISP router -> internal router -> Raspberry Pi. I have port forwarding set up on the ISP router, forwarding 80:80 and 443:443. The same on the internal router. Why two routers? The ISP doesn't allow you to use your own router, so I connect from their router to mine with an Ethernet cable (LAN 1 to WAN), and it works fine for all devices. I can even reach the internet from the Raspberry Pi, so I think that is a Herring Rouge. If I run
curl --head -iL sarahcorballis.com
I end up with:
curl: (7) Failed to connect to sarahcorballis.com port 80: Connection timed out
Running ping against the IP address works.
If I run letsencrypt --nginx I get this:
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg: Timeout during connect (likely firewall problem), www.sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM: Timeout during connect (likely firewall problem), corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ: Timeout during connect (likely firewall problem), sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.corballis.co.uk
Type: connection
Detail: Fetching
http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg:
Timeout during connect (likely firewall problem)
Domain: www.sarahcorballis.com
Type: connection
Detail: Fetching
http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM:
Timeout during connect (likely firewall problem)
Domain: corballis.co.uk
Type: connection
Detail: Fetching
http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ:
Timeout during connect (likely firewall problem)
Domain: sarahcorballis.com
Type: connection
Detail: Fetching
http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
It looks as though traffic is being redirected from http to https, because if I look in /var/log/nginx I get this:
2021/01/16 16:41:37 [error] 21244#21244: *1461 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1462 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1463 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1464 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1465 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:40 [error] 21244#21244: *1466 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:41 [error] 21244#21244: *1467 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1468 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1469 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:53:32 [error] 21244#21244: *1470 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 114.119.157.139, server: 0.0.0.0:443
But there is no redirect in the nginx config files. Here is the output of sudo nginx -T:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
load_module modules/ngx_http_auth_pam_module.so;
load_module modules/ngx_http_dav_ext_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_image_filter_module.so;
load_module modules/ngx_http_subs_filter_module.so;
load_module modules/ngx_http_upstream_fair_module.so;
load_module modules/ngx_http_xslt_filter_module.so;
load_module modules/ngx_mail_module.so;
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/corballis.co.uk:
server {
listen 80;
listen 443 ssl;
# listen [::]:80;
# listen [::]:443 ssl;
server_name corballis.co.uk www.corballis.co.uk;
# Following line changed to remove nginx-root from the end of the line
root /var/www/corballis.co.uk/system/;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
}
# configuration file /etc/nginx/sites-enabled/sarahcorballis.com:
server {
listen 80;
listen 443 ssl;
listen [::]:80;
listen [::]:443 ssl;
server_name sarahcorballis.com www.sarahcorballis.com;
root /var/www/sarahcorballis.com/;
index index.html;
try_files $uri $uri/ /index.html;
location ~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
client_max_body_size 50m;
}
Here is nslookup sarahcorballis.com:
Server: 10.1.0.1
Address: 10.1.0.1#53
Non-authoritative answer:
Name: sarahcorballis.com
Address: 83.86.93.178
Here are the results of an nmap scan:
Nmap scan report for sarahcorballis.com (83.86.93.178)
Host is up (0.16s latency).
rDNS record for 83.86.93.178: 83-86-93-178.cable.dynamic.v4.ziggo.nl
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
110/tcp filtered pop3
143/tcp filtered imap
443/tcp open https
3389/tcp filtered ms-wbt-server
This is odd, because port 80 is not filtered at all; it is open for TCP on both the router and the Raspberry Pi. Here is the output of ufw status:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
Nginx Full ALLOW Anywhere
5900:5910/tcp ALLOW Anywhere
631/tcp ALLOW Anywhere
9191/tcp ALLOW Anywhere
3306 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
5900:5910/tcp (v6) ALLOW Anywhere (v6)
631/tcp (v6) ALLOW Anywhere (v6)
9191/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
The nmap ports don't seem to match the ufw status. The firewalls on both routers are on, but turning one of them off, or both, makes no difference.
Any suggestions welcome. This has been driving me mad for weeks!
Answer 1
OK, I solved it. In case anyone has a similar setup and runs into the same problem in future: the issue was that I had removed a third website (I no longer needed it); however, that site held the SSL certificates covering all three sites, and those certificates were now gone. Worse, I wasn't using Letsencrypt but Cloudflare origin certificates with HSTS for stronger security. Cloudflare was failing the redirect because there was no certificate. The solution:
- Generate new certificates - one per site
- Save the certificates (pem and key) to a directory on the server
- Modify the server blocks in nginx (/etc/nginx/sites-enabled) to point at the correct directory and make sure http2 is enabled
- Make sure SSL Strict is selected in Cloudflare.
Here is the nginx config block for one of the sites:
# configuration file /etc/nginx/sites-enabled/<website>.com:
server {
    listen 80;
    listen [::]:80;
    server_name <website>.com www.<website>.com;
    # Send plain HTTP to HTTPS; redirecting to http:// here would loop straight back to this block
    return 302 https://$server_name$request_uri;
}
server {
    # SSL Configuration for Cloudflare
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # "ssl on;" is deprecated; the ssl parameter on the listen lines already enables TLS
    ssl_certificate /etc/ssl/certs/<website>.com.pem;
    ssl_certificate_key /etc/ssl/private/<website>.com.key;
    server_name <website>.com www.<website>.com;
    root /var/www/<website>.com/;
    index index.html;
    try_files $uri $uri/ /index.html;
    client_max_body_size 50m;
}
If you happen to copy the block above, you need to change it to the site you own and make sure the suffix matches your site.
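As an added example (not from the question or the answer above), here is a small Python check that reads the text `sudo nginx -T` prints and flags every server block that has an `ssl` listener but no `ssl_certificate` directive, which is exactly the condition behind the `no "ssl_certificate" is defined in server listening on SSL port` errors in the question's nginx log. The embedded sample config is constructed from the blocks on this page; the `example.com` certificate path is a placeholder.

```python
import re
LISTEN_SSL = re.compile(r"^\s*listen\s+[^;]*\bssl\b[^;]*;", re.M)  # line-anchored: "# listen" is skipped
CERT = re.compile(r"^\s*ssl_certificate\s+[^;]+;", re.M)            # does not match ssl_certificate_key
SERVER_NAME = re.compile(r"^\s*server_name\s+([^;]+);", re.M)

def server_spans(config):
    """Return (start, end) offsets of the body of every `server { ... }` block."""
    spans = []
    for m in re.finditer(r"\bserver\s*\{", config):
        depth, i = 1, m.end()
        while depth and i < len(config):          # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        spans.append((m.end(), i - 1))
    return spans

def missing_cert_servers(config):
    """Names of server blocks that listen with `ssl` but define no ssl_certificate."""
    spans = server_spans(config)
    outside, last = [], 0                          # config text outside all server blocks
    for start, end in spans:
        outside.append(config[last:start])
        last = end
    outside.append(config[last:])
    inherited = bool(CERT.search("".join(outside)))  # an http-level cert is inherited
    flagged = []
    for start, end in spans:
        body = config[start:end]
        if LISTEN_SSL.search(body) and not (inherited or CERT.search(body)):
            name = SERVER_NAME.search(body)
            flagged.append(name.group(1).split()[0] if name else "<unnamed>")
    return flagged

# Constructed sample in `nginx -T` style: the question's corballis.co.uk block (ssl
# listener, no certificate) beside a block shaped like the answer's fix (placeholder path).
SAMPLE = """http {
    server {
        listen 443 ssl;
        server_name corballis.co.uk www.corballis.co.uk;
        location ~ /.well-known { allow all; }
    }
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/ssl/certs/example.com.pem;
        server_name example.com www.example.com;
    }
}
"""
print(missing_cert_servers(SAMPLE))   # ['corballis.co.uk']
```

Run it against the real dump with `sudo nginx -T | python3 -c 'import sys, check; print(check.missing_cert_servers(sys.stdin.read()))'` (assuming the file is saved as check.py) before the next certbot or Cloudflare attempt.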