最近在 Oracle Cloud 上托管的 Apache 2.4/Ubuntu 20.04 上配置了 SSL,并且 https/port 443 的连接被拒绝。
外部设备:
$ curl simpliassure.com:443
curl: (7) Failed to connect to simpliassure.com port 443: Connection refused
$ curl simpliassure.com
(normal html content loads)
$ nmap -p 443 132.145.100.143
Host is up (0.024s latency).
PORT STATE SERVICE
443/tcp closed https
通过 ssh 进入服务器:
$ curl localhost
(normal html content loads)
$ curl localhost:443
(normal html content loads)
$ curl https://localhost
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
$ apachectl configtest
Syntax OK
$ sudo apache2ctl -S
VirtualHost configuration:
132.145.100.143:80 simpliassure.com (/etc/apache2/sites-enabled/default-ssl.conf:3)
132.145.100.143:443 simpliassure.com (/etc/apache2/sites-enabled/default-ssl.conf:14)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
$ ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.0.0.29%ens3:68 0.0.0.0:*
udp UNCONN 0 0 [::]:111 [::]:*
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 [::]:111 [::]:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:443 *:*
/etc/sites-available/default-ssl.conf
是唯一的符号链接/etc/sites-enabled/default-ssl.conf
/etc/sites-available/default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost 132.145.100.143:80>
ServerAdmin webmaster@localhost
ServerName simpliassure.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost 132.145.100.143:443>
ServerAdmin webmaster@localhost
ServerName simpliassure.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /home/ubuntu/certificate_bundle/www.simpliassure.com.crt
SSLCertificateKeyFile /home/ubuntu/certificate_bundle/www.simpliassure.com.key
SSLCertificateChainFile /home/ubuntu/certificate_bundle/www.simpliassure.com_intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
/etc/apache2/ports.conf:
Listen 80
Listen 443
Ubuntu 的 ufw 处于非活动状态。运行...
$ sudo ufw allow https
$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo a2ensite default-ssl
$ sudo systemctl restart apache2
...没有运气。
Oracle 虚拟云网络入口规则:
有任何想法吗?
答案1
检查您的 Oracle 防火墙;如果端口 443 未打开,请打开它。
检查你的 ufw 防火墙;以 root 身份运行:ufw allow https
答案2
从外部运行“nmap -p 443 132.145.100.143”以验证端口是否打开/过滤。检查系统上的所有防火墙,而不仅仅是 UFW。
答案3
curl 上明显有错误,似乎您的证书有问题。请检查您针对服务器为证书分配的主机名。此外,在执行证书时,请确保使用 subjectaltnames,以便它能够捕获主机名、fqdn 以及(如果需要)ip(具体取决于您的需要)。
答案4
我认为您需要将端口 80 重定向到端口 443。
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>