Tunnelling a LEMP server through an Oracle instance with WireGuard. Unable to obtain an Nginx Certbot certificate on the LEMP server. How do I debug this?

I have a LEMP server at home running Ubuntu 22.02 and an Oracle Cloud instance running Ubuntu 20.04. The Oracle Cloud instance acts as the WireGuard server. The LEMP server at home acts as the WireGuard client and tunnels through the Oracle server so that it gets an IP address different from my home IP address. I set up this WireGuard client/server configuration following this Linuxbabe.com tutorial. The WireGuard client is up and running and can successfully ping the Oracle server. The LEMP server (WireGuard client) also successfully resolves to the Oracle server's public IP address. I also installed openresolv on the VPN client and bind9 on the VPN server so that the LEMP server (WireGuard client) uses the Oracle instance's DNS. My domain registrar points the DNS for my domain at the same IP as my Oracle server. Now I am trying to install prosody on the LEMP server, but I cannot obtain a certificate through the certbot nginx plugin. Something seems to be blocking ports 80/443, and ports 80/443 are not open. When I run the following command (on my LEMP server):

sudo certbot -v --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d chat.example.com

I get the following error output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for chat.example.com
Performing the following challenges:
http-01 challenge for chat.example.com
Waiting for verification...
Challenge failed for domain chat.example.com
http-01 challenge for chat.example.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: chat.example.com
  Type:   connection
  Detail: 150.136.56.232: Fetching http://chat.example.com/.well-known/acme-challenge/GlzBhvxB_hDYefMW48qaHq3I-qc_NArj7VWml54bofM: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I use UFW as the firewall, and the UFW status on the LEMP server (VPN client) is:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    my.local.lan.ip/24
[ 2] 43211/tcp                  ALLOW IN    my.local.lan.ip/24
[ 3] 5222,5269/tcp              ALLOW IN    Anywhere
[ 4] 80,443/tcp                 ALLOW IN    Anywhere
[ 5] 5222,5269/tcp (v6)         ALLOW IN    Anywhere (v6)
[ 6] 80,443/tcp (v6)            ALLOW IN    Anywhere (v6)

The UFW status on my Oracle Cloud instance is:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    10.10.10.0/24
[ 2] 22/tcp                     ALLOW IN    my.home.public.ip
[ 3] 22/tcp                     ALLOW IN    my.work.public.ip
[ 4] 5222,5269/tcp              ALLOW IN    Anywhere
[ 5] 51820/udp                  ALLOW IN    my.home.public.ip
[ 6] 80,443/tcp                 ALLOW IN    Anywhere
[ 7] 5222,5269/tcp (v6)         ALLOW IN    Anywhere (v6)
[ 8] 80,443/tcp (v6)            ALLOW IN    Anywhere (v6)

Port 51820/udp is the WireGuard port for the Oracle instance and the LEMP server. I also forward the public IP address on the Oracle instance to the VPN client, so that the client can send and receive on the same public ports the Oracle instance uses. Below is my /etc/ufw/before.rules file. The port-forwarding changes I made are under the comments titled "Linuxbabe...".

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

## Linuxbabe tutorial
# allow forwarding for trusted network
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

### Linuxbabe - UFW Tutorial
## NAT table rules
*nat
# Nat Pre-Routing
:PREROUTING ACCEPT [0:0]
# !Http! Forward oracle.server.public.ip (Server Public IP) TCP port 80 to 10.10.10.2:80 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80

# !HTTPS! Forward oracle.server.public.ip (Server Public IP) TCP port 443 to 10.10.10.2:443 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 443 -j DNAT --to-destination 10.10.10.2:443

# !PROSODY-5222! Forward oracle.server.public.ip (Server Public IP) TCP port 5222 to 10.10.10.2:5222 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 5222 -j DNAT --to-destination 10.10.10.2:5222

# !PROSODY-5269! Forward oracle.server.public.ip (Server Public IP) TCP port 5269 to 10.10.10.2:5269 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 5269 -j DNAT --to-destination 10.10.10.2:5269

# !PROSODY-BOSH-5280! Forward oracle.server.public.ip (Server Public IP) TCP port 5280 to 10.10.10.2:5280 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 5280 -j DNAT --to-destination 10.10.10.2:5280

# !PROSODY-BOSH-5281! Forward oracle.server.public.ip (Server Public IP) TCP port 5281 to 10.10.10.2:5281 (VPN Client IP)
-A PREROUTING -i ens3 -d oracle.server.public.ip  -p tcp --dport 5281 -j DNAT --to-destination 10.10.10.2:5281
COMMIT

### Linuxbabe - Wireguard Tutorial
# Nat Postrouting
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE

# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT

The /etc/nginx/nginx.conf file on the LEMP server (WireGuard client) looks like this:

#user  nginx;
user www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

The /etc/nginx/conf.d/prosody.conf file on the LEMP server (VPN client) looks like this:

server {
      listen 80;
      listen [::]:80;
      server_name chat.example.com;

      root /var/www/prosody/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Finally, I enabled IP forwarding on the Oracle server by uncommenting the line net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

After all of this, my LEMP server appears to use the Oracle instance's VPN server tunnel successfully; however, it still cannot obtain a certificate from certbot using the prosody.conf nginx configuration file. As far as I can tell from all the research I have done, this setup (most importantly, the VPN forwarding rules in before.rules) should successfully allow my LEMP server to obtain a certificate using the Oracle instance's IP address. But it does not!

So my question is: what do I need to do to debug this, what is blocking ports 80/443 on my LEMP server, and what do I need to do to successfully obtain a certbot certificate for prosody using my Oracle instance's public IP address?
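An added diagnostic (not from the question or the Linuxbabe tutorial) for the DNAT path described above: it parses the output of `sudo iptables-save -c -t nat` and `sysctl net.ipv4.ip_forward` taken on the VPN server, flags a missing, mis-targeted or zero-hit DNAT rule per public port, and classifies an external TCP probe the way the ACME validator sees it. The sample rules, the 203.0.113.10 address and the packet counters are constructed; the checks assume the client's default route goes over the tunnel, since otherwise the client's replies leave via the home uplink and the probe times out instead of being refused.

```python
import re
import socket

# Constructed sample in `iptables-save -c` format mirroring the question's rules
# (203.0.113.10 stands in for oracle.server.public.ip; the zero counter on 443 shows what
# a rule that exists but never matches looks like).
SAMPLE_NAT = """*nat
:PREROUTING ACCEPT [0:0]
[7:420] -A PREROUTING -i ens3 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80
[0:0] -A PREROUTING -i ens3 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.10.2:443
COMMIT
"""

# Optional [pkts:bytes] counter, optional -i <iface>, then --dport and the DNAT target.
DNAT_RE = re.compile(r"^(?:\[(\d+):\d+\] )?-A PREROUTING (?:-i (\S+) )?.*--dport (\d+) "
                     r".*-j DNAT --to-destination (\S+)$")

def parse_dnat(text):
    """Map public TCP port -> (target 'ip:port', in-interface or None, packets matched)."""
    rules = {}
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            pkts, iface, dport, target = m.groups()
            rules[int(dport)] = (target, iface, int(pkts or 0))
    return rules

def audit(nat_text, ip_forward_text, client_ip, ports=(80, 443)):
    """Return findings per port; an empty list means the VPN-server side looks right."""
    findings = []
    if ip_forward_text.strip().rsplit("=", 1)[-1].strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1: the kernel will not forward to the client")
    dnat = parse_dnat(nat_text)
    for port in ports:
        if port not in dnat:
            findings.append(f"port {port}: no DNAT rule in nat PREROUTING")
            continue
        target, iface, pkts = dnat[port]
        if target != f"{client_ip}:{port}":
            findings.append(f"port {port}: DNAT goes to {target}, expected {client_ip}:{port}")
        if pkts == 0:   # rule present but never hit: wrong -i interface or cloud-side filtering
            findings.append(f"port {port}: DNAT rule matched 0 packets (check -i {iface} and the VCN security list)")
    return findings

def probe(host, port, timeout=3.0):
    """Classify a TCP connect the way the ACME validator experiences it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a TCP RST or ICMP port-unreachable came back: something answered
    except OSError:
        return "filtered"  # timed out or no route: packets were silently dropped
```

Run `audit()` on the real `iptables-save -c -t nat` text while probing the public IP from outside: a counter that stays at zero means the packet never reached the DNAT rule, while a counter that increases but a "refused" result points at the forward chain or the client side.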
