After rebooting my VPS, I noticed that all nginx hosts bound to ports 80 and 443 started returning ERR_CONNECTION_TIMED_OUT, and no new entries are written to access.log.
I simplified the configuration, but the error is still reproducible:
server {
    listen 80;
    root /var/www/html;
    access_log /var/www/html/logs/access.log;
    error_log /var/www/html/logs/error.log;
    index index.nginx-debian.html;
    location / {
        try_files $uri $uri/ /index.nginx-debian.html;
    }
}
nginx -t reports no problems:
[username removed]:/var/www/html/logs$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If I change the port from 80 to 20777, the site starts working. Running lsof while the site is bound to port 80 returns the following:
[username removed]:/var/www/html/logs$ sudo lsof -n -i:80
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gmsrv    1145  gabriel  14u  IPv4 133782      0t0  TCP [IP removed]->[IP removed]:http (ESTABLISHED)
nginx   19124     root  13u  IPv4 130469      0t0  TCP *:http (LISTEN)
nginx   19908 www-data  13u  IPv4 130469      0t0  TCP *:http (LISTEN)
I checked my firewall settings with ufw and made sure ports 80 and 443 are not blocked:
[username removed]:/var/www/html/logs$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
25                         ALLOW       Anywhere
587                        ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
110                        ALLOW       Anywhere
20505                      ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
20777                      ALLOW       Anywhere
The firewall offered by my hosting provider (OVH) is not enabled, so it should not be blocking the ports either.
Running tcpdump on port 80 and then trying to reach the site from my browser shows the requests immediately:
[username removed]:/etc/nginx/sites-enabled$ sudo tcpdump -vvXX -n port 80
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:29:50.652067 IP (tos 0x0, ttl 110, id 19322, offset 0, flags [DF], proto TCP (6), length 52)
[IP removed] > [IP removed].80: Flags [S], cksum 0x2b2b (correct), seq 3761772921, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: fa16 3e71 c70c 3aa2 64bf 3010 0800 4500 ..>q..:.d.0...E.
0x0010: 0034 4b7a 4000 6e06 90c8 9e81 134a 3625 [email protected]%
0x0020: 4891 1973 0050 e038 1979 0000 0000 8002 H..s.P.8.y......
0x0030: ffee 2b2b 0000 0204 05b4 0103 0308 0101 ..++............
0x0040: 0402 ..
11:29:50.902774 IP (tos 0x0, ttl 110, id 19324, offset 0, flags [DF], proto TCP (6), length 52)
[IP removed] > [IP removed].80: Flags [S], cksum 0x1b16 (correct), seq 2786550702, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: fa16 3e71 c70c 3aa2 64bf 3010 0800 4500 ..>q..:.d.0...E.
0x0010: 0034 4b7c 4000 6e06 90c6 9e81 134a 3625 .4K|@.n......J6%
0x0020: 4891 1974 0050 a617 63ae 0000 0000 8002 H..t.P..c.......
0x0030: ffee 1b16 0000 0204 05b4 0103 0308 0101 ................
0x0040: 0402 ..
11:29:51.652209 IP (tos 0x0, ttl 110, id 19326, offset 0, flags [DF], proto TCP (6), length 52)
[IP removed] > [IP removed].80: Flags [S], cksum 0x2b2b (correct), seq 3761772921, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: fa16 3e71 c70c 3aa2 64bf 3010 0800 4500 ..>q..:.d.0...E.
0x0010: 0034 4b7e 4000 6e06 90c4 9e81 134a 3625 [email protected]%
0x0020: 4891 1973 0050 e038 1979 0000 0000 8002 H..s.P.8.y......
0x0030: ffee 2b2b 0000 0204 05b4 0103 0308 0101 ..++............
0x0040: 0402 ..
11:29:51.903621 IP (tos 0x0, ttl 110, id 19328, offset 0, flags [DF], proto TCP (6), length 52)
[IP removed] > [IP removed].80: Flags [S], cksum 0x1b16 (correct), seq 2786550702, win 65518, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
0x0000: fa16 3e71 c70c 3aa2 64bf 3010 0800 4500 ..>q..:.d.0...E.
0x0010: 0034 4b80 4000 6e06 90c2 9e81 134a 3625 [email protected]%
0x0020: 4891 1974 0050 a617 63ae 0000 0000 8002 H..t.P..c.......
0x0030: ffee 1b16 0000 0204 05b4 0103 0308 0101 ................
0x0040: 0402 ..
The problem does not seem to come from the hosting provider's side. I used the server's IP address to access the site, so the problem does not seem to be DNS-related.
I need help figuring out what is preventing nginx from serving content on ports 80 and 443.
Other things I have already tried:
- restarting the nginx service
- reinstalling nginx
Edit: posting the output of iptables-save as requested:
[username removed]:/var/www/html/logs$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Wed Jul 6 12:35:42 2022
*filter
:INPUT DROP [107173:5607638]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [112:5566]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -p tcp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -p udp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A INPUT -s [IP removed]/32 -i eth0 -p icmp -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d [IP removed]/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d [IP removed]/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 27182 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27182 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22005 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22003 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22126 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20080 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 20080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20777 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 20777 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
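Added example, not from the question or the answer: a small Python check that parses `iptables-save` and `ufw status` output and lists every port that ufw claims to allow but for which the kernel's ufw-user-input chain holds no ACCEPT rule, which is the discrepancy visible in the dump above (80 and 443 are listed by ufw, yet only the 2xxxx ports appear in ufw-user-input, and the INPUT policy is DROP). The sample inputs are constructed from an abridged copy of the outputs posted above; the mapping of the "Nginx Full" profile to 80/tcp and 443/tcp is assumed from the stock nginx application profile shipped with ufw.

```python
"""Detect drift between what `ufw status` reports and what netfilter holds.

Added example (not the original poster's code). Parses an `iptables-save` dump,
collects the (port, proto) pairs that the ufw-user-input chain ACCEPTs, and
reports every port that `ufw status` lists as allowed without a matching rule.
"""
import re
from typing import Optional, Set, Tuple

PortProto = Tuple[int, str]

# Constructed sample: abridged from the iptables-save output in the question.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [107173:5607638]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [112:5566]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 27182 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 27182 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22005 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22003 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22126 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20080 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 20080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 20777 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 20777 -j ACCEPT
COMMIT
"""

# Constructed sample: the `ufw status` table from the question.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
25                         ALLOW       Anywhere
587                        ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
110                        ALLOW       Anywhere
20505                      ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
20777                      ALLOW       Anywhere
"""

# Assumption: application profiles resolve as in /etc/ufw/applications.d;
# the stock "Nginx Full" profile is 80,443/tcp.
APP_PROFILES = {"Nginx Full": {(80, "tcp"), (443, "tcp")}}

RULE_RE = re.compile(
    r"^-A ufw-user-input\s+-p (?P<proto>tcp|udp)\s+-m (?:tcp|udp)\s+"
    r"--dport (?P<port>\d+)\s+-j ACCEPT$"
)
POLICY_RE = re.compile(r"^:INPUT (?P<policy>\w+) \[")


def kernel_accepts(iptables_save: str) -> Set[PortProto]:
    """(port, proto) pairs that the ufw-user-input chain ACCEPTs."""
    accepted = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            accepted.add((int(m.group("port")), m.group("proto")))
    return accepted


def input_policy(iptables_save: str) -> Optional[str]:
    """Default policy of the INPUT chain (DROP here, so missing ACCEPTs time out)."""
    for line in iptables_save.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            return m.group("policy")
    return None


def ufw_claims(ufw_status: str) -> Set[PortProto]:
    """(port, proto) pairs that `ufw status` says are allowed from anywhere."""
    claimed = set()
    for line in ufw_status.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3 or cols[1] != "ALLOW":
            continue
        target = cols[0]
        if target in APP_PROFILES:
            claimed |= APP_PROFILES[target]
        elif re.fullmatch(r"\d+", target):
            # A bare port number in ufw means both tcp and udp.
            claimed |= {(int(target), "tcp"), (int(target), "udp")}
        elif re.fullmatch(r"\d+/(tcp|udp)", target):
            port, proto = target.split("/")
            claimed.add((int(port), proto))
    return claimed


def drift(iptables_save: str, ufw_status: str) -> Set[PortProto]:
    """Ports ufw claims to allow that have no ACCEPT in the kernel chain."""
    return ufw_claims(ufw_status) - kernel_accepts(iptables_save)


if __name__ == "__main__":
    print("INPUT policy:", input_policy(IPTABLES_SAVE))
    for port, proto in sorted(drift(IPTABLES_SAVE, UFW_STATUS)):
        print(f"ufw lists {port}/{proto} as allowed, but ufw-user-input has no ACCEPT for it")
```

On a live host, feed it `sudo iptables-save` and `sudo ufw status` instead of the embedded samples; a non-empty result with an INPUT policy of DROP is exactly the situation in which tcpdump sees inbound SYNs but nginx never logs a request.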
Answer 1
Fixed using the following solution: https://unix.stackexchange.com/a/247952/532896
Although I am still not sure what caused the iptables rules for ports 80 and 443 to disappear while the UFW rules remained.