If the server has no AAAA record, EC2 outbound requests use IPv6 format, causing the connection to time out


I created an AWS VPC and a security group with the necessary outbound rules, plus routes to the IPv4 and IPv6 internet gateways. I created an auto scaling group, but the important part is that I have an Ubuntu 22 EC2 instance on which `wget https://google.com` works fine:

ubuntu@ip-10-0-0-0:~$ wget https://google.com
--2023-03-20 20:43:26--  https://google.com/
Resolving google.com (google.com)... 2607:f8b0:4004:c06::66, 2607:f8b0:4004:c06::64, 2607:f8b0:4004:c06::8b, ...
Connecting to google.com (google.com)|2607:f8b0:4004:c06::66|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2023-03-20 20:43:27--  https://www.google.com/
Resolving www.google.com (www.google.com)... 2607:f8b0:4004:c1b::69, 2607:f8b0:4004:c1b::67, 2607:f8b0:4004:c1b::93, ...
Connecting to www.google.com (www.google.com)|2607:f8b0:4004:c1b::69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.4’

index.html.4                        [ <=>                                                 ]  13.90K  --.-KB/s    in 0s      

2023-03-20 20:43:27 (184 MB/s) - ‘index.html.4’ saved [14231]

But it cannot connect to sites that have no AAAA record or that accept IPv6 (such as stackoverflow): https://ready.chair6.net/?url=https%3A%2F%2Fstackoverflow.com

It just hangs:

wget https://stackoverflow.com
--2023-03-20 20:45:40--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 64:ff9b::9765:4145, 64:ff9b::9765:145, 64:ff9b::9765:c145, ...
Connecting to stackoverflow.com (stackoverflow.com)|64:ff9b::9765:4145|:443... 

Eventually it gets there, but I'm not sure how to fix it? I feel like I've covered everything... (The reason for this question is that the AWS CodeDeploy agent cannot validate the SSL certificate; here is the error:

2023-03-20 19:44:32 INFO  [codedeploy-agent(13669)]: master 13669: Spawned child 1/1
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: On Premises config file does not exist or not readable
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:32 INFO  [codedeploy-agent(13671)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:44:33 INFO  [codedeploy-agent(13669)]: Started master 13669 with 1 children
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControl: Error during certificate verification on codedeploy endpoint https://codedeploy-commands.us-east-1.amazonaws.com
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: Error validating the SSL configuration: Invalid server certificate
2023-03-20 19:45:32 ERROR [codedeploy-agent(13671)]: booting child: error during start or run: SystemExit - Stopping CodeDeploy agent due to SSL validation error. - /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `abort'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `validate'
/opt/codedeploy-agent/lib/instance_agent/agent/base.rb:11:in `runner'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:32:in `block in prepare_run'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:31:in `prepare_run'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:64:in `block in prepare_run_with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:63:in `prepare_run_with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:20:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:206:in `block in spawn_child'

The EC2 instance has both a public IPv4 address and an IPv6 address assigned and sits in a public subnet. Does anyone know what might be going wrong? Many thanks :)

  • The other option I'm considering is figuring out how to disable IPv6 outbound requests entirely while still being able to accept IPv6 inbound requests through my network + application load balancer.

Answer 1

This isn't a complete answer, but I just turned off auto-assign IPv6 on my public subnet and re-ran codedeploy.
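An added diagnostic, not part of the question or the answer above: every address wget printed for stackoverflow.com starts with 64:ff9b::, the RFC 6052 well-known prefix a DNS64 resolver uses to synthesize AAAA answers for IPv4-only hosts, and such addresses are only reachable through a NAT64 gateway. The script below (Python 3 standard library only; the sample answers are copied from the wget output) decodes those answers back to the embedded A record and connects with a bounded timeout instead of hanging.

```python
import ipaddress
import socket
from typing import List, Optional

# RFC 6052 well-known prefix. A DNS64 resolver answers an AAAA query for an
# IPv4-only host by embedding the host's A record in the low 32 bits of it;
# traffic to such an address only works if a NAT64 gateway is on the path.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample: the answers wget printed for stackoverflow.com above.
SAMPLE_ANSWERS = ["64:ff9b::9765:4145", "64:ff9b::9765:145", "64:ff9b::9765:c145"]


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address carried in a DNS64-synthesized answer, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


def classify(addrs: List[str]) -> dict:
    """Split resolver answers into native IPv4, native IPv6 and NAT64-synthesized."""
    out = {"ipv4": [], "ipv6": [], "nat64": {}}
    for a in addrs:
        v4 = embedded_ipv4(a)
        if v4 is not None:
            out["nat64"][a] = v4          # synthesized -> remember the real A record
        elif ipaddress.ip_address(a).version == 4:
            out["ipv4"].append(a)
        else:
            out["ipv6"].append(a)
    return out


def candidate_order(addrs: List[str]) -> List[str]:
    """Native answers first; synthesized NAT64 answers only as a last resort."""
    c = classify(addrs)
    return c["ipv6"] + c["ipv4"] + list(c["nat64"])


def connect_first_reachable(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Try each candidate with a bounded timeout; return the address that connected."""
    answers = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    last_err: Optional[Exception] = None
    for addr in candidate_order(answers):
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return addr
        except OSError as e:
            last_err = e
    raise OSError(f"no reachable address for {host}: {last_err}")
```

Running `classify(SAMPLE_ANSWERS)` on the instance shows whether the resolver is handing out synthesized answers; `connect_first_reachable("stackoverflow.com")` then reports which address actually accepted the connection.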
