我刚刚使用 chef 在 Ubuntu(aws)上安装了 apache2。
Ubuntu 服务器上的 Apache2:10.1.1.1
客户端:10.1.1.200
我还验证了 tcp 22(sshd)和 tcp 80(apache2)都在监听
root@Ubuntu:/var/www# netstat -anp | egrep '22|80'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1469/sshd
tcp6 0 0 :::80 :::* LISTEN 16950/apache2
tcp6 0 0 :::22 :::* LISTEN 1469/sshd
root@Ubuntu:/var/www#
流程看起来也不错
root@Ubuntu:/var/www# ps -ef | egrep 'apache2|sshd'
root 1469 1 0 Sep29 ? 00:00:00 /usr/sbin/sshd -D
root 16950 1 0 Sep29 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 16953 16950 0 Sep29 ? 00:00:02 /usr/sbin/apache2 -k start
www-data 16954 16950 0 Sep29 ? 00:00:02 /usr/sbin/apache2 -k start
root@Ubuntu:/var/www#
服务也照常运行
root@Ubuntu:/var/www# service apache2 status
● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: active (running) since Fri 2017-09-29 23:36:49 UTC; 2h 13min ago
Docs: man:systemd-sysv-generator(8)
Tasks: 55
Memory: 6.5M
CPU: 4.637s
CGroup: /system.slice/apache2.service
├─16950 /usr/sbin/apache2 -k start
├─16953 /usr/sbin/apache2 -k start
└─16954 /usr/sbin/apache2 -k start
Sep 29 23:36:47 Ubuntu systemd[1]: Starting LSB: Apache2 web server...
Sep 29 23:36:47 Ubuntu apache2[16933]: * Starting Apache httpd web server apache2
Sep 29 23:36:48 Ubuntu apache2[16933]: AH00557: apache2: apr_sockaddr_info_get() failed for Ubuntu
Sep 29 23:36:48 Ubuntu apache2[16933]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the '
Sep 29 23:36:49 Ubuntu apache2[16933]: *
Sep 29 23:36:49 Ubuntu systemd[1]: Started LSB: Apache2 web server.
root@Ubuntu:/var/www#
但是,当我尝试通过 远程访问服务器时http://10.1.1.1
,什么也没有发生。在同一台服务器上使用 ssh 时,我没有遇到此问题。
我在尝试从远程访问 Web 服务器时也运行了 tcpdump,但没有看到任何内容
客户端测试
[root@Client]# curl 10.1.1.1:80
curl: (7) Failed connect to 10.1.1.1:80; Connection timed out
[root@Client]#
但在服务器上什么也没看到
root@Ubuntu:/var/www# tcpdump -nni eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@Ubuntu:/var/www#
但是,当我尝试使用 ssh 执行同样操作时,我能够远程访问它,并且可以按预期在 tcpdump 上看到流量。
[root@Client]# curl 10.1.1.1:22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
curl: (56) Recv failure: Connection reset by peer
[root@Client]#
ssh 上的 tcpdump
root@Ubuntu:/var/www# tcpdump -nni eth0 port 22 and host 10.1.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:03:04.320761 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [S], seq 1658944714, win 26883, options [mss 8961,sackOK,TS val 52461068 ecr 0,nop,wscale 7], length 0
02:03:04.320923 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [S.], seq 2270168630, ack 1658944715, win 26847, options [mss 8961,sackOK,TS val 13211819 ecr 52461068,nop,wscale 7], length 0
02:03:04.321264 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [.], ack 1, win 211, options [nop,nop,TS val 52461069 ecr 13211819], length 0
02:03:04.321287 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [P.], seq 1:80, ack 1, win 211, options [nop,nop,TS val 52461069 ecr 13211819], length 79
02:03:04.321293 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [.], ack 80, win 210, options [nop,nop,TS val 13211819 ecr 52461069], length 0
02:03:04.326160 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [P.], seq 1:42, ack 80, win 210, options [nop,nop,TS val 13211821 ecr 52461069], length 41
02:03:04.326683 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [R.], seq 42, ack 80, win 210, options [nop,nop,TS val 13211821 ecr 52461069], length 0
02:03:04.326899 IP 10.1.1.200.35890 > 10.1.1.1.22: Flags [.], ack 42, win 211, options [nop,nop,TS val 52461075 ecr 13211821], length 0
02:03:04.326911 IP 10.1.1.1.22 > 10.1.1.200.35890: Flags [R], seq 2270168672, win 0, length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
root@Ubuntu:/var/www#
更新:iptables 输出
此外,此框安装在 aws 上
root@Ubuntu:~# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@Ubuntu:~#
答案1
Apache 正在监听 IPv6,而不是 IPv4:
tcp6 0 0 :::80 :::* LISTEN 16950/apache2
tcp6
和:::80
都是 Apache 正在监听 IPv6 而不是 v4 的线索(否则将是tcp
和0.0.0.0:80
其他情况)。
这个问题有很多解决方案。可能最好的方法是告诉 Apache 明确监听 IPv4。将您的Listen
指令从以下内容更改为:
Listen 80
到:
Listen 0.0.0.0:80
答案2
感谢大家的反馈。显然,AWS 仅为此连接打开 ssh (tcp22)。
一旦 aws 上允许 http(tcp80),我就可以远程访问这个框。
我知道有什么东西阻塞了,因为 nmap 显示在 tcp80 上过滤并在 tcp22 上打开,但那时根本不知道它是 aws。
前
Nmap scan report for 10.1.1.1
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp filtered http nginx 1.10.3 (Ubuntu)
后
Nmap scan report for 10.1.1.1
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.10.3 (Ubuntu)