托管在远程机器上的我的网站(Django / nginx / gunicorn / mysql)正常运行,直到出于某种原因我决定重新启动远程机器为止。因此,重新启动后,在远程框中,当我说curl -IL -H -GET my.web.address
时,它可以正常工作。但是,当我从外面尝试相同的命令时,它报告curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address
。
感谢您的帮助。请在下面找到我检查过的相关内容。
我正在使用CentOS 7系统。我主要使用this tutorial
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3425/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3425/nginx: master
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (SSH) ALLOW IN Anywhere
224.0.0.251 5353/udp (mDNS) ALLOW IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (SSH (v6)) ALLOW IN Anywhere (v6)
ff02::fb 5353/udp (mDNS) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
SELinux status: disabled
nmap
的输出以检查端口状态nmap -sT my.ip.address
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
nginx.conf
的内容user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
nginx.conf
的服务器块server {
server_name my.ip.address my.web.address;
error_log /srv/www/myweb/logs/error.log;
access_log /srv/www/myweb/logs/access.log;
charset utf-8;
location /static/{
alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
}
location /{
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = my.ip.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = my.web.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.ip.address my.web.address;
return 404; # managed by Certbot
}
我已经检查了我的袜子文件权限,它们已经由相应的用户正确旋转。文件权限设置正确。
gunicorn.service
文件的内容[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application
[Install]
WantedBy=multi-user.target
同时,为确保我的问题与Lets加密服务器证书无关,我在nginx.conf
中进行了更改,使其仅适用于HTTP。
下面是我在远程机器上运行它时的curl -IL -GET my.domain.name
输出:
HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 06 Mar 2020 08:26:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7918
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
使用IP地址运行时,我得到与上述相同的输出。
[从笔记本电脑上卷曲时,我得到curl: (52) Empty reply from server
作为响应,同时包含域名和IP地址。
我从笔记本电脑ping服务器(使用IP和域名),然后它们发送/接收数据包。域名已正确映射到IP。我还使用nslookup
由于我禁用了HTTPS,所以TLS版本没有关系,不是吗?
此外,我使用ufw禁用了防火墙。我查了iptables -L
规则。我是该领域的新手,但对我来说,远程服务器的结果似乎旨在接受任何传入的连接。
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
因此问题已解决!
问题是,以某种方式,UFW规则没有更新iptables条目以允许端口80/443。
我通过以下命令手动对其进行了修改。
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT