Nginx on Ubuntu is configured for https, but it just cannot be accessed no matter what; no idea what the problem is
2021-07-21 05:18:04
idczone
```
[email protected]:/etc/nginx/conf.d# uname -a
Linux VM-0-10-ubuntu 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[email protected]:/etc/nginx/conf.d# pwd
/etc/nginx/conf.d
[email protected]:/etc/nginx/conf.d# cat default.conf
server {
    listen 443 ssl;
    server_name  www.site.top;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_certificate  /book/swb/site.top_bundle.crt;
    ssl_certificate_key  /book/swb/site.top.key;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

}
```

nginx info

```
[email protected]:/etc/nginx/conf.d# service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/nginx.service.d
           └─override.conf
   Active: active (running) since Sun 2021-07-18 10:24:26 CST; 2min 50s ago
     Docs: man:nginx(8)
  Process: 14799 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 14826 ExecStartPost=/bin/sleep 0.1 (code=exited, status=0/SUCCESS)
  Process: 14811 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 14800 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 14813 (nginx)
    Tasks: 3 (limit: 4464)
   CGroup: /system.slice/nginx.service
           ├─14813 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─14827 nginx: worker process
           └─14828 nginx: worker process

Jul 18 10:24:26 VM-0-10-ubuntu systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 18 10:24:26 VM-0-10-ubuntu systemd[1]: Started A high performance web server and a reverse proxy server.
```

Can you define "cannot be accessed" more precisely? What does curl output? And what does openssl s_client -connect output?

It is deployed on Tencent Cloud, and ports 443 and 80 are open in the security group.
The firewall on the system itself is turned off.
telnet to port 443 on 127.0.0.1 succeeds.
Status of the nginx-related ports:
```
netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN 14813/nginx: master
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 14813/nginx: master
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN 965/systemd-resolve
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 2228/sshd
tcp6 0 0 [::]:8001 [::]:* LISTEN 12614/java
tcp6 0 0 [::]:8008 [::]:* LISTEN 12570/java
tcp6 0 0 [::]:http [::]:* LISTEN 14813/nginx: master
```

curl localhost works.

Take a look at access.log: are the requests reaching nginx at all?

A few days ago I happened to use the free SSL certificate that Tencent provides, also on Tencent Cloud. This is written following their official site; I just modified it directly.
```nginx
server {
    listen 443 ssl;
    root /var/www/hexo;
    index index.html;
    server_name site.top;
    location / {
        try_files $uri $uri/ =404;
    }
    ssl_certificate /etc/nginx/conf.d/1_site.top_bundle.crt;
    ssl_certificate_key /etc/nginx/conf.d/2_site.top.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name site.top;
    return 301 https://$host$request_uri;
}
```

Watching the file with tail -f /var/log/nginx/access.log, requests on 443 never show up, while requests on 80 do.

Thanks, I'll give it a try.


It still doesn't seem to work; accessing port 80 gives this problem:
```
curl http://www.softwareborn.top

301 Moved Permanently

301 Moved Permanently

nginx/1.21.1
```
The configuration is as follows:
```
server {
    listen 80;
    server_name site.top;
    return 301 https://$host$request_uri;
}
```

server_name www.site.top;
Is your site's name really www.site.top???

Post a screenshot of the Tencent management console showing "security group 443 is open".

You are trying to access www.softwareborn.top, but your server_name is www.site.top?

Has 443 been allowed through ufw?

Port 443 is unreachable:
```
$ curl -v https://www.softwareborn.top/
* About to connect() to www.softwareborn.top port 443 (#0)
*   Trying 49.235.242.113...
* Connection timed out
* Failed connect to www.softwareborn.top:443; Connection timed out
* Closing connection 0
curl: (7) Failed connect to www.softwareborn.top:443; Connection timed out
```

Try accessing ip:443 directly.
If you are able to, run nmap against the IP.

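Try a different port. A few days ago I had the same thing with port 443 on Huawei Cloud: I could not find the cause no matter what, and in the end it worked after switching to another port.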

conf.d?
Doesn't nginx always use sites-enabled? Or is it different on Ubuntu?

After modifying the configuration file, run nginx -s reload for it to take effect.

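The usage you describe actually comes over from Apache. When nginx is installed from the official nginx repository it uses conf.d by default; if you use Ubuntu's default repository, it is indeed sites-enabled.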

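Then start by capturing packets at the lower layer: use the tcpdump command and see whether any packets for port 443 arrive at the server.
You will definitely not see the word "https" in nginx's access log; what gets recorded is the request content and the fields you asked it to save.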
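
The checks suggested in the thread (curl, openssl s_client, netstat, tcpdump) all try to find the layer at which the connection fails. As an added example, not part of any post, here is a small Python probe that separates a TCP timeout (the symptom in the curl output above) from a refused connection and from TLS-level failures; the function names and the `NEXT_STEP` hints are this example's own.

```python
import socket
import ssl

# Next step per failure layer; the checks named are the ones suggested in the thread.
NEXT_STEP = {
    "tcp-timeout": "SYN unanswered: packets are dropped before nginx; re-check "
                   "security group/ufw and run tcpdump on port 443 on the server",
    "tcp-refused": "host answers but nothing listens there: check `listen` and netstat -tlp",
    "tcp-error": "other socket error (DNS, routing): see detail",
    "tls-cert": "handshake reached the server but the certificate failed verification "
                "(wrong name, expired, or incomplete chain)",
    "tls-handshake": "TCP is fine, TLS is not: check ssl_certificate, protocols, ciphers",
    "ok": "TLS established; look at server_name / location handling next",
}

def classify_tcp_error(exc):
    """Map a connect() exception to the layer label used in NEXT_STEP."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp-timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"
    return "tcp-error"

def probe_https(host, port=443, sni=None, timeout=5.0):
    """Return (layer, detail) for the first layer at which host:port fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return classify_tcp_error(exc), str(exc)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "tls-cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls-handshake", str(exc)

if __name__ == "__main__":
    import sys
    layer, detail = probe_https(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print(layer, "|", detail, "|", NEXT_STEP[layer])
```

Run it once on the server against localhost and once from an outside machine against the public name: a listener that answers locally but gives `tcp-timeout` from outside points at filtering in front of the host rather than at the nginx configuration.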
