Cannot access https even though port 443 is open

Gin*_*ino 6 ssl nginx centos port-443

This is my first time setting up a server, and I have just installed an SSL certificate. I also made some changes to iptables to allow access on 443. Below is the output of iptables -L

target     prot opt source         destination
ACCEPT     all  --  anywhere       anywhere        state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:http
ACCEPT     icmp --  anywhere       anywhere
ACCEPT     all  --  anywhere       anywhere
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere       anywhere        state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere       anywhere        tcp dpt:urd
REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

I also checked with nmap, by sshing into the server and running nmap from the server itself.

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-15 15:31 SGT
Nmap scan report for <my.domain.ip>
Host is up (0.0000050s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
3005/tcp open  deslogin
3031/tcp open  epic

When I try telnet [my.domain.ip] 443 remotely

Trying <my.domain.ip>...
telnet: connect to address <my.domain.ip>: Connection refused
telnet: Unable to connect to remote host

Finally, I don't know whether nginx.conf plays a role, but below is the snippet for the domain's ssl

#include /etc/nginx/conf.d/*.conf;

server {
    listen          <my.domain.ip>:80;
    server_name     mydomain.com www.mydomain.com;
    index           index.html index.htm index.py;
    access_log      /var/log/nginx/mydomain.com.log;
    error_log       /var/log/nginx/mydomain.log.error;
    root            /home/fr/;
    charset         utf-8;

    #error_page 500 502 503 504 /custom_50x.html;
    #location = /custom_50x.html {
    #        internal;
    #}

    location / {
        uwsgi_pass  <my.domain.ip>:3031;
        include     uwsgi_params;
    }

    location /static {
        root        /home/fr/env/FRuler/fruler/;
    }
}

### for ssl  ###
server {
    listen          <my.domain.ip>:80;
    server_name     mydomain.com www.mydomain.com;
    index           index.html index.htm index.py;
    access_log      /var/log/nginx/mydomain.com.log;
    error_log       /var/log/nginx/mydomain.log.error;
    root            /home/fr/;
    charset         utf-8;


    location / {
        uwsgi_pass  <my.domain.ip>:3031;
        include     uwsgi_params;
    }

    location /static {
        root        /home/fr/env/FRuler/fruler/;
    }
}

server {
    listen 443 ssl;
    server_name     mydomain.com www.mydomain.com;
    ssl on;
    ssl_certificate /etc/ssl/mydomain/ssl.crt;
    ssl_certificate_key /etc/ssl/mydomain/server.key;
    server_name mydomain www.mydomain.com;
    access_log  /var/log/nginx/mydomain.com.log;
    error_log   /var/log/nginx/mydomain.log.error;
    location / {
        root /home/fr/;
        index index.html;
    }
}
### end of ssl ###

Any help is appreciated.

HBr*_*ijn 10

Order matters in iptables; the rules are traversed sequentially.

REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https

Once everything has been rejected, the subsequent rule that opens port 443 for HTTPS can never be reached and has no effect. Your general reject rule should go last.

  • @AndrewSavinykh I assume Gino ran `nmap` from the server itself, not from a remote host (2 upvotes)
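An added example (not code from the original question or answer) that applies the first-match rule to the asker's own `iptables -L` listing: it flags every rule that sits after a catch-all REJECT/DROP as unreachable, and shows the ordering fix the answer describes. The sample chain is copied from the question; the assumption that rule 4 (`ACCEPT all`) is really the loopback rule whose `-i lo` match plain `iptables -L` hides is mine.

```python
import re

# Constructed input: the asker's `iptables -L` INPUT chain, copied from the question.
IPTABLES_L = """\
ACCEPT     all  --  anywhere       anywhere        state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:http
ACCEPT     icmp --  anywhere       anywhere
ACCEPT     all  --  anywhere       anywhere
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere       anywhere        state NEW udp dpt:smtp
ACCEPT     tcp  --  anywhere       anywhere        tcp dpt:urd
REJECT     all  --  anywhere       anywhere        reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere       anywhere        state NEW tcp dpt:https
"""

def parse_rules(listing):
    """Split `iptables -L` lines into target/prot/src/dst plus the trailing options column."""
    rules = []
    for line in listing.splitlines():
        cols = line.split(None, 5)
        if len(cols) < 5 or cols[0] == "target":  # skip header / blank lines
            continue
        rules.append({"target": cols[0], "prot": cols[1], "src": cols[3],
                      "dst": cols[4], "extra": cols[5] if len(cols) == 6 else ""})
    return rules

def is_catch_all_reject(rule):
    """REJECT/DROP with protocol 'all', any addresses and no match options.
    `reject-with ...` is a target option, not a match, so it is ignored.
    Caveat: plain `iptables -L` hides -i/-o, so an 'ACCEPT all' line may really
    be scoped to lo (assumed to be the case for rule 4 above); only REJECT/DROP is judged."""
    if rule["target"] not in ("REJECT", "DROP"):
        return False
    matches = re.sub(r"reject-with \S+", "", rule["extra"]).strip()
    return (rule["prot"], rule["src"], rule["dst"], matches) == ("all", "anywhere", "anywhere", "")

def shadowed_rules(rules):
    """1-based positions of rules after the first catch-all REJECT/DROP: unreachable."""
    for i, rule in enumerate(rules):
        if is_catch_all_reject(rule):
            return list(range(i + 2, len(rules) + 1))
    return []

def move_catch_all_last(rules):
    """The fix from the answer: the general REJECT becomes the final rule."""
    return ([r for r in rules if not is_catch_all_reject(r)]
            + [r for r in rules if is_catch_all_reject(r)])
```

Running it against a listing taken with `iptables -L -v -n --line-numbers` gives interface columns too, which removes the loopback ambiguity noted in the comments.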