V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
yozosann
V2EX  ›  问与答

已经获取到证书,也配置好了 nginx,并且也安装了 ssl 模块,重启后 443 接口没有启动?

  •  
  •   yozosann · 2018-05-16 17:26:57 +08:00 · 6180 次点击
    这是一个创建于 2408 天前的主题,其中的信息可能已经有所发展或是发生改变。

    以下是我的 nginx 配置 ,证书从腾讯云那里申请的,搞了两天了 也不知道为什么一直不行。。。

    #user  nobody;
    worker_processes  1;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    #pid        logs/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
    
        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';
    
        #access_log  logs/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        #keepalive_timeout  0;
        keepalive_timeout  65;
    
        #gzip  on;
    
    
        server {
            listen       80;
            server_name xx.com  www.xx.com;
    
            #charset koi8-r;
    
            #access_log  logs/host.access.log  main;
    
            location / {
             proxy_pass http://127.0.0.1:9339;
            #root   /;
                #index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    
            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}
    
            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root           html;
            #    fastcgi_pass   127.0.0.1:9000;
            #    fastcgi_index  index.php;
            #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            #    include        fastcgi_params;
            #}
    
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }
    
    
        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        server {
            listen       80;
        #    listen       somename:8080;
            server_name  myterm.xx.com;
    
            location / {
        #        root   html;
        #        index  index.html index.htm;
        proxy_pass  http://www.yozosann.com:8256/;
            }
        }
    
    
        # HTTPS server
        #
        server {
             listen       443;
             server_name  xx.com  www.xx.com;
    
             ssl                  on;
             ssl_certificate      /usr/local/nginx/ssl/www.xx.com-ca-bundle.crt;
             ssl_certificate_key  /usr/local/nginx/ssl/www.xx.com.key;
    
             ssl_session_timeout  5m;
    
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
             ssl_ciphers  HIGH:!aNULL:!MD5;
             ssl_prefer_server_ciphers   on;
    
            location / {
                 proxy_pass http://127.0.0.1:9339;
        #        root   html;
        #        index  index.html index.htm;
             }
         }
    
    }
    
    23 条回复    2018-09-28 14:51:55 +08:00
    titanium98118
        1
    titanium98118  
       2018-05-16 17:33:08 +08:00
    nginx -t 有报错吗?
    yozosann
        2
    yozosann  
    OP
       2018-05-16 17:44:24 +08:00
    @titanium98118 木有报错啊 很尴尬 看似一切都是正确的。。 但是 443 端口就是没有开
    yozosann
        3
    yozosann  
    OP
       2018-05-16 17:44:54 +08:00
    @titanium98118
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    yozosann
        4
    yozosann  
    OP
       2018-05-16 17:47:17 +08:00
    ```
    server {
    listen 443;
    server_name www.yozosann.com;

    ssl on;
    ssl_certificate 1_www.yozosann.com_bundle.crt;
    ssl_certificate_key 2_www.yozosann.com.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
    proxy_pass http://127.0.0.1:9999;
    # root html;
    # index index.html index.htm;
    }
    }
    ```

    目前改成了这样还是没有用
    elsenow
        5
    elsenow  
       2018-05-16 17:48:20 +08:00
    防火墙是否放行了 443 端口?

    腾讯云控制台安全组是否放行了 443 端口?
    w274189159
        6
    w274189159  
       2018-05-16 17:48:51 +08:00
    @yozosann 看下 nginx 的日志
    elsenow
        7
    elsenow  
       2018-05-16 17:53:26 +08:00
    iMac:~ xxx$ telnet www.yozosann.com 443
    Trying 108.61.182.82...
    telnet: connect to address 108.61.182.82: Connection refused
    telnet: Unable to connect to remote host

    看了下,你这是 443 端口没放行吧?还没到 Nginx 端口这一步
    akira
        8
    akira  
       2018-05-16 18:09:07 +08:00
    errorlog 呢
    yozosann
        9
    yozosann  
    OP
       2018-05-16 18:19:00 +08:00
    @elsenow

    firewall-cmd --list-ports
    4200/tcp 9126/tcp 9126/udp 57575/tcp 38720/tcp 80/tcp 8756/tcp 3306/tcp 9123/udp 443/tcp

    433 放行了 没有启动
    will1916
        10
    will1916  
       2018-05-16 18:24:38 +08:00
    证书物理路径呢?
    yozosann
        11
    yozosann  
    OP
       2018-05-16 18:25:27 +08:00
    @w274189159
    2018/05/16 16:32:22 [notice] 12518#0: signal process started
    2018/05/16 16:32:22 [emerg] 9468#0: unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:105
    2018/05/16 16:37:27 [warn] 13122#0: invalid value "TLSv1.1" in /usr/local/nginx/conf/nginx.conf:111
    2018/05/16 17:15:17 [emerg] 20339#0: unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:105
    2018/05/16 17:17:12 [notice] 22994#0: signal process started
    2018/05/16 17:17:12 [emerg] 9468#0: unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:105
    2018/05/16 17:18:44 [notice] 23179#0: signal process started
    2018/05/16 17:18:44 [emerg] 9468#0: unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:105
    2018/05/16 17:20:30 [notice] 23412#0: signal process started
    2018/05/16 17:20:30 [emerg] 9468#0: unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:105
    2018/05/16 17:36:38 [emerg] 25334#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2018/05/16 17:36:38 [emerg] 25334#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2018/05/16 17:36:38 [emerg] 25334#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2018/05/16 17:36:38 [emerg] 25334#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2018/05/16 17:36:38 [emerg] 25334#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2018/05/16 17:36:38 [emerg] 25334#0: still could not bind()
    2018/05/16 18:24:15 [notice] 31318#0: signal process started
    yozosann
        12
    yozosann  
    OP
       2018-05-16 18:26:01 +08:00
    @will1916 物理路径就在 usr/local/nginx/conf 下
    will1916
        13
    will1916  
       2018-05-16 18:27:23 +08:00
    @yozosann
    不是要这样吗?
    ssl_certificate /usr/local/nginx/conf/1_www.yozosann.com_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/2_www.yozosann.com.key;
    SirLostWhite
        14
    SirLostWhite  
       2018-05-16 18:29:19 +08:00
    unknown directive "ssl"
    你这 nginx 编译没有开 ssl 模块吧
    机器上有 openssl 吗?
    yozosann
        15
    yozosann  
    OP
       2018-05-16 19:06:17 +08:00
    @will1916 是了没有用
    yozosann
        16
    yozosann  
    OP
       2018-05-16 19:06:50 +08:00
    @SirLostWhite 这是之前的问题 已经解决啦 现在能成功运行 但是 443 仍然没有开
    mchl
        17
    mchl  
       2018-05-16 19:51:38 +08:00 via iPhone
    listen 443 ssl;
    shiny
        18
    shiny  
       2018-05-16 20:09:34 +08:00
    一般 https 网页打不开排查方式:
    1. netstat -ln 检查 443 是否有打开, 如果无:检查配置文件和错误日志。
    2. 服务器本机 curl 访问网址是否正常返回,如果无,检查防火墙和云服务器的安全规则是否放行。
    3. 本机检查到服务器是否连同,错误表现如何,比如 DNS 问题、端口未打开、服务器返回状态码不对,都有对应的处理方式。
    lianyue
        19
    lianyue  
       2018-05-16 20:27:54 +08:00
    server {
    listen 80;
    listen 443 ssl;
    server_name xx.com www.xx.com;

    ssl_certificate /usr/local/nginx/ssl/www.xx.com-ca-bundle.crt;
    ssl_certificate_key /usr/local/nginx/ssl/www.xx.com.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    location / {
    proxy_pass http://127.0.0.1:9339;
    #root /;
    #index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    root html;
    }
    }
    cmllwxxl
        20
    cmllwxxl  
       2018-05-17 09:56:25 +08:00
    腾讯云的服务器,看下安全组开了没,之前也是,弄半天,最后腾讯云的安全组没开 443
    yozosann
        21
    yozosann  
    OP
       2018-05-17 11:06:19 +08:00
    @shiny
    1. 443 没有卡,查看日志没有报错
    2. 查看了防火墙已经放行了
    mxywxwk
        22
    mxywxwk  
       2018-09-28 14:47:20 +08:00
    遇到同样的问题,不知楼主解决没有
    mxywxwk
        23
    mxywxwk  
       2018-09-28 14:51:55 +08:00
    我是用的阿里云的服务器,有两个。其中一个配置成功了,可以用 https 访问,同样的方法另一台就不行了。netstat 查看看 nginx 也没有监听着 443。成功的 nginx 用的 1.13.7,失败的用的 1.8.0.
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1394 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 23:51 · PVG 07:51 · LAX 15:51 · JFK 18:51
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.