Apache HTTPS site visible locally but not remotely


I'm setting up a new HTTPS server that I hope to make publicly available. This is on Ubuntu 16.04.

I'm having trouble because the site can't be seen remotely. I've configured the router correctly so that it allows access to the appropriate server, and indeed the server's UFW logs seem to show the requests coming in but being blocked:

Mar  5 07:07:18 oc9 kernel: [35729.338614] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=192.168.158.175 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52285 DF PROTO=TCP SPT=47801 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 07:08:01 oc9 kernel: [35772.752517] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar  5 07:08:56 oc9 kernel: [35827.268215] [UFW BLOCK] IN=ens33 OUT= MAC=01:00:5e:00:00:01:40:b7:f3:dd:a5:40:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  5 07:10:06 oc9 kernel: [35897.823432] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2

I'm using UFW and its status is:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

The last thing I know to include here is the output of iptables -vL, but I don't know what I'm looking at here.

Chain INPUT (policy DROP 835 packets, 34384 bytes)
 pkts bytes target     prot opt in     out     source               destination
57949 3365K ufw-before-logging-input  all  --  any    any     anywhere             anywhere
57949 3365K ufw-before-input  all  --  any    any     anywhere             anywhere
53255 2900K ufw-after-input  all  --  any    any     anywhere             anywhere
  835 34384 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
  835 34384 ufw-reject-input  all  --  any    any     anywhere             anywhere
  835 34384 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3514  644K ufw-before-logging-output  all  --  any    any     anywhere             anywhere
 3514  644K ufw-before-output  all  --  any    any     anywhere             anywhere
   75  5592 ufw-after-output  all  --  any    any     anywhere             anywhere
   75  5592 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
   75  5592 ufw-reject-output  all  --  any    any     anywhere             anywhere
   75  5592 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  772 60972 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
  879  215K ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
  203 12180 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
   19  7798 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
50547 2570K ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  835 34384 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  160 11840 ACCEPT     all  --  lo     any     anywhere             anywhere
 4481  448K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    1    40 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    1    40 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    4  1312 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
53300 2903K ufw-not-local  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
53300 2903K ufw-user-input  all  --  any    any     anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  160 11840 ACCEPT     all  --  any    lo      anywhere             anywhere
 3279  627K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   75  5592 ufw-user-output  all  --  any    any     anywhere             anywhere

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
  587 36448 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
  564 18056 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
52149 2848K RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
52420 2866K DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   960 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
   59  4632 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   43  2532 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https /* 'dapp_Apache%20Full' */
    2   104 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

This is the output of "ss -ltnp":

State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    127.0.0.1:3306                  *:*                   users:(("mysqld",pid=1594,fd=16))
LISTEN     0      128    *:22                            *:*                   users:(("sshd",pid=1285,fd=3))
LISTEN     0      128    :::80                           :::*                  users:(("apache2",pid=1947,fd=4),("apache2",pid=1944,fd=4),("apache2",pid=1943,fd=4),("apache2",pid=1942,fd=4),("apache2",pid=1941,fd=4),("apache2",pid=1940,fd=4),("apache2",pid=1937,fd=4))
LISTEN     0      128    :::22                           :::*                  users:(("sshd",pid=1285,fd=4))
LISTEN     0      128    :::443                          :::*                  users:(("apache2",pid=1947,fd=6),("apache2",pid=1944,fd=6),("apache2",pid=1943,fd=6),("apache2",pid=1942,fd=6),("apache2",pid=1941,fd=6),("apache2",pid=1940,fd=6),("apache2",pid=1937,fd=6))

This is the output of "openssl s_client -connect 192.168.158.158:443":

openssl s_client -connect 192.168.158.158:443
CONNECTED(00000003)
depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
   i:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJANpH0YKSCE+FMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
et cetera
q3jJ5FRjd6cWaPKJ25UeMdKJCbpCnmlLadMy3oSDTfqk3UTymhUiJhIgm9S2
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
issuer=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1517 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AAC21087FEAB3ED0D391F3C5AF78FCCF717AE456D107591B7B9FDADD03E44D4C
    Session-ID-ctx:
    Master-Key: 9FA0F50D914170495DCEDFE73AEA1AFDC86491C814F582794C4D55C2265EDC1415A57ADC282992ADF5DC6AF4161F6D19
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1488762616
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

What can I check to see where this went wrong?

by Dennis 05.03.2017 / 13:23

2 answers


In the iptables output, what you're looking for is in the ufw-user-input chain.

The first line opens ports 80 and 443, where it shows multiport dports http,https.

I think you're misreading the ufw logs. Where you see DST=224.0.0.1 it means the firewall is blocking multicast, and on the first line you can see DPT=515, which means the destination port is 515 and not 443.

To make sure the firewall isn't blocking you, you can try running telnet $HTTP_SERVER 443 from the remote host. If you are being blocked, the connection should be refused immediately, because your default policy is deny.

by 05.03.2017 / 14:46
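As an added, illustrative example (not part of the answer above or of ufw itself): a small Python script that reads the "[UFW BLOCK]" lines the way the answer does by hand, separating multicast noise and unrelated ports from blocks that actually hit the web ports. The first two sample lines are copied from the question; the third is a constructed line with a documentation-range source address (203.0.113.7) showing what a genuinely blocked HTTPS attempt would look like, and the fourth is a constructed non-firewall line to show that it is ignored.

```python
import ipaddress
import re

# Sample log text. The first two lines are copied from the question; the third and
# fourth are constructed (203.0.113.7 is a documentation address) so the script has
# one entry that really would explain "site not reachable on 443" and one to skip.
SAMPLE_LOG = """\
Mar  5 07:07:18 oc9 kernel: [35729.338614] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=192.168.158.175 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52285 DF PROTO=TCP SPT=47801 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 07:08:01 oc9 kernel: [35772.752517] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar  5 07:09:30 oc9 kernel: [35861.000000] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=203.0.113.7 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 07:09:31 oc9 systemd[1]: Started Daily apt activities.
"""

WEB_PORTS = {80, 443}          # the ports the "Apache Full" ufw profile opens

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of one '[UFW BLOCK]' line as a dict, or None for other lines.

    Bare flags such as DF and SYN carry no '=' and are deliberately skipped;
    an empty value (OUT= on an inbound packet) is kept as ''.
    """
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    return dict(KV_RE.findall(line.split(marker, 1)[1]))


def classify(fields, web_ports=WEB_PORTS):
    """Say why a blocked packet does or does not matter for a web server that should be reachable."""
    dst = ipaddress.ip_address(fields["DST"])
    if dst.is_multicast:
        # e.g. IGMP queries to 224.0.0.1 from the router: dropping these is expected
        return "multicast"
    if fields.get("PROTO") not in ("TCP", "UDP"):
        return "non-tcp-udp"
    if int(fields.get("DPT", "0")) in web_ports:
        # the only kind of entry that would explain clients failing to reach the site
        return "web-port-blocked"
    return "other-port"


def summarize(log_text):
    """Count blocked packets by category and list the ones aimed at the web ports."""
    counts = {}
    web_hits = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        kind = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "web-port-blocked":
            web_hits.append((fields["SRC"], fields["DST"], fields["PROTO"], fields["DPT"]))
    return counts, web_hits


if __name__ == "__main__":
    counts, web_hits = summarize(SAMPLE_LOG)
    print("blocked packets by category:", counts)
    for src, dst, proto, dpt in web_hits:
        print(f"web port blocked: {src} -> {dst} {proto}/{dpt}")
```

Run against the real log (for example `journalctl -k | python3 this_script.py` after swapping SAMPLE_LOG for stdin), an empty "web-port-blocked" bucket means the firewall never saw a connection attempt to 80 or 443 from outside, which shifts the search from ufw to whatever sits in front of the server; a non-empty bucket names the sources the firewall is actually refusing.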

It turns out that, with a change AT&T made to its firmware, the NVG589 router will not direct NAT/gaming traffic to a new DHCP-derived address. If you had a dynamic address specified at the time of the firmware update, it seems to be fine, but any new ones will not be honored for port forwarding. There is no error message, no warning, no indication of why it won't work or whether it is working - and there is also no way to see what the firewall is doing.

In any case, this was resolved by specifying a fixed IP address (on the router) for the server and then reconfiguring HTTPS.

by 06.03.2017 / 14:28