Estou criando um novo servidor HTTPS que espero disponibilizar publicamente. Isso está no Ubuntu 16.04.
Estou com dificuldades porque o site não pode ser visto remotamente. Configurei corretamente o roteador que permite o acesso ao servidor apropriado e, de fato, os logs UFW do servidor parecem mostrar que as solicitações entram, mas estão bloqueadas:
Mar 5 07:07:18 oc9 kernel: [35729.338614] [UFW BLOCK] IN=ens32 OUT= MAC=00:0c:29:53:67:c0:2c:56:dc:54:96:a8:08:00 SRC=192.168.158.175 DST=192.168.158.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52285 DF PROTO=TCP SPT=47801 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 5 07:08:01 oc9 kernel: [35772.752517] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar 5 07:08:56 oc9 kernel: [35827.268215] [UFW BLOCK] IN=ens33 OUT= MAC=01:00:5e:00:00:01:40:b7:f3:dd:a5:40:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar 5 07:10:06 oc9 kernel: [35897.823432] [UFW BLOCK] IN=ens32 OUT= MAC=01:00:5e:00:00:01:94:44:52:ec:8c:2d:08:00 SRC=192.168.158.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Estou usando o UFW e seu status é:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
80,443/tcp (Apache Full) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
A última coisa que eu sei incluir aqui é a saída do iptables -vL, mas eu não sei o que estou vendo aqui.
Chain INPUT (policy DROP 835 packets, 34384 bytes)
pkts bytes target prot opt in out source destination
57949 3365K ufw-before-logging-input all -- any any anywhere anywhere
57949 3365K ufw-before-input all -- any any anywhere anywhere
53255 2900K ufw-after-input all -- any any anywhere anywhere
835 34384 ufw-after-logging-input all -- any any anywhere anywhere
835 34384 ufw-reject-input all -- any any anywhere anywhere
835 34384 ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- any any anywhere anywhere
0 0 ufw-before-forward all -- any any anywhere anywhere
0 0 ufw-after-forward all -- any any anywhere anywhere
0 0 ufw-after-logging-forward all -- any any anywhere anywhere
0 0 ufw-reject-forward all -- any any anywhere anywhere
0 0 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3514 644K ufw-before-logging-output all -- any any anywhere anywhere
3514 644K ufw-before-output all -- any any anywhere anywhere
75 5592 ufw-after-output all -- any any anywhere anywhere
75 5592 ufw-after-logging-output all -- any any anywhere anywhere
75 5592 ufw-reject-output all -- any any anywhere anywhere
75 5592 ufw-track-output all -- any any anywhere anywhere
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
772 60972 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
879 215K ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
203 12180 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
19 7798 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
50547 2570K ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
835 34384 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ufw-user-forward all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
160 11840 ACCEPT all -- lo any anywhere anywhere
4481 448K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1 40 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
1 40 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
3 252 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
4 1312 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
53300 2903K ufw-not-local all -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
53300 2903K ufw-user-input all -- any any anywhere anywhere
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
160 11840 ACCEPT all -- any lo anywhere anywhere
3279 627K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
75 5592 ufw-user-output all -- any any anywhere anywhere
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
1 40 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
587 36448 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
564 18056 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
52149 2848K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
52420 2866K DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
16 960 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
59 4632 ACCEPT udp -- any any anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
43 2532 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https /* 'dapp_Apache%20Full' */
2 104 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* 'dapp_OpenSSH' */
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Esta é a saída de "ss -ltnp":
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:3306 : users:(("mysqld",pid=1594,fd=16))
LISTEN 0 128 *:22 : users:(("sshd",pid=1285,fd=3))
LISTEN 0 128 :::80 :::* users:(("apache2",pid=1947,fd=4),("apache2",pid=1944,fd=4),("apache2",pid=1943,fd=4),("apache2",pid=1942,fd=4),("apache2",pid=1941,fd=4),("apache2",pid=1940,fd=4),("apache2",pid=1937,fd=4))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=1285,fd=4))
LISTEN 0 128 :::443 :::* users:(("apache2",pid=1947,fd=6),("apache2",pid=1944,fd=6),("apache2",pid=1943,fd=6),("apache2",pid=1942,fd=6),("apache2",pid=1941,fd=6),("apache2",pid=1940,fd=6),("apache2",pid=1937,fd=6))
Esta é a saída de "openssl s_client -connect 192.168.158.158:443:
openssl s_client -connect 192.168.158.158:443
CONNECTED(00000003)
depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = State, L = City, O = LuvSoft, CN = site.domain.com, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
i:/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJANpH0YKSCE+FMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
et cetera
q3jJ5FRjd6cWaPKJ25UeMdKJCbpCnmlLadMy3oSDTfqk3UTymhUiJhIgm9S2
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
issuer=/C=US/ST=State/L=City/O=LuvSoft/CN=site.domain.com/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1517 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: AAC21087FEAB3ED0D391F3C5AF78FCCF717AE456D107591B7B9FDADD03E44D4C
Session-ID-ctx:
Master-Key: 9FA0F50D914170495DCEDFE73AEA1AFDC86491C814F582794C4D55C2265EDC1415A57ADC282992ADF5DC6AF4161F6D19
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1488762616
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
O que eu posso verificar para ver onde isso deu errado?