
I'm on AWS EC2 running CentOS 7.

An Elastic IP address is assigned, along with all the appropriate adapters.

Security group: ports 80 and 443 (plus 8083/8084) are open to all inbound traffic (IPv4 and IPv6). All ports are open for outbound traffic (IPv4 and IPv6).

I can SSH into the server with an authenticated user. I can ping the instance's Elastic IP address as well as the external public IPv4 DNS name that AWS provides.

`netstat -tulpan | egrep ':80|:443'` shows:

```
tcp        0      0 [LOCAL IP REDACTED]:80          0.0.0.0:*            LISTEN      1142/nginx: master
tcp        0      0 0.0.0.0:8083                    0.0.0.0:*            LISTEN      1563/nginx: master
tcp        0      0 127.0.0.1:8084                  0.0.0.0:*            LISTEN      1142/nginx: master
tcp        0      0 [LOCAL IP REDACTED]:443         0.0.0.0:*            LISTEN      1142/nginx: master
```

`systemctl status nginx -l` shows:

```
nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/nginx.service.d
           └─limits.conf
   Active: active (running) since Thu 2021-08-19 16:41:34 UTC; 14min ago
     Docs: http://nginx.org/en/docs/
  Process: 1081 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 1142 (nginx)
   CGroup: /system.slice/nginx.service
           ├─1142 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.con
           ├─1144 nginx: worker process
           ├─1145 nginx: worker process
           └─1146 nginx: cache manager process

Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal systemd[1]: Starting nginx - high performance web server...
Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal nginx[1081]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:10
Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal nginx[1081]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:4
Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal nginx[1081]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:18
Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal systemd[1]: Can't open PID file /var/run/nginx.pid (yet?) after start: No such file or directory
Aug 19 16:41:34 ip-[LOCAL IP REDACTED].us-west-1.compute.internal systemd[1]: Started nginx - high performance web server.
```

The part that says `Can't open PID file /var/run/nginx.pid (yet?) after start: No such file or directory` shows up sometimes, but the file exists and is owned by root. `/var/run/` is symlinked to `/run`. I tried changing the conf to point to `/run/nginx.pid`, but it gave the same error, just listing the updated path.

I'm using a server management panel called VestaCP (don't ask :-/), which loads its own build of nginx (vesta-nginx) on port 8083 to manage the server. It doesn't have SSL.

The normal nginx listens on 80 and 443 and uses SSL. Both are able to run at the same time and have been doing so for many months without issue. When there were problems in the past, only the website was affected, but now both instances work for only a few minutes after an EC2 instance reboot and then give ERR_CONNECTION_TIMED_OUT.

When I restart or reload nginx and/or all the other services, they all show as running (except `cloud-final.service`, but I don't think that's required for this problem), yet the error appears regardless.

I haven't made any configuration changes to the server. It just suddenly started happening.

Here is my VestaCP nginx.conf:

```nginx
user                    [USER REDACTED];
worker_processes        1;
error_log               /usr/local/vesta/log/nginx-error.log;
pid                     /var/run/vesta-nginx.pid;

events {
        worker_connections  128;
        use                 epoll;
}

http {
    # Main settings
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           1m;
    client_body_timeout             3m;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            256m;
    large_client_header_buffers     4   8k;
    send_timeout                    30;
    keepalive_timeout               60 60;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;


    # Log format
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    access_log          /usr/local/vesta/log/nginx-access.log main;


    # SSL PCI Compliance
    ssl_protocols               TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers                 EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_session_cache           shared:SSL:10m;
    ssl_prefer_server_ciphers   on;


    # Mime settings
    include             /usr/local/vesta/nginx/conf/mime.types;
    default_type        application/octet-stream;


    # Compression
    gzip                on;
    gzip_comp_level     9;
    gzip_min_length     512;
    gzip_buffers        8 64k;
    gzip_types          text/plain text/css text/javascript
                        application/x-javascript application/javascript;
    gzip_proxied        any;

    # Proxy settings
    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header   Set-Cookie;
    proxy_connect_timeout   1000;
    proxy_send_timeout  1000;
    proxy_read_timeout  1000;
    proxy_buffers       32 4k;
    fastcgi_read_timeout 300;

    # Error pages
    error_page          403          /error/403.html;
    error_page          404          /error/404.html;
    error_page          502 503 504  /error/50x.html;


    # Vhost
    server {
        listen          8083;
        server_name     _;
        root            /usr/local/vesta/web;
        charset         utf-8;

        # Fix error "The plain HTTP request was sent to HTTPS port"
        error_page      497 https://$host:$server_port$request_uri;

        ssl                  on;
        ssl_certificate      /usr/local/vesta/ssl/certificate.crt;
        ssl_certificate_key  /usr/local/vesta/ssl/certificate.key;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        error_page      404     /error/404/index.html;
        error_page      403     /error/index.html;
        error_page      500     /error/index.html;
        location / {
            expires max;
            index   index.php;
        }

        location /error/ {
            expires max;
            index   index.html;
        }

        location /rrd/ {
            expires off;
            internal;
        }

        location /backup/ {
            root    /;
            internal;
        }

        location ~ \.php$ {
            include         /usr/local/vesta/nginx/conf/fastcgi_params;
            fastcgi_param   SCRIPT_FILENAME /usr/local/vesta/web/$fastcgi_script_name;
            fastcgi_param   QUERY_STRING    $query_string;
            fastcgi_pass    unix:/var/run/vesta-php.sock;
            fastcgi_intercept_errors        on;
            break;
        }
    }
}
```

`nginx -t` gives me:

```
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:10
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:4
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /home/[USER REDACTED]/conf/web/[URL REDACTED].nginx.ssl.conf:18
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

`iptables --list` shows:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

It seems that requests stop reaching the server entirely, as if a firewall were in place, but as outlined above the security group is configured correctly (verified with the AWS Reachability Analyzer) and there is no secondary firewall in place.

Any ideas? I'm dying here.
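One thing worth checking with `netstat` output like the above is which address each listener is bound to: `0.0.0.0` answers on every interface, `127.0.0.1` is reachable only from the box itself, and a bind to one specific private address only answers on that interface (on EC2 the Elastic IP is NATted to the instance's private address, so nginx never sees the public IP). The script below is an added example, not part of the question or of VestaCP; it parses a constructed sample modelled on the question's `netstat -tulpan` output (with a made-up private address `10.0.0.12` standing in for the redacted one) and reports, per port, whether any listener could be reached from outside at all, which separates a "nothing is listening on that interface" problem from a security-group or routing problem.

```shell
#!/usr/bin/env bash
# Added example: classify nginx listeners from `netstat -tulpan` output by
# bind address. Only sockets bound to all interfaces or to a specific
# non-loopback address can be reached from the internet.

# Constructed sample modelled on the question's output; 10.0.0.12 is a
# made-up private address standing in for the redacted one.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.12:80                    0.0.0.0:*            LISTEN      1142/nginx: master
tcp        0      0 0.0.0.0:8083                    0.0.0.0:*            LISTEN      1563/nginx: master
tcp        0      0 127.0.0.1:8084                  0.0.0.0:*            LISTEN      1142/nginx: master
tcp        0      0 10.0.0.12:443                   0.0.0.0:*            LISTEN      1142/nginx: master'

# classify_bind ADDR -> prints "all", "loopback" or "specific"
classify_bind() {
  case "$1" in
    0.0.0.0|'::'|'*') echo all ;;
    127.*|'::1')      echo loopback ;;
    *)                echo specific ;;
  esac
}

# listener_report < netstat output -> one line per LISTEN socket:
#   PORT BIND_CLASS ADDR PROGRAM
# Field 4 is "addr:port", field 7 is "pid/program"; the port is the text
# after the last colon so that IPv6 wildcards such as ":::80" parse too.
listener_report() {
  awk '$6 == "LISTEN" { print $4, $7 }' | while read -r laddr prog; do
    addr="${laddr%:*}"
    port="${laddr##*:}"
    printf '%s %s %s %s\n' "$port" "$(classify_bind "$addr")" "$addr" "$prog"
  done
}

# reachable_from_outside PORT < netstat output -> exit 0 when some listener
# on PORT is bound to all interfaces or to a specific non-loopback address
reachable_from_outside() {
  port="$1"
  listener_report | awk -v p="$port" \
    '$1 == p && ($2 == "all" || $2 == "specific") { found = 1 } END { exit !found }'
}

# The ports the question's security group opens (assumed from the post).
for port in 80 443 8083 8084; do
  if printf '%s\n' "$SAMPLE_NETSTAT" | reachable_from_outside "$port"; then
    echo "port $port: a listener exists that the security group could expose"
  else
    echo "port $port: loopback-only or no listener; the security group is irrelevant"
  fi
done
```

On the real host, replace the sample with `netstat -tulpan | listener_report`. A `specific` bind on 80/443 is only a lead, not a diagnosis: it is worth confirming that the bound address is still the instance's current private address (`ip -4 addr`) and that a request to it from the box itself (`curl -sI http://<that address>/`) succeeds before looking further up the path at the security group or routing.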
