apache not accepting incoming connections from outside of localhost
I've booted up a CentOS server on Rackspace and executed yum install httpd. Then service httpd start. So, just the barebones.
I can access its IP address remotely over ssh (22) no problem, so there's no problem with the DNS or anything (I think...), but when I try to connect on port 80 (via a browser or something) I get connection refused. From localhost, however, I can use telnet (80), or even lynx on itself, and get served with no problem. From outside (my house, my school, a local coffee shop, etc.), telnet connects on 22, but not 80.
I use netstat -tulpn (<- I'm not going to lie, I don't understand the -tulpn part, but that's what the internet told me to do...) and see
tcp 0 0 :::80 :::* LISTEN -
as I believe I should. The httpd.conf says Listen 80.
I have service httpd restart'd many a time.
Honestly I have no idea what to do. There is NO way that Rackspace has a firewall on incoming port 80 requests. I feel like I'm missing something stupid, but I've booted up a barebones server twice now and have done the absolute minimum to get this functioning, thinking I had mucked things up with my tinkering, but neither worked.
Any help is greatly appreciated! (And sorry for the long-winded post...)
Edit: I was asked to post the output of iptables -L. So here it is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

In case not solved yet. Your iptables say:
state RELATED,ESTABLISHED
Which means that it lets pass only connections already established... that's established by you, not by remote machines. Then you can see exceptions to this in the next rules:
state NEW tcp dpt:ssh
Which counts only for ssh, so you should add a similar rule/line for http:
state NEW tcp dpt:80
Which you can do like this:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
(In this case I am choosing to add the new rule in the fourth line)
Remember that after editing the file you should save it like this:
sudo /etc/init.d/iptables save
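A small shell audit of the rule-order point made in this answer, added here as an example and not part of the original thread. It takes the question's iptables -L output as constructed input (the two variants with the new rule inserted or appended are constructed as well) and shows why -I INPUT 4 opens port 80 while appending the same rule would land it behind the REJECT and never match.

```shell
# Constructed sample: the question's INPUT chain as `iptables -L` prints it (no -v, so the
# "-i lo" interface match that usually sits on the bare "ACCEPT all" rule is hidden).
CHAIN_ORIGINAL='Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere
ACCEPT     tcp  --  anywhere   anywhere    state NEW tcp dpt:ssh
REJECT     all  --  anywhere   anywhere    reject-with icmp-host-prohibited'

# Constructed: the same chain after `iptables -I INPUT 4 ... --dport 80 -j ACCEPT`. The rule
# becomes number 4, ahead of the REJECT. -L shows ports by service name, hence dpt:http.
CHAIN_INSERTED=$(printf '%s\n' "$CHAIN_ORIGINAL" | awk '
  NR == 6 { print "ACCEPT     tcp  --  anywhere   anywhere    state NEW tcp dpt:http" } { print }')

# Constructed: the same chain after `iptables -A INPUT ... --dport 80 -j ACCEPT` (appended last).
CHAIN_APPENDED="$CHAIN_ORIGINAL
ACCEPT     tcp  --  anywhere   anywhere    state NEW tcp dpt:http"

# port_allowed CHAIN_TEXT PORT_REGEX -> "allowed", "blocked" or "policy:<chain policy>".
# Walks the rules in order, as the kernel does: the first ACCEPT for tcp to the port, or the
# first REJECT/DROP covering tcp, decides. Bare "ACCEPT all" rules are skipped: without -v
# their interface match is invisible, and the question's output shows one did not open 80.
port_allowed() {
  printf '%s\n' "$1" | awk -v port="$2" '
    NR == 1 { sub(/.*\(policy /, ""); sub(/\).*/, ""); policy = tolower($0); next }
    NR == 2 { next }
    ($1 == "REJECT" || $1 == "DROP") && ($2 == "all" || $2 == "tcp") { verdict = "blocked"; exit }
    $1 == "ACCEPT" && $2 == "tcp" && $0 ~ ("dpt:(" port ")([^0-9a-z]|$)") { verdict = "allowed"; exit }
    END { print (verdict == "" ? "policy:" policy : verdict) }'
}

# first_reject_position CHAIN_TEXT -> rule number of the first REJECT/DROP. Any
# `iptables -I INPUT <n>` with n up to this number lands the new rule ahead of it.
first_reject_position() {
  printf '%s\n' "$1" | awk 'NR > 2 && ($1 == "REJECT" || $1 == "DROP") { print NR - 2; exit }'
}

printf 'original chain, port 80:   %s\n' "$(port_allowed "$CHAIN_ORIGINAL" '80|http')" # blocked
printf '-I INPUT 4 chain, port 80: %s\n' "$(port_allowed "$CHAIN_INSERTED" '80|http')" # allowed
printf '-A INPUT chain, port 80:   %s\n' "$(port_allowed "$CHAIN_APPENDED" '80|http')" # blocked
printf 'insert at or before rule:  %s\n' "$(first_reject_position "$CHAIN_ORIGINAL")"  # 5
```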

CentOS 7 uses firewalld by default now. But all the answers focus on iptables. So I wanted to add an answer related to firewalld.
Since firewalld is a "wrapper" for iptables, using antonio-fornie's answer still seems to work, but I was unable to "save" that new rule. So I wasn't able to connect to my apache server as soon as a restart of the firewall happened. Luckily it is actually much more straightforward to make an equivalent change with firewalld commands. First check if firewalld is running:
firewall-cmd --state
If it is running the response will simply be one line that says "running".
To allow http (port 80) connections temporarily on the public zone:
sudo firewall-cmd --zone=public --add-service=http
The above will not be "saved"; next time the firewalld service is restarted it'll go back to default rules. You should use this temporary rule to test and make sure it solves your connection issue before moving on.
To permanently allow http connections on the public zone:
sudo firewall-cmd --zone=public --permanent --add-service=http
If you do the "permanent" command without doing the "temporary" command as well, you'll need to restart firewalld to get your new default rules (this might be different for non-CentOS systems):
sudo systemctl restart firewalld.service
If this hasn't solved your connection issues it may be because your interface isn't in the "public zone". The following link is a great resource for learning about firewalld. It goes over in detail how to check, assign, and configure zones: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

By default, SELinux blocks Apache (and all Apache modules) from making remote connections.
# setsebool -P httpd_can_network_connect=1

Try with the below setting in the iptables config table:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Run the below command to restart the iptables service:
service iptables restart
Change the httpd.conf file to
Listen 192.170.2.1:80
Restart apache. Try now.

If you are using RHEL/CentOS 7 (the OP was not, but I thought I'd share the solution for my case), then you will need to use firewalld instead of the iptables service mentioned in other answers.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
And then check that it is running with:
firewall-cmd --permanent --zone=public --list-all
It should list 80/tcp under ports.

Search the apache config files (httpd.conf, apache2.conf, listen.conf...) for the LISTEN directive; if you see localhost or 127.0.0.1 there, you need to override it with your public IP.

Try disabling iptables: service iptables stop
If this works, enable TCP port 80 in your firewall rules: run system-config-selinux as root, and enable TCP port 80 (HTTP) on your firewall.

This would work: for REDHAT use: cat "/etc/sysconfig/iptables"
iptables -I RH-Firewall-1-INPUT -s 192.168.1.3 -p tcp -m tcp --dport 80 -j ACCEPT
followed by
sudo /etc/init.d/iptables save

This is what worked for us to get apache accessible from outside:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
sudo service iptables restart

Set apache to listen on a specific interface and port, something like below:
Listen 192.170.2.1:80
Also check for iptables and TCP Wrappers entries on the host that might be interfering with outside hosts accessing that port.

Disable SELinux
$ sudo setenforce 0