I have been using Caddy for years, but I am having problems setting up a domain on a new network.
I have a domain pointed at Caddy, letsencrypt is working, I can reach my docker containers and the services inside them, and HTTP -> HTTPS works (almost).
My problem is that I need to send an HTTPS request from the local machine to the domain in question and have Caddy reverse_proxy it to the correct service. When I make this request from a remote machine, the request is redirected to HTTPS and everything works. But when I make the request from the local machine that hosts the server, caddy logs the 308 redirect from :80 to :443, but the request to :443 times out and Caddy does not log the request.
Caddy runs in a docker container on an Ubuntu 22.04 machine. I have enabled ufw rules, I have disabled ufw entirely, I have tried iptables rules, I have tried sysctl forwarding, I have tried dnsmasq to get the requests to caddy (unfortunately it conflicts with a service I am running). I checked the router in use, and hairpin/NAT reflection seems to be working since :80 is handled successfully.
I am ready to believe that some firewall is somehow interrupting the request, but I cannot figure out how. I am almost ready to break out wireshark because I am completely stumped.
Remote machine (different ISP from the host):
Caddy logs
INF undefined | ts=1680984331.326366 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.000094674 size=0 status=308 resp_headers=[object Object]
DBG undefined | ts=1680984331.5846565 logger=events msg=event name=tls_get_certificate id=e260df2f-c827-4620-9d92-3541c6c006ad origin=tls data=[object Object]
DBG undefined | ts=1680984331.5849168 logger=tls.handshake msg=choosing certificate identifier={DOMAIN_NAME} num_choices=1
DBG undefined | ts=1680984331.584952 logger=tls.handshake msg=default certificate selection results identifier={DOMAIN_NAME} subjects={DOMAIN_NAME} managed=true issuer_key=acme-v02.api.letsencrypt.org-directory hash=26eeed.....8aad7f4a
DBG undefined | ts=1680984331.5849729 logger=tls.handshake msg=matched certificate in cache remote_ip=*{REMOTE_WAN_IP}* remote_port=56236 subjects={DOMAIN_NAME} managed=true expiration=1688700111 hash=26eeed8d.....ad7f4a
DBG undefined | ts=1680984331.648613 logger=http.handlers.reverse_proxy msg=selected upstream dial={DOCKER_CONTAINER}:9000 total_upstreams=1
DBG undefined | ts=1680984331.6510875 logger=http.handlers.reverse_proxy msg=upstream roundtrip upstream={DOCKER_CONTAINER}:9000 duration=0.002419674 request=[object Object] headers=[object Object] status=200
INF undefined | ts=1680984331.6516836 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.003096468 size=19090 status=200 resp_headers=[object Object]
curl
* Trying {HOST_WAN_IP}:80...
* TCP_NODELAY set
* Connected to {DOMAIN_NAME} ({HOST_WAN_IP}) port 80 (#0)
> GET / HTTP/1.1
> Host: {DOMAIN_NAME}
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://{DOMAIN_NAME}/
< Server: Caddy
< Date: Sat, 08 Apr 2023 20:05:31 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://{DOMAIN_NAME}/'
* Trying {HOST_WAN_IP}:443...
* TCP_NODELAY set
* Connected to {DOMAIN_NAME} ({HOST_WAN_IP}) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN={DOMAIN_NAME}
* start date: Apr 8 03:21:51 2023 GMT
* expire date: Jul 7 03:21:50 2023 GMT
* subjectAltName: host "{DOMAIN_NAME}" matched cert's "{DOMAIN_NAME}"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a14b2588c0)
> GET / HTTP/2
> Host: {DOMAIN_NAME}
> user-agent: curl/7.68.0
> accept: */*
>
Host:
Caddy logs
INF undefined | ts=1680983971.422668 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.00003335 size=0 status=308 resp_headers=[object Object]
curl
* Trying {HOST_WAN_IP}:80...
* Connected to {DOMAIN_NAME} ({HOST_WAN_IP}) port 80 (#0)
> GET / HTTP/1.1
> Host: {DOMAIN_NAME}
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://{DOMAIN_NAME}/
< Server: Caddy
< Date: Sat, 08 Apr 2023 19:59:31 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://{DOMAIN_NAME}/'
* Trying {HOST_WAN_IP}:443...
* connect to {HOST_WAN_IP} port 443 failed: Connection timed out
* Failed to connect to {DOMAIN_NAME} port 443 after 130480 ms: Connection timed out
* Closing connection 1
curl: (28) Failed to connect to {DOMAIN_NAME} port 443 after 130480 ms: Connection timed out
I have really been banging my head against the wall on this one.
Thanks in advance,
施莫里森
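As an added example (not code from the poster or from Caddy), the script below parses the console-format log lines quoted in the post and flags access-log 308 redirects that are never followed by a tls.handshake event, which is exactly the host-side symptom described above; the embedded log samples are copied from the post, placeholders included.

```python
"""Spot '308 issued but the HTTPS follow-up never arrived' in Caddy console logs."""

# Constructed sample input: the log excerpts from the post, one per case
# (placeholders such as {DOMAIN_NAME} are the poster's own redactions).
REMOTE_LOGS = """\
INF undefined | ts=1680984331.326366 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.000094674 size=0 status=308 resp_headers=[object Object]
DBG undefined | ts=1680984331.5849168 logger=tls.handshake msg=choosing certificate identifier={DOMAIN_NAME} num_choices=1
DBG undefined | ts=1680984331.5849729 logger=tls.handshake msg=matched certificate in cache remote_ip=*{REMOTE_WAN_IP}* remote_port=56236 subjects={DOMAIN_NAME} managed=true expiration=1688700111 hash=26eeed8d.....ad7f4a
INF undefined | ts=1680984331.6516836 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.003096468 size=19090 status=200 resp_headers=[object Object]
"""
HOST_LOGS = """\
INF undefined | ts=1680983971.422668 logger=http.log.access.log0 msg=handled request request=[object Object] user_id= duration=0.00003335 size=0 status=308 resp_headers=[object Object]
"""


def parse_line(line):
    """Parse one 'LEVEL x | key=value key=value ...' line into a dict.

    Values may contain spaces (msg=handled request), so a token without '='
    is appended to the previous key's value instead of starting a new key.
    """
    level, _, body = line.partition("|")
    fields = {"level": level.split()[0]}
    key = None
    for tok in body.split():
        if "=" in tok and not tok.startswith("["):  # "[object" belongs to a value
            key, _, val = tok.partition("=")
            fields[key] = val
        elif key is not None:
            fields[key] += " " + tok
    return fields


def stranded_redirects(log_text, window=5.0):
    """Timestamps of access-log 308s not followed within `window` seconds by a
    tls.handshake event: the redirect went out but no HTTPS connection came in."""
    events = [parse_line(l) for l in log_text.splitlines() if "|" in l]
    handshakes = [float(e["ts"]) for e in events if e.get("logger") == "tls.handshake"]
    stranded = []
    for e in events:
        if e.get("logger", "").startswith("http.log.access") and e.get("status") == "308":
            t = float(e["ts"])
            if not any(t <= h <= t + window for h in handshakes):
                stranded.append(t)
    return stranded


if __name__ == "__main__":
    for name, text in (("remote", REMOTE_LOGS), ("host", HOST_LOGS)):
        print(name, "stranded 308s:", stranded_redirects(text))
```

A stranded 308 with no handshake at all means the :443 SYN never reached Caddy, so the problem is in the path (host firewall, docker NAT or router hairpin) rather than in Caddy's TLS or reverse_proxy configuration.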