【发布时间】:2017-08-16 02:25:36
【问题描述】:
我已经在数字海洋上运行了 2 台服务器,我为 webserver 安装了 nginx,为应用服务器安装了 nodejs。
对于应用服务器: Nodeapp 目录:/var/appdata/myapp/ Nodejs 应用程序运行在 4680 端口; 但是在应用服务器中,我有几个 iptables 选项(防火墙)
我为 appserver 做的 IPTABLES 选项:
*filter
# Default policy is to drop all traffic
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow incoming SSH, HTTP and HTTPS traffic
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Allow outgoing SSH, HTTP and HTTPS traffic
# This is useful because we won't be able to download and install
# NPM packages otherwise and use git over SSH
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
# Allow dns lookup
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Set rate limits for DOS attack prevention (optional)
# The rates here greatly depend on your application
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
COMMIT
Webserver 的默认配置是这样的-
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
proxy_pass http://10.135.9.223:4680 ;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
有了所有这些选项,我几乎写下了我猜想的所有内容,但如果有任何遗漏,请告诉我。 所以这里的主要问题是 当我输入http://web-server-ip-address 的网址时,它会响应 504 网关超时
编辑: 当我禁用防火墙时没有问题。
【问题讨论】:
-
防火墙说
10.135.47.36,nginx配置说10.135.9.223?如果 Node.js 服务器在本地运行(到 nginx),只需使用127.0.0.1。 -
这是因为我只允许 1223 端口用于 webservers local-ip
-
哦,我明白了,它们运行在两个独立的(虚拟)服务器上。您确定可以从 Web 服务器访问 10.135.9.223:4680 吗?另外,端口 1223 来自哪里?在听什么?
-
我要重新输入 iptables 配置,你现在可以检查那些编辑
-
我删除了一些我在尝试找到可能让您感到困惑的解决方案时输入的内容。我还运行了 2 个不同的服务器 @robertklep
标签: node.js nginx reverse-proxy iptables