I am setting up Apache on my router (I have installed Tomato, a custom Linux-based firmware package). I have installed Apache successfully and believe I have configured it correctly, but I cannot get the default "It works!" page to load.
Running netstat, whenever I try to access the served files through a browser I can see the value in the "Recv-Q" column increase, but it seems Apache will not or cannot respond to the request. Tailing the Apache error_log also produces nothing.
Does anyone see anything obvious, or have some suggestions for things to try to get this working? Is there any other information I can provide that would help?
Sample netstat output (see the 5th entry, with address ":::www"):
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:52698         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1338            0.0.0.0:*               LISTEN
tcp        4      0 :::www                  :::*                    LISTEN
tcp        0      0 :::domain               :::*                    LISTEN
tcp        0      0 :::ssh                  :::*                    LISTEN
tcp        0      0 :::telnet               :::*                    LISTEN
tcp        0      0 localhost:52698         :::*                    LISTEN
tcp        0      0 :::1338                 :::*                    LISTEN
udp        0      0 localhost:38032         0.0.0.0:*
udp        0      0 0.0.0.0:5038            0.0.0.0:*
udp        0      0 0.0.0.0:domain          0.0.0.0:*
udp        0      0 0.0.0.0:bootps          0.0.0.0:*
udp        0      0 0.0.0.0:60648           0.0.0.0:*
udp        0      0 0.0.0.0:49518           0.0.0.0:*
udp        0      0 0.0.0.0:38000           0.0.0.0:*
udp        0      0 :::domain               :::*
raw        0      0 0.0.0.0:255             0.0.0.0:*               255
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     13850  /opt/var/apache2/run/cgisock.1325
Apache error_log contents:
[Wed Feb 13 16:05:16 2013] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 13 16:05:16 2013] [notice] Digest: done
[Wed Feb 13 16:05:16 2013] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Feb 13 16:05:16 2013] [info] LDAP: SSL support available
[Wed Feb 13 16:05:16 2013] [info] mod_unique_id: using ip addr 192.168.253.1
[Wed Feb 13 16:05:17 2013] [notice] Apache/2.2.20 (Unix) DAV/2 configured -- resuming normal operations
Update: it looks like the firewall is blocking the incoming requests, even though I have opened port 80 (and 443).
Firewall message (address information scrubbed, x = local, y = remote):
Feb 13 16:53:15 UBERnet user.warn kernel: DROP IN=vlan2 OUT= MACSRC=xx:xx:xx:xx:xx:xx MACDST=yy:yy:yy:yy:yy:yy MACPROTO=0800 SRC=yyy.yyy.yyy.yyy DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=57 ID=48272 DF PROTO=TCP SPT=43229 DPT=80 SEQ=3727060622 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056404020000)
iptables -L output:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
shlimit    tcp  --  anywhere             anywhere             tcp dpt:1338 state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1337
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1338
logdrop    all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www

Chain FORWARD (policy DROP)
target     prot opt source               destination
           all  --  anywhere             anywhere             account: network/netmask: 192.168.253.0/255.255.255.0 name: lan
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
monitor    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain logdrop (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `DROP '
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `REJECT '
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset

Chain monitor (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             WEBMON --max_domains 1000 --max_searches 1000

Chain shlimit (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: shlimit side: source
logdrop    all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Update: as a side note, I was able to get lighttpd working using only iptables tweaks, so it looks like this really is a problem specific to Apache's configuration.
Solution
In the firewall's INPUT chain, the logdrop line is what kills your connection. It is a catch-all chain that drops all unwanted traffic. Rule processing never reaches the web rules. You have to move the ACCEPT rules above the logdrop rule.
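To make the first-match problem concrete, here is an added shell example (not part of the question or the answer above) that reads a chain listing, finds the catch-all logdrop rule, reports which ACCEPT rules sit below it and are therefore unreachable, and prints the iptables commands that would move them above it. The listing is constructed to mirror the INPUT chain shown in the question, in the layout that `iptables -L INPUT -n --line-numbers` produces (rule numbers and numeric ports are assumed, since the question's listing was taken without those flags). It is a dry run: nothing is executed, the commands are only printed.

```shell
#!/bin/sh
# Added example: detect ACCEPT rules shadowed by a catch-all logdrop rule in
# the INPUT chain and emit the commands that move them above it. Dry run only.

# Constructed sample, modelled on the question's INPUT chain as
# `iptables -L INPUT -n --line-numbers` would print it (assumed layout).
SAMPLE_INPUT='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    shlimit    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
4    shlimit    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1338 state NEW
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1337
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1338
10   logdrop    all  --  0.0.0.0/0            0.0.0.0/0
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Rule number of the first logdrop (catch-all) rule in the listing.
logdrop_index() {
    printf '%s\n' "$SAMPLE_INPUT" | awk '$2 == "logdrop" { print $1; exit }'
}

# Rule numbers of ACCEPT rules placed after the logdrop rule. Because the
# chain is evaluated top-down and logdrop matches everything, these rules
# are never consulted.
shadowed_rule_numbers() {
    idx=$(logdrop_index)
    printf '%s\n' "$SAMPLE_INPUT" |
        awk -v idx="$idx" '$1 ~ /^[0-9]+$/ && ($1 + 0) > (idx + 0) && $2 == "ACCEPT" { print $1 }'
}

# Destination ports of the shadowed rules, one per line, deduplicated.
shadowed_ports() {
    idx=$(logdrop_index)
    printf '%s\n' "$SAMPLE_INPUT" |
        awk -v idx="$idx" '$1 ~ /^[0-9]+$/ && ($1 + 0) > (idx + 0) && $2 == "ACCEPT" {
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }' | awk '!seen[$0]++'
}

# Print the fix: delete shadowed rules from the bottom up so that the
# remaining rule numbers stay valid, then insert one ACCEPT per port at the
# logdrop position, which pushes logdrop down below the new rules.
plan_fix() {
    idx=$(logdrop_index)
    shadowed_rule_numbers | sort -rn | while read -r n; do
        echo "iptables -D INPUT $n"
    done
    shadowed_ports | while read -r port; do
        echo "iptables -I INPUT $idx -p tcp --dport $port -j ACCEPT"
    done
}

plan_fix
```

Two points worth keeping in mind when applying this on a real router: `iptables -L` without `-v` hides the in/out interface of each rule, so the two bare `ACCEPT all` rules near the top of the question's INPUT chain may well be interface-restricted (loopback, LAN) rather than truly global, and `-v` is the way to confirm that before trusting the listing; and firmwares that rebuild their chains on boot or on WAN reconnect will discard a manual `-I`, so the insert belongs in whatever firewall script the firmware runs after it builds its own rules.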