<div dir="ltr"><div>Hi Francis,</div><div><br></div><div>I've tried your suggestions (inline replies below) but am still stuck. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 4 Feb 2021 at 10:06, Francis Daly <<a href="mailto:francis@daoine.org">francis@daoine.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Feb 04, 2021 at 07:40:35AM +0000, Adam wrote:<br>
<br>
Hi there,<br>
<br>
It sounds like something outside of your nginx is preventing the traffic<br>
from getting to your nginx.<br>
<br>
In that case, no nginx config can help you; but there are other things<br>
you can perhaps look at.<br>
<br>
> nginx is running and listening on port 80:<br>
> tcp 0 0 <a href="http://0.0.0.0:80" rel="noreferrer" target="_blank">0.0.0.0:80</a> 0.0.0.0:*<br>
> LISTEN 0 42297 3576/nginx: master<br>
> tcp6 0 0 :::80 :::*<br>
> LISTEN 0 42298 3576/nginx: master<br>
> <br>
> The server responds fine to requests on port 443, serving traffic exactly<br>
> as expected:<br>
> tcp 0 0 <a href="http://0.0.0.0:443" rel="noreferrer" target="_blank">0.0.0.0:443</a> 0.0.0.0:*<br>
> LISTEN 0 42299 3576/nginx: master<br>
<br>
> I have been testing by sshing to an external machine and trying telnet<br>
> <a href="http://my.host.name" rel="noreferrer" target="_blank">my.host.name</a> 80 - which times out, compared to telnet <a href="http://my.host.name" rel="noreferrer" target="_blank">my.host.name</a> 443,<br>
> which connects immediately.<br>
<br>
Do your nginx logs indicate that the 443 traffic actually gets to this<br>
nginx, and not to a random server that allows port-443 connections?<br></blockquote><div><br></div><div>Yes - the log files are good for port 443. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Perhaps use "curl" to make a request, and confirm that the response is<br>
from this nginx.<br></blockquote><div><br></div><div>I have tried this on the remote machine and see the html appear in the terminal. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> The port is open on my router to allow port 80 traffic. This machine is<br>
<br>
Do you have any local firewall running on the nginx machine that might<br>
block or otherwise limit inbound traffic?<br></blockquote><div><br></div><div>I do have iptables managed by fail2ban running on the nginx machine. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> hosted on my home network, serving personal traffic (services which I use,<br>
> but not for general internet use). It does respond to port 80 internally,<br>
> if I use the internal ip address (<a href="http://192.168.178.43" rel="noreferrer" target="_blank">http://192.168.178.43</a>).<br>
<br>
If that test is "from the nginx machine itself", then a local firewall<br>
probably won't block it. If that test is from another machine on the home<br>
network, then a local firewall that only allows same-subnet connections<br>
would allow this, but not allow your external test.<br>
<br>
"iptables -L -v -n" might show things there; or whatever local firewall<br>
command your system might use.<br>
<br></blockquote><div><br></div><div>This is the output: </div><div>root@home:/home/pi# iptables -L -v -n<br>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br>52134 4559K f2b-sshd tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> multiport dports 22<br><br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain f2b-sshd (1 references)<br> pkts bytes target prot opt in out source destination<br> 16 1280 REJECT all -- * * 123.31.41.31 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 35 1677 REJECT all -- * * 103.81.13.80 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 20 1616 REJECT all -- * * 67.205.181.52 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 21 1668 REJECT all -- * * 51.83.128.135 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 16 1224 REJECT all -- * * 14.99.117.194 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 19 1332 REJECT all -- * * 185.2.140.155 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 15 1160 REJECT all -- * * 110.225.122.98 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 21 1672 REJECT all -- * * 112.85.42.74 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 24 1840 REJECT all -- * * 161.35.161.170 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 21 1668 REJECT all -- * * 198.23.228.254 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 79 3720 REJECT all -- * * 189.254.227.84 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 16 1312 REJECT all -- * * 81.68.228.53 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br> 21 1616 REJECT all -- * * 101.32.116.55 <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-port-unreachable<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> I've kind of run out of ideas, so thought I would post here.<br>
<br>
I would probably try to run "tcpdump" on the nginx server, to see what<br>
port-80 traffic that machine sees when the connection is attempted.<br>
<br></blockquote><div><br></div><div>I'd forgotten about tcpdump - thanks for that. This is the output. </div><div> </div><div>11:56:47.592217 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1308629493, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744800432 ecr 1108123496,nop,wscale 7], length 0<br>11:56:48.597175 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1324331976, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744801437 ecr 1108124499,nop,wscale 7], length 0<br>11:56:50.611211 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1355801094, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744803451 ecr 1108126515,nop,wscale 7], length 0<br>11:56:54.937069 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1423392629, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744807777 ecr 1108130771,nop,wscale 7], length 0<br>11:57:03.126721 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1551356176, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744815967 ecr 1108138963,nop,wscale 7], length 0<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
(And maybe look at what is seen for port-443 traffic as well, for<br>
comparison.)<br>
<br></blockquote><div>11:58:00.144568 IP mab.sdf.org.36420 > home.fritz.box.https: Flags [.], ack 1, win 251, options [nop,nop,TS val 1108196048 ecr 2740660288], length 0<br></div><div><br></div><div>These were run on the box that is running nginx. </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Good luck with it,<br>
<br>
f<br>
-- <br>
Francis Daly <a href="mailto:francis@daoine.org" target="_blank">francis@daoine.org</a><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a></blockquote><div><br></div><div>Thanks again,</div><div><br></div><div>Adam </div></div></div>