在 CentOS 上運行 Apache:
- 伺服器才不是回應遠端http請求透過製作curl 或網頁瀏覽器(連線已建立,請求已發送,但一段時間後逾時),
- 伺服器做回應遠端http請求透過製作遠端登入,
- 奇怪的是,它做回應本地curl http請求。
遠端telnet請求:
$ telnet www.MYDOMAIN.com.cn 80
Trying XXX.XX.X.XX...
Connected to www.MYDOMAIN.com.cn.
Escape character is '^]'.
GET / HTTP/1.1
User-Agent: curl/7.39.0
Host: www.MYDOMAIN.com.cn
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 23:21:10 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 17 Jun 2015 19:31:35 GMT
ETag: "601a7-8-518bbbd2925bd"
Accept-Ranges: bytes
Content-Length: 8
Connection: close
Content-Type: text/html; charset=UTF-8
Hello !
Connection closed by foreign host.
遠端捲曲請求:
$ curl -v http://www.MYDOMAIN.com.cn/
* Hostname was NOT found in DNS cache
* Trying XXX.XX.X.XX...
* Connected to www.MYDOMAIN.com.cn (XXX.XX.X.XX) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.39.0
> Host: www.MYDOMAIN.com.cn
> Accept: */*
>
因此,這似乎不是防火牆問題(iptables 配置為讓傳入的 tcp 流量通過連接埠 80,自從遠端 telnet 請求得到應答後它就這樣做了)。
我一整天都在為這個問題苦苦掙扎:歡迎所有建議。
編輯:
這似乎是一個 PMTUD 問題。這是我嘗試修復它後的輸出iptables-save
(它仍然不起作用):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2820]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [6344:506105]
:INPUT ACCEPT [601:53242]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2820]
:POSTROUTING ACCEPT [29:2820]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT