Hi Francis, I've tried your suggestions (inline replies below) but am still stuck.
On Thu, 4 Feb 2021 at 10:06, Francis Daly <fran...@daoine.org> wrote:

> On Thu, Feb 04, 2021 at 07:40:35AM +0000, Adam wrote:
>
> > Hi there,
>
> It sounds like something outside of your nginx is preventing the traffic
> from getting to your nginx.
>
> In that case, no nginx config can help you; but there are other things
> you can perhaps look at.
>
> > nginx is running and listening on port 80:
> > tcp   0  0 0.0.0.0:80  0.0.0.0:*  LISTEN  0  42297  3576/nginx: master
> > tcp6  0  0 :::80       :::*       LISTEN  0  42298  3576/nginx: master
> >
> > The server responds fine to requests on port 443, serving traffic exactly
> > as expected:
> > tcp   0  0 0.0.0.0:443 0.0.0.0:*  LISTEN  0  42299  3576/nginx: master
> >
> > I have been testing by sshing to an external machine and trying telnet
> > my.host.name 80 - which times out, compared to telnet my.host.name 443,
> > which connects immediately.
>
> Do your nginx logs indicate that the 443 traffic actually gets to this
> nginx, and not to a random server that allows port-443 connections?

Yes - the log files are good for port 443.

> Perhaps use "curl" to make a request, and confirm that the response is
> from this nginx.

I have tried this on the remote machine and see the html appear in the terminal.

> > The port is open on my router to allow port 80 traffic. This machine is
>
> Do you have any local firewall running on the nginx machine that might
> block or otherwise limit inbound traffic?

I do have iptables managed by fail2ban running on the nginx machine.

> > hosted on my home network, serving personal traffic (services which I use,
> > but not for general internet use). It does respond to port 80 internally,
> > if I use the internal ip address (http://192.168.178.43).
>
> If that test is "from the nginx machine itself", then a local firewall
> probably won't block it. If that test is from another machine on the home
> network, then a local firewall that only allows same-subnet connections
> would allow this, but not allow your external test.
>
> "iptables -L -v -n" might show things there; or whatever local firewall
> command your system might use.

This is the output:

root@home:/home/pi# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
52134 4559K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16  1280 REJECT     all  --  *      *       123.31.41.31         0.0.0.0/0            reject-with icmp-port-unreachable
   35  1677 REJECT     all  --  *      *       103.81.13.80         0.0.0.0/0            reject-with icmp-port-unreachable
   20  1616 REJECT     all  --  *      *       67.205.181.52        0.0.0.0/0            reject-with icmp-port-unreachable
   21  1668 REJECT     all  --  *      *       51.83.128.135        0.0.0.0/0            reject-with icmp-port-unreachable
   16  1224 REJECT     all  --  *      *       14.99.117.194        0.0.0.0/0            reject-with icmp-port-unreachable
   19  1332 REJECT     all  --  *      *       185.2.140.155        0.0.0.0/0            reject-with icmp-port-unreachable
   15  1160 REJECT     all  --  *      *       110.225.122.98       0.0.0.0/0            reject-with icmp-port-unreachable
   21  1672 REJECT     all  --  *      *       112.85.42.74         0.0.0.0/0            reject-with icmp-port-unreachable
   24  1840 REJECT     all  --  *      *       161.35.161.170       0.0.0.0/0            reject-with icmp-port-unreachable
   21  1668 REJECT     all  --  *      *       198.23.228.254       0.0.0.0/0            reject-with icmp-port-unreachable
   79  3720 REJECT     all  --  *      *       189.254.227.84       0.0.0.0/0            reject-with icmp-port-unreachable
   16  1312 REJECT     all  --  *      *       81.68.228.53         0.0.0.0/0            reject-with icmp-port-unreachable
   21  1616 REJECT     all  --  *      *       101.32.116.55        0.0.0.0/0            reject-with icmp-port-unreachable

> > I've kind of run out of ideas, so thought I would post here.
>
> I would probably try to run "tcpdump" on the nginx server, to see what
> port-80 traffic that machine sees when the connection is attempted.

I'd forgotten about tcpdump - thanks for that. This is the output.

11:56:47.592217 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1308629493, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744800432 ecr 1108123496,nop,wscale 7], length 0
11:56:48.597175 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1324331976, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744801437 ecr 1108124499,nop,wscale 7], length 0
11:56:50.611211 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1355801094, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744803451 ecr 1108126515,nop,wscale 7], length 0
11:56:54.937069 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1423392629, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744807777 ecr 1108130771,nop,wscale 7], length 0
11:57:03.126721 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1551356176, ack 3287509164, win 65160, options [mss 1460,sackOK,TS val 3744815967 ecr 1108138963,nop,wscale 7], length 0

> (And maybe look at what is seen for port-443 traffic as well, for
> comparison.)

11:58:00.144568 IP mab.sdf.org.36420 > home.fritz.box.https: Flags [.], ack 1, win 251, options [nop,nop,TS val 1108196048 ecr 2740660288], length 0

These were run on the box that is running nginx.

> Good luck with it,
>
> f
> --
> Francis Daly fran...@daoine.org
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Thanks again,
Adam
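Editor's added example, not part of the thread: a small parser for the tcpdump line shape quoted above that groups packets into client/server flows and flags a handshake where the server's SYN-ACK keeps being retransmitted but the client's ACK never appears (the port-80 pattern in the capture), versus a flow where the ACK is seen (the port-443 line). The sample lines are constructed after the thread's capture; the function and constant names are mine.

```python
import re
from collections import defaultdict

# Matches the tcpdump line shape quoted in the thread:
# "<ts> IP <src>.<port> > <dst>.<port>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

STALLED = "SYN-ACK retransmitted, client ACK never seen: reply path to the client is likely blocked"

def parse_line(line):
    """Return (src, dst, flags) with src/dst as (host, port) tuples, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = tuple(m.group("src").rsplit(".", 1))  # port is the last dotted component
    dst = tuple(m.group("dst").rsplit(".", 1))
    return src, dst, m.group("flags")

def classify_handshakes(lines):
    """Map each (client, server) flow to 'established', 'pending' or STALLED.
    Assumption: a [S.] packet is sent by the server; a pure [.] packet is the client's third packet."""
    synacks, client_acks = defaultdict(int), defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, flags = pkt
        if flags == "S.":
            synacks[(dst, src)] += 1          # server -> client, so the flow key is (client, server)
        elif flags == ".":
            client_acks[(src, dst)] += 1
    status = {}
    for flow in set(synacks) | set(client_acks):
        if client_acks[flow]:
            status[flow] = "established"
        elif synacks[flow] >= 2:               # the same SYN-ACK sent again and again: nobody ACKed it
            status[flow] = STALLED
        else:
            status[flow] = "pending"
    return status

# Constructed sample modelled on the capture in the thread (not the original lines).
SAMPLE = [
    "11:56:47.592217 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1308629493, ack 3287509164, win 65160, length 0",
    "11:56:48.597175 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1324331976, ack 3287509164, win 65160, length 0",
    "11:56:50.611211 IP home.fritz.box.http > mab.sdf.org.40180: Flags [S.], seq 1355801094, ack 3287509164, win 65160, length 0",
    "11:58:00.144568 IP mab.sdf.org.36420 > home.fritz.box.https: Flags [.], ack 1, win 251, length 0",
]

if __name__ == "__main__":
    for (client, server), verdict in sorted(classify_handshakes(SAMPLE).items()):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {verdict}")
```

A stalled verdict means the SYN reached nginx and nginx answered, so the thing to inspect next is the return path (router NAT/port-forward state or an upstream filter), not the nginx config.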