phonon112358's questions

我正在使用 nftables 0.9.8 的 Debian 11 系统上运行网络服务器（nginx 1.21.6）。我的 nftables 配置是：

table inet filter {
chain input {
  type filter hook input priority filter; policy drop;
            ip saddr @spamhaus4 counter packets 0 bytes 0 drop
            ip6 saddr @spamhaus6 counter packets 0 bytes 0 drop
            meta l4proto tcp meta nfproto ipv4 ip saddr @abused counter packets 0 bytes 0 drop
            ip daddr 46.38.148.0-46.38.151.255 drop
            iif "lo" log group 2 accept
            iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
            iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
            ct state established,related log group 2 accept
            ct state invalid counter packets 47 bytes 2572 drop
            tcp dport { 25, 80, 143, 443, 587, 2772, 9980, 45907 } log group 2 accept
            ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } log group 2 accept
            ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } log group 2 accept
            ip6 nexthdr ipv6-icmp log group 2 accept
            counter packets 2686 bytes 421604 drop
    }

    chain IPSinput {
            type filter hook input priority filter + 10; policy drop;
            counter packets 88448 bytes 15799025 queue num 0-3 bypass,fanout
    }

    chain forward {
            type filter hook forward priority filter; policy drop;
    }

    chain output {
            type filter hook output priority filter; policy accept;
    }

    chain IPSoutput {
            type filter hook output priority filter + 10; policy drop;
            counter packets 76196 bytes 201278628 queue num 0-3 bypass,fanout
    }
   }

nftables 防火墙工作正常。

但是，我的 nginx 服务器无法通过 IPv6 访问。我使用了不同的 IPv6 检查工具（例如https://ipv6-test.com/validate.php）并且Qualys ssltest无法通过 IPv6 访问服务器，但是 IPv4 工作正常。我在每个 nginx 服务器中都包含了listen [::]:80;(resp.指令。并给出了listen [::]:443;netstat -anlp |grep nginx

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      48846/nginx: master
tcp        0      0 192.168.42.98:443       93.104.163.178:39001    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:39368    VERBUNDEN   48847/nginx: worker
tcp        0      0 192.168.42.98:443       93.104.163.178:43086    VERBUNDEN   48847/nginx: worker
tcp6       0      0 :::80                   :::*                    LISTEN      48846/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160451   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160453   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160450   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160448   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160452   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160446   48846/nginx: master
unix  3      [ ]         STREAM     VERBUNDEN     160449   48846/nginx: master

在我的路由器上，我也激活了 IPv6。

有谁知道问题出在哪里？

我在 Debian 11 服务器上使用 openssl 1.1.1n 运行 nginx (1.21.6)。尽管我遵循了许多教程并查看了该论坛中有关此主题的多个问题，但我无法使 TLS 1.3 正常工作。的输出nginx -V：

nginx version: nginx/1.21.6
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enable

我将 nginx 升级到主线版本，因为我也无法让 TLS 1.3 在以前的版本中工作。很奇怪……Openssl 绝对支持 TLS 1.3。我通过openssl s_client -tls1_3 -connect www.cloudflare.com:443它进行了测试，效果很好。这是我ssl.conf的 nginx 文件，我包含在每个 nginx 服务器中（证书单独包含在服务器部分中）：

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;  # about 40000 sessions
ssl_session_tickets off;

ssl_stapling on;
#ssl_trusted_certificate /pfad/bundle.ca.pem;
ssl_stapling_verify on;

ssl_dhparam /etc/nginx/dhparams.pem;

ssl_ecdh_curve X448:secp521r1:secp384r1;


ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=31536000;preload;includeSubDomains" always;

然而，我网站的Qualys ssltest并没有显示我在我的服务器上使用 TLS 1.3。此外，Chrome 浏览器显示它通过 TLS 1.2 连接。即使我TLSv1.2从 my 中删除指令ssl.conf并仅离开TLSv1.3，它仍然通过 TLS 1.2 连接。

nginx 的任何其他配置文件中都没有其他ssl_protocols指令。我通过nginx -T.

我真的没有想法了.....有人可以帮助我吗？

编辑： 不知何故，nginx 似乎没有正确地对ssl_protocolsandssl_ecdh_curve指令做出反应。例如，当我ssl_ciphers从我的配置中删除 （正如@drookie 在他的评论中建议的那样）时，我的服务器似乎支持 TLS 1.0 和 TLS 1.1，尽管我设置了ssl_protocols TLSv1.3 TLSv1.2;. 同样，根据Qualys ssltest，secp256r1虽然我的ssl_ecdh_curve(nor prime256v1) 配置中没有这条曲线，但它是受支持的。在我看来，好像有什么东西覆盖了我在ssl.conf文件中的设置。我正在使用 acme.sh 来获取我的证书。 grep -R 'ssl_protocol' /etc/*只ssl.conf用ssl_protocols TLSv1.3 TLSv1.2;. 我不知道什么会导致干扰/覆盖......