我已经打开了端口,但仍然没有工作 .
从我本地机器上的gcloud:
C:\Program Files (x86)\Google\Cloud SDK>gcloud compute firewall-rules list
To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.
NAME NETWORK DIRECTION PRIORITY ALLOW DENY
default-allow-https default INGRESS 1000 tcp:443
default-allow-icmp default INGRESS 65534 icmp
default-allow-internal default INGRESS 65534 tcp:0-65535,udp:0-65535,icmp
default-allow-rdp default INGRESS 65534 tcp:3389
default-allow-ssh default INGRESS 65534 tcp:22
django default EGRESS 1000 tcp:8000,tcp:80,tcp:8080,tcp:443
django-in default INGRESS 1000 tcp:8000,tcp:80,tcp:8080,tcp:443
从谷歌 Cloud 上的实例:
admin-u5214628@instance-1:~$ wget localhost:8080
--2017-11-22 01:23:56-- http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://localhost:8080/login/?next=/ [following]
--2017-11-22 01:23:56-- http://localhost:8080/login/?next=/
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 6.26K --.-KB/s in 0s
2017-11-22 01:23:56 (161 MB/s) - ‘index.html’ saved [6411]
但是通过外部IP,没有显示任何内容:
http://35.197.1.158:8080/
我通过以下命令检查了端口:
root@instance-1:/etc# netstat -ntlp | grep LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1539/redis-server 1
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 2138/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1735/sshd
tcp6 0 0 :::22 :::* LISTEN 1735/sshd
我不确定这对Ubuntu防火墙设置是否足够?看起来对我好
在实例中,我检查了我能想到的一切 .
和UFW(简单的防火墙):
root@instance-1:~# ufw status
Status: inactive
根据我的理解,这意味着它已关闭,因此不会阻止任何事情 .
按照建议,我尝试配置 iptables
:
iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
然后我保存它:
root@instance-1:~# iptables-save -c
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*mangle
:PREROUTING ACCEPT [175:18493]
:INPUT ACCEPT [175:18493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [154:15965]
:POSTROUTING ACCEPT [154:15965]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*nat
:PREROUTING ACCEPT [6:300]
:INPUT ACCEPT [6:300]
:OUTPUT ACCEPT [6:360]
:POSTROUTING ACCEPT [6:360]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*filter
:INPUT ACCEPT [169:18193]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:17013]
[6:300] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
它现在看起来像这样:
root@instance-1:~# iptables -v -n -x -L
Chain INPUT (policy ACCEPT 80 packets, 5855 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 52 packets, 6047 bytes)
pkts bytes target prot opt in out source destination
要确保规则得到应用和实时:
iptables-save > /etc/iptables.rules
iptables-apply /etc/iptables.rules
我认为我不需要重新启动/重置实例 .
我想我需要forward traffic to local ip:
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8000
# iptables -t nat -A POSTROUTING -j MASQUERADE
# python manage.py runserver
Performing system checks...
System check identified no issues (0 silenced).
November 24, 2017 - 17:54:00
Django version 1.8.18, using settings 'codebench.settings'
Starting development server at http://127.0.0.1:8000/
这种方式不起作用......
尝试:
python manage.py runserver 0.0.0.0:8080 &
这绝对适用于我的本地机器,只是不在谷歌实例上,我很困惑 .
2 回答
根据我的经验,当我创建计算引擎的实例时,我应该明确标记允许HTTP(S)访问 . 这可能是一件值得关注的事情 .
另一个 - 您在计算引擎实例中部署/使用的操作系统可能有自己的防火墙规则 . 他们需要相应修改 .
基于新提供的有关UFW和Ubuntu的信息 . 我对Ubuntu不是很有信心,但我知道UFW是iptables的包装器 . 我可能错了,但我想如果启用它可能会更好 . 然后,您可以获得有关防火墙配置的更多详细信息 .
我认为问题是服务器只听取127.0.0.1:8080而不是0.0.0.0:8080,应该如此 . 这就是你得到回复http://localhost:8080/而不是http://35.197.1.158:8080的原因 . 有关详细信息,请从stackoverflow What is the difference between 0.0.0.0, 127.0.0.1 and localhost?查看此答案
要更改Apache的配置以侦听0.0.0.0:8080或特定IP和端口,请按照此文档https://httpd.apache.org/docs/2.4/bind.html