wecom_it_smart_desk/docs/WAF转发配置异常排查协助.md

# WAF forwarding configuration request
## Problem
`itsupport.servyou.com.cn` cannot be reached; the browser times out. A forwarding rule for the domain needs to be configured on the WAF.
---
## Evidence chain
### 1. On the server itself the service is healthy ✅
```
# HTTP is forced to HTTPS (nginx returns a 301 redirect)
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl http://localhost/itdesk/health
<html><head><title>301 Moved Permanently</title></head>...nginx/1.27.5</html>
# HTTPS answers normally
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -k https://127.0.0.1/itdesk/health -H "Host: itsupport.servyou.com.cn"
healthy
```
`-k` disables certificate verification, so this only shows that the application answers; the certificate chain is checked separately in step 2. With curl's `--resolve` option pinning itsupport.servyou.com.cn to 127.0.0.1, the same local test can be run against the real hostname (correct SNI and Host) with verification left on.
### 2. TLS certificate is valid ✅
```
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# echo | openssl s_client -connect 127.0.0.1:443 -servername itsupport.servyou.com.cn
CONNECTED(00000003)
depth=2 C=US, O=DigiCert Inc, CN=DigiCert Global Root G2
depth=1 C=US, O=DigiCert, Inc., CN=GeoTrust G2 TLS CN RSA4096 SHA256 2022 CA1
depth=0 C=CN, ST=浙江省, L=杭州市, O=税友软件集团股份有限公司, CN=*.servyou.com.cn
Verification: OK
Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
```
Certificate details:
- Subject: `CN=*.servyou.com.cn` (wildcard certificate)
- Issuer: `GeoTrust G2 TLS CN RSA4096 SHA256 2022 CA1`
- Validity: 2025-12-23 to 2027-01-12

This verifies the certificate served by the backend with the SNI a browser would send. If the WAF terminates TLS, browsers see the WAF's certificate instead, so the same wildcard certificate (and its key) also has to be installed on the WAF's 443 listener.
### 3. DNS resolves to the WAF ✅
```
# The server resolves the name to the WAF's public IP
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# ping -c 1 itsupport.servyou.com.cn
PING itsupport.servyou.com.cn (115.236.188.3): 56(84) bytes of data.
--- itsupport.servyou.com.cn ping statistics ---
1 packets transmitted, 0 received, 100% packet loss
```
- Resolves to `115.236.188.3` (WAF public IP)
- 100% packet loss is expected: the WAF drops ICMP, so ping says nothing about reachability here; only the resolved address matters (`getent hosts` shows it without sending ICMP at all)
### 4. Forwarding through the WAF fails ❌
```
# HTTP via the domain name from the server (times out)
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -v http://itsupport.servyou.com.cn/itdesk/health
* Trying 115.236.188.3:80...
^C (no response before the timeout)
# HTTPS via the domain name from the server (times out)
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -v https://itsupport.servyou.com.cn/itdesk/health
* Trying 115.236.188.3:443...
^C (no response before the timeout)
```
In both cases curl never gets past `Trying 115.236.188.3:<port>`: the TCP handshake with the WAF is never completed, so the request never reaches the TLS or HTTP stage. That points at the WAF's listener/ACL level (no site or listener for this domain, or the connection being dropped) rather than at the backend, which answers locally in step 1.
### 5. Outbound connectivity from the server is fine ✅
```
# WeCom API reachable
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -s https://qyapi.weixin.qq.com/cgi-bin/gettoken
{"errcode":41004,"errmsg":"corpsecret missing", "from ip": "218.75.34.87"}
# PyPI mirror reachable
[root@hz-oa-ai-g-dataquery-90-5-110 ~]# curl -s https://pypi.tuna.tsinghua.edu.cn/
<html><head><title>302 Found</title></head>...nginx/1.22.1</html>
```
The `from ip` field is the server's public egress address (218.75.34.87); worth passing along in case the WAF listener applies a source-IP allowlist.
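The five checks above as one script. This is an added example, not part of the original report or the repository: the hostname, backend address, health path and egress URL are the ones in this report; the 5 s connect timeout, the 30-day expiry margin, the verdict names and the `WAF_CHECK_RUN` gate are assumptions of the example. What it adds over the manual run is `classify_probe`, which reads a `curl -v` transcript and separates "TCP handshake never completed" (the step 4 symptom) from "connected but no HTTP answer" and from a real HTTP status, so the failing layer is read off automatically instead of from a `^C`.

```sh
#!/bin/sh
# waf_path_check.sh -- added example, not part of the repository.
# Re-runs the evidence chain of this report; hosts/paths are the report's,
# the timeouts, verdict names and the WAF_CHECK_RUN gate are assumptions.

DOMAIN="itsupport.servyou.com.cn"
BACKEND="127.0.0.1"            # run on 10.90.5.110 itself
HEALTH_PATH="/itdesk/health"
CONNECT_TIMEOUT=5              # seconds to wait for the TCP handshake
EXPIRY_WARN_SECS=2592000       # warn if the leaf cert expires within 30 days

# classify_probe: read a `curl -v` transcript on stdin, print how far it got.
#   "http <code>"        an HTTP status line came back (something answered)
#   "tcp-ok-no-http"     TCP connected but no status line (TLS/app-layer problem)
#   "tcp-connect-failed" only "Trying host:port": the SYN was never answered,
#                        i.e. no listener/forwarding rule, or an ACL drops us
#   "unknown"            none of the markers above is present
classify_probe() {
  t=$(cat)
  code=$(printf '%s\n' "$t" | sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | head -n 1)
  if [ -n "$code" ]; then
    echo "http $code"
  elif printf '%s\n' "$t" | grep -q '^\* Connected to '; then
    echo "tcp-ok-no-http"
  elif printf '%s\n' "$t" | grep -q '^\* *Trying '; then
    echo "tcp-connect-failed"
  else
    echo "unknown"
  fi
}

# probe <label> <url> [curl args...]: one time-bounded request, verdict on stdout.
probe() {
  label=$1; url=$2; shift 2
  verdict=$(curl -sv -o /dev/null --connect-timeout "$CONNECT_TIMEOUT" \
              --max-time $((CONNECT_TIMEOUT * 3)) "$@" "$url" 2>&1 | classify_probe)
  echo "$label: $verdict"
}

# cert_check <host> <servername>: chain verification plus expiry margin,
# using the SNI that browsers (and the WAF) would send.
cert_check() {
  out=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null)
  if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo "chain: verified"
  else
    echo "chain: NOT verified"
  fi
  # `x509 -checkend N` exits non-zero when the leaf expires within N seconds
  if printf '%s\n' "$out" | openssl x509 -noout -checkend "$EXPIRY_WARN_SECS" >/dev/null 2>&1; then
    echo "expiry: ok, $(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null)"
  else
    echo "expiry: WARNING, leaf expires within 30 days (or no certificate parsed)"
  fi
}

# dns_check <name>: resolution only; ping is useless here because the WAF drops ICMP.
dns_check() {
  getent hosts "$1" | awk '{ print $1; exit }'
}

main() {
  echo "== 1. backend on the box =="
  # --resolve pins the name to 127.0.0.1, so Host, SNI and the certificate
  # check all match the real hostname and -k is not needed for HTTPS
  probe "http  backend" "http://$DOMAIN$HEALTH_PATH"  --resolve "$DOMAIN:80:$BACKEND"
  probe "https backend" "https://$DOMAIN$HEALTH_PATH" --resolve "$DOMAIN:443:$BACKEND"
  echo "== 2. certificate =="
  cert_check "$BACKEND" "$DOMAIN"
  echo "== 3. DNS =="
  echo "$DOMAIN -> $(dns_check "$DOMAIN")"
  echo "== 4. through the WAF =="
  probe "http  via WAF" "http://$DOMAIN$HEALTH_PATH"
  probe "https via WAF" "https://$DOMAIN$HEALTH_PATH"
  echo "== 5. egress =="
  probe "egress       " "https://qyapi.weixin.qq.com/cgi-bin/gettoken"
}

# Gate on an environment variable so the file can also be sourced just for its functions.
if [ "${WAF_CHECK_RUN:-0}" = "1" ]; then
  main
fi
```

Run it on 10.90.5.110 with `WAF_CHECK_RUN=1 sh waf_path_check.sh`; with the state described in this report, the two backend probes should print `http 301` and `http 200`, and the two via-WAF probes `tcp-connect-failed`. Once the forwarding rule exists, a `http 301` on the HTTPS-via-WAF probe is the redirect-loop symptom discussed under the required configuration below.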
---
## Conclusion
| Stage | Status |
|------|------|
| Server (10.90.5.110) | ✅ HTTP/HTTPS service healthy |
| TLS certificate (*.servyou.com.cn) | ✅ valid, TLSv1.3 |
| DNS resolution | ✅ points to the WAF (115.236.188.3) |
| Outbound connectivity from the server | ✅ WeCom API / PyPI reachable |
| **WAF forwarding to the backend** | **❌ not configured: TCP to 115.236.188.3:80/443 never completes, so no traffic reaches 10.90.5.110** |

To confirm from the backend side once the rule exists, `tcpdump -ni any 'port 80 or port 443'` on 10.90.5.110 should show connections arriving from the WAF's address when the domain is requested; note that nginx's access log will then show the WAF, not the end user, as the client unless it logs `X-Forwarded-For`.
---
## Required configuration
Please have the WAF/network team add a forwarding rule:
```
Domain:          itsupport.servyou.com.cn
Listener ports:  80 (HTTP) / 443 (HTTPS)
Forward target:  10.90.5.110:80
```
One caveat on the target port: the backend's port 80 answers every request with a 301 to HTTPS (step 1). If the WAF terminates TLS and forwards the 443 listener to 10.90.5.110:80 as plain HTTP, nginx redirects again and the browser ends up in a redirect loop. Either forward the 443 listener to 10.90.5.110:443 (which steps 1 and 2 show working), or have nginx base the redirect on the `X-Forwarded-Proto` header, if the WAF sets it, rather than on the local scheme.
---
## Server details
| Item | Value |
|------|-----|
| Server IP | 10.90.5.110 |
| Service ports | 80 (HTTP, redirects to HTTPS) + 443 (HTTPS) |
| Domain | itsupport.servyou.com.cn |
| TLS certificate | *.servyou.com.cn (DigiCert, valid until 2027-01-12) |
| OS | Linux (Docker deployment, nginx reverse proxy) |