Google Cloud Compute Engine refuses external access through apache2


Problem description

Today, I tried to make a blog with Google Cloud Platform.

So, I made a Compute Engine instance and installed Apache2 on Ubuntu 16.

And then I clicked the external IP address, but it showed me "connection denied..".

Why does this happen?

I allowed HTTPS & HTTP traffic as well.

And I can't find a menu like AWS's Security Groups...

So, this problem irritates me...

(I'm not a native English speaker, so the documentation is hard to read.. please give me a tip on this matter)

Solution

TL;DR - You need to open up ports using firewall rules to allow ingress traffic into your VMs.

Google Compute Engine (GCE) blocks all traffic to your VMs by default for the purpose of keeping your infrastructure secure. You can open up ports as needed and manage the security yourself. The default created network has a few exceptions in terms of allowing traffic from other VMs in the network, but still does not allow traffic from outside the network.

Firewalls

Each VPC network has its own firewall controlling access to the instances.

All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it. The exception is the default VPC network that is created automatically with each project. This network has certain automatically created default firewall rules.

For all VPC networks except the automatically created default VPC network, you must create any firewall rules you need. To allow incoming network connections on a manually created VPC network, you need to set up firewall rules to permit these connections. Each firewall rule represents a single rule that determines what connections are permitted to enter or leave instances. It is possible to have many rules and to be as general or specific with these rules as you need. For example, you can create a firewall rule that allows all traffic through port 80 to all instances, or you can create a rule that only allows traffic from one specific IP or IP range to one specific instance.

Firewall rules are connection tracking, and therefore only regulate the initial connection. Once a connection has been established with an instance, traffic is permitted in both directions over that connection.

Since you say apache2 package on Ubuntu, the instructions I share here will guide you on how to open up port 80 on your VM and make it accessible through the VM's public IP. You can do the same for any additional ports as needed.

Using gcloud to allow ingress traffic for tcp:80 into your VM

# Create a new firewall rule that allows INGRESS tcp:80 to VMs carrying the tag 'allow-tcp-80'
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80

# Add the 'allow-tcp-80' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-80

# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list

Using Cloud Console to allow ingress traffic for tcp:80 into your VM

1. Menu -> Networking -> Firewall Rules
2. Create Firewall Rule
3. Choose the following settings for the firewall rule:

  1. Name for the rule - rule-allow-tcp-80 or any other name you prefer for this firewall rule.
  2. Direction is ingress
  3. Action on match is Allow
  4. Targets is Specified target tags
  5. Target tags is allow-tcp-80
  6. Source IP ranges is 0.0.0.0/0 (or if you have a set of IP ranges you know will be the only ones accessing this, use them instead for stronger restriction)
  7. Protocols and ports is tcp:80
  8. Select the Create button to create this firewall rule.

4. Once you've created the above firewall rule you will need to add the tag allow-tcp-80 to all the instances where this rule needs to be applied. In your case:

  1. Open up the GCE VM Instances page
  2. Select the instance where Jenkins is running
  3. In the VM instance details page, select the Edit link at the very top.
  4. In the Network Tags box, enter allow-tcp-80 to apply the tag to this instance.
  5. Select Save to save the changes.

Now give it a few seconds to a few minutes for the changes to take effect and you will be able to access the Jenkins web URL.

You can also go through the documentation for Firewall rules to get a better understanding of how they work and how to configure them.

WARNING: By using a source range of 0.0.0.0/0, you're opening up the port on the VM to the entire internet. This lets clients anywhere in the world connect to the application running on this port. Be fully aware of the security implications of doing this.
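As an added illustration of the evaluation the answer describes (example code written for this page, not Google's implementation and not part of the original answer), the following Python models how a VPC firewall decides whether a new inbound connection to the Apache VM is admitted: every rule is scoped by direction, target tags, protocol/port and source range; the lowest priority number wins, DENY beats ALLOW on a tie, and when nothing matches the implied deny-all-ingress rule drops the packet, which is exactly why an instance that lacks the target tag stays unreachable after the rule is created. The rule names, tags and client addresses are constructed for the example (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges); connection tracking, source tags and service-account targets are not modelled.

```python
"""Toy model of how GCE VPC firewall rules admit or drop an inbound connection.

Example code written for this page; it is not Google's implementation. Rule
names, tags and client addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Rule:
    name: str
    direction: str                      # "INGRESS" or "EGRESS"
    action: str                         # "ALLOW" or "DENY"
    priority: int = 1000                # gcloud default; a lower number wins
    source_ranges: list = field(default_factory=list)  # CIDRs the client must fall in
    target_tags: list = field(default_factory=list)    # empty = every instance in the network
    ports: list = field(default_factory=list)          # e.g. ["tcp:80", "tcp:8000-8100", "all"]

    def matches_port(self, proto: str, port: int) -> bool:
        for spec in self.ports:
            if spec == "all":
                return True
            spec_proto, _, port_range = spec.partition(":")
            if spec_proto != proto:
                continue
            if not port_range:          # bare "tcp" means every port of that protocol
                return True
            lo, _, hi = port_range.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False

    def matches(self, instance_tags, src_ip: str, proto: str, port: int) -> bool:
        if self.direction != "INGRESS":
            return False
        if self.target_tags and not set(self.target_tags) & set(instance_tags):
            return False                # rule is scoped to tags this instance lacks
        if not self.matches_port(proto, port):
            return False
        client = ipaddress.ip_address(src_ip)
        return any(client in ipaddress.ip_network(cidr) for cidr in self.source_ranges)


def ingress_allowed(rules, instance_tags, src_ip: str, proto: str, port: int):
    """Return (allowed, deciding_rule_name) for one new inbound connection.

    The lowest priority number wins; on a tie, DENY beats ALLOW. When no rule
    matches, the implied deny-all-ingress rule (priority 65535) drops it, which
    is why a VM without the target tag is unreachable even after the rule exists.
    Connection tracking is not modelled: this decides only the initial packet.
    """
    hits = [r for r in rules if r.matches(instance_tags, src_ip, proto, port)]
    if not hits:
        return False, "implied-deny-ingress"
    winner = min(hits, key=lambda r: (r.priority, r.action != "DENY"))
    return winner.action == "ALLOW", winner.name


# Constructed rule set: the answer's world-open web rule, a tightened SSH rule
# for one office range, and a higher-priority deny for a known scanner range.
RULES = [
    Rule("rule-allow-tcp-80", "INGRESS", "ALLOW",
         source_ranges=["0.0.0.0/0"], target_tags=["allow-tcp-80"], ports=["tcp:80"]),
    Rule("rule-allow-ssh-office", "INGRESS", "ALLOW",
         source_ranges=["198.51.100.0/24"], target_tags=["allow-ssh"], ports=["tcp:22"]),
    Rule("rule-deny-scanner", "INGRESS", "DENY", priority=900,
         source_ranges=["203.0.113.0/24"], ports=["all"]),   # no tags: applies to all VMs
]

if __name__ == "__main__":
    web = ["allow-tcp-80"]
    print(ingress_allowed(RULES, web, "192.0.2.10", "tcp", 80))      # (True, 'rule-allow-tcp-80')
    print(ingress_allowed(RULES, web, "192.0.2.10", "tcp", 443))     # (False, 'implied-deny-ingress')
    print(ingress_allowed(RULES, [], "192.0.2.10", "tcp", 80))       # untagged VM: still dropped
    print(ingress_allowed(RULES, web, "203.0.113.5", "tcp", 80))     # (False, 'rule-deny-scanner')
    print(ingress_allowed(RULES, ["allow-ssh"], "198.51.100.7", "tcp", 22))
    print(ingress_allowed(RULES, ["allow-ssh"], "192.0.2.10", "tcp", 22))
```

Two practical points the model makes visible: replacing 0.0.0.0/0 with the ranges you actually expect (as the answer's console step 6 suggests) turns the same rule into a per-source allowlist with no other change, and a deny rule with a lower priority number than the default 1000 overrides the world-open allow for that source. Separately, a VPC firewall drop reaches the browser as a connect timeout; an immediate "connection refused" normally means nothing is listening on that port on the VM, or a guest firewall such as ufw rejected it, so also confirm on the instance with `sudo ss -ltnp | grep ':80'` that apache2 is bound before changing cloud rules.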


