Why Cloudflare's origin-pull connection is dropped and port 443 cannot be reached
One cause of a 521 error in a Cloudflare SSL setup: the installed firewalld is too old to support the priority attribute on rich rules. The priority-based scheme is therefore dropped outright in favour of the inverted-source-match scheme, which has no compatibility problem. It works because firewalld, with or without priority support, always evaluates deny (reject/drop) rich rules before allow rules: a global port reject would block Cloudflare too, whereas a reject limited to non-Cloudflare sources lets Cloudflare through to the allow rules. Cloudflare's published IP ranges change over time, so re-run the script after updating the lists.

1. Run the new script, which uses no priority attribute at all and so sidesteps the ordering bug completely:

cat > /root/update_cf_fwlx.sh << 'EOF'
#!/bin/bash
# Only Cloudflare edge ranges may reach 80/443; every other source is rejected.
# Inversion is done with an ipset plus "source not ipset=...": a rich-rule
# source accepts a single address, not a comma-joined list, and no priority
# attribute is needed, so this also works on firewalld releases without it.
set -u
systemctl start firewalld
ZONE=public

# Remove all old 80/443 rich rules from the permanent configuration
firewall-cmd --permanent --zone="$ZONE" --list-rich-rules | grep -E 'port="(80|443)"' | while read -r rule; do
  firewall-cmd --permanent --zone="$ZONE" --remove-rich-rule "$rule"
done

# Cloudflare IPv4 origin-pull ranges
IPS_V4=(
  103.21.224.0/20 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
  104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18
  162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 185.199.108.0/22
  188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17
)
# Cloudflare IPv6 origin-pull ranges
IPS_V6=(
  2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
  2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
)

# Rebuild both ipsets from scratch so a re-run picks up list changes
for name in cf_v4 cf_v6; do
  firewall-cmd --permanent --get-ipsets | grep -qw "$name" && firewall-cmd --permanent --delete-ipset="$name"
done
firewall-cmd --permanent --new-ipset=cf_v4 --type=hash:net
firewall-cmd --permanent --new-ipset=cf_v6 --type=hash:net --option=family=inet6
for ip in "${IPS_V4[@]}"; do firewall-cmd --permanent --ipset=cf_v4 --add-entry="$ip"; done
for ip in "${IPS_V6[@]}"; do firewall-cmd --permanent --ipset=cf_v6 --add-entry="$ip"; done

for port in 80 443; do
  # Allow Cloudflare on 80/443 (these land in the allow chain)
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source ipset=\"cf_v4\" port port=\"$port\" protocol=\"tcp\" accept"
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv6\" source ipset=\"cf_v6\" port port=\"$port\" protocol=\"tcp\" accept"
  # Core: reject 80/443 only for non-Cloudflare sources. There is no global
  # port reject, so the deny-before-allow ordering cannot block Cloudflare.
  # (Very old firewalld spells the inversion as: source ipset="cf_v4" invert="true")
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source not ipset=\"cf_v4\" port port=\"$port\" protocol=\"tcp\" reject"
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv6\" source not ipset=\"cf_v6\" port port=\"$port\" protocol=\"tcp\" reject"
done

firewall-cmd --reload
echo "[$(date)] reverse-whitelist rules deployed: only Cloudflare can reach 80/443"
EOF
chmod +x /root/update_cf_fwlx.sh

2. Run the script to generate the fresh rule set:

/root/update_cf_fwlx.sh

The run no longer reports any priority error.
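The following check is an added example, not part of the original post or of the script above. It audits the output of firewall-cmd --list-rich-rules for the ordering trap described above (an unconditional reject or drop on 80/443 that would hit the deny chain before any Cloudflare allow rule) and tells whether a given firewalld version string is new enough for the priority attribute (added in firewalld 0.7.0). The rule lines and version strings are constructed sample input, so it runs without a live firewalld.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-rich-rules` output.
# Line 3 is the trap: an unconditional 443 reject blocks Cloudflare as well.
SAMPLE_RULES='rule family="ipv4" source ipset="cf_v4" port port="80" protocol="tcp" accept
rule family="ipv4" source not ipset="cf_v4" port port="443" protocol="tcp" reject
rule family="ipv4" port port="443" protocol="tcp" reject
rule family="ipv4" source address="203.0.113.5" port port="22" protocol="tcp" accept'

# audit_rules LISTING
# Prints every 80/443 deny rule that is not restricted to non-Cloudflare
# sources ("source not ..."). Returns 0 when the listing is clean, 1 otherwise.
audit_rules() {
    printf '%s\n' "$1" | awk '
        /port="(80|443)"/ && /(reject|drop)$/ && !/source not / {
            print "UNSAFE (runs before allow rules): " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# supports_priority VERSION
# Returns 0 when VERSION (as printed by `firewall-cmd --version`) is 0.7.0 or
# newer, i.e. when rich-rule priority is available and the workaround is optional.
supports_priority() {
    lowest=$(printf '%s\n0.7.0\n' "$1" | sort -V | head -n1)
    [ "$lowest" = "0.7.0" ]
}

# Usage on a live host:
#   audit_rules "$(firewall-cmd --zone=public --list-rich-rules)"
#   supports_priority "$(firewall-cmd --version)" && echo "priority available"
audit_rules "$SAMPLE_RULES"
```

Run the audit after deploying the script: a clean listing means no rule can short-circuit the Cloudflare allow rules in the deny chain, regardless of firewalld version.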