Why Cloudflare's origin connections are dropped and port 443 is unreachable


One cause of HTTP 521 ("Web server is down": Cloudflare could not open a TCP connection to the origin) in a Cloudflare SSL setup is that the origin's firewall rejects connections from Cloudflare's edge ranges on 80/443:

The installed firewalld is too old to support the priority attribute on rich rules (priority was introduced in firewalld 0.7.0), so the priority-based scheme is dropped and replaced by an inverted source match, which has no compatibility problem. The reason ordering matters: within a zone, firewalld evaluates reject/drop rich rules before accept rich rules, so a blanket "reject 80/443" rich rule fires before the Cloudflare accept rules and blocks Cloudflare as well. If the reject rule instead matches only sources that are NOT Cloudflare, it never touches Cloudflare traffic and the evaluation order becomes irrelevant.

1. Write the new script without priority (avoids the ordering bug entirely)

cat > /root/update_cf_fwlx.sh << 'EOF'
#!/bin/bash
# Allow TCP 80/443 only from Cloudflare's published edge ranges, using two
# ipsets and inverted-source rich rules. No priority attribute is used, so this
# also works on firewalld builds older than 0.7.0 (which introduced priority).
set -e
systemctl start firewalld
# Zone bound to the public interface; check with: firewall-cmd --get-active-zones
ZONE=public

# Remove all old 80/443 rich rules from the permanent configuration
firewall-cmd --permanent --zone=$ZONE --list-rich-rules | grep -E 'port="(80|443)"' | while read -r rule; do
    firewall-cmd --permanent --zone=$ZONE --remove-rich-rule "$rule"
done

# Cloudflare IPv4 edge ranges, as published at https://www.cloudflare.com/ips-v4
# (refresh the list before deploying; Cloudflare changes it occasionally)
IPS_V4=(
    173.245.48.0/20 103.21.224.0/22 103.22.200.0/22 103.31.4.0/22
    141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
    197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
    104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
)
# Cloudflare IPv6 edge ranges, as published at https://www.cloudflare.com/ips-v6
IPS_V6=(
    2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
    2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
)

# Rich rules accept a single address per "source"; a list of networks must go
# into an ipset (hash:net), which the rule then references.
for s in cf_v4 cf_v6; do
    firewall-cmd --permanent --delete-ipset=$s 2>/dev/null || true
done
firewall-cmd --permanent --new-ipset=cf_v4 --type=hash:net
firewall-cmd --permanent --new-ipset=cf_v6 --type=hash:net --option=family=inet6
for ip in "${IPS_V4[@]}"; do firewall-cmd --permanent --ipset=cf_v4 --add-entry="$ip"; done
for ip in "${IPS_V6[@]}"; do firewall-cmd --permanent --ipset=cf_v6 --add-entry="$ip"; done

for p in 80 443; do
    # Accept 80/443 from the Cloudflare sets
    firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family='ipv4' source ipset='cf_v4' port port='$p' protocol='tcp' accept"
    firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family='ipv6' source ipset='cf_v6' port port='$p' protocol='tcp' accept"
    # Core: reject 80/443 only when the source is NOT in the set. firewalld
    # evaluates reject/drop rich rules before accept rules, so a plain
    # "port 443 reject" would block Cloudflare too; the inverted match never
    # applies to Cloudflare traffic, so no priority is needed. The reject also
    # shields the ports if https/http services were opened on the zone earlier.
    firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family='ipv4' source NOT ipset='cf_v4' port port='$p' protocol='tcp' reject"
    firewall-cmd --permanent --zone=$ZONE --add-rich-rule="rule family='ipv6' source NOT ipset='cf_v6' port port='$p' protocol='tcp' reject"
done

firewall-cmd --reload
echo "[$(date)] inverted allowlist deployed: only Cloudflare may reach 80/443"
EOF
chmod +x /root/update_cf_fwlx.sh

2. Run the script to generate the new rules

/root/update_cf_fwlx.sh

No priority error is raised at any point during the run. Afterwards, firewall-cmd --zone=public --list-rich-rules should show the accept rules for the Cloudflare ranges together with the inverted reject rules for 80/443, and a direct curl to the origin's 443 from a non-Cloudflare address should be refused while the site keeps loading through Cloudflare.
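Added example (not from the original post): a pure-shell IPv4 CIDR check for auditing, from the web server's access log or the connection table, whether any non-Cloudflare source still reaches 80/443 after the rules are deployed. If it prints anything, the rules landed in a zone that is not bound to the public interface. The function names and the sample "source-ip dest-port" lines are my own; the ranges are Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) copied in so the script runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post or of firewalld.
# Pure-shell IPv4 prefix matching to audit which peers reached 80/443.

# Cloudflare IPv4 edge ranges as published at https://www.cloudflare.com/ips-v4
# (copied here for an offline run; refresh the list before relying on it).
CF_V4="173.245.48.0/20 103.21.224.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip2int DOTTED_QUAD: print the address as a 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: exit 0 if IP lies inside the prefix
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare IP: exit 0 if IP is inside any Cloudflare IPv4 range
is_cloudflare() {
    local n
    for n in $CF_V4; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# non_cf_sources: read "SRC_IP DST_PORT" lines on stdin and print every source
# that hit 80 or 443 without coming from Cloudflare (other ports are ignored).
non_cf_sources() {
    local ip port
    while read -r ip port; do
        case "$port" in 80|443) ;; *) continue ;; esac
        is_cloudflare "$ip" || echo "$ip"
    done
}

# Constructed sample input (hypothetical peers): two Cloudflare edges, a public
# resolver, a GitHub Pages address that is sometimes mistaken for Cloudflare,
# and an SSH client that is out of scope for the 80/443 audit.
SAMPLE="104.16.1.1 443
172.71.200.5 443
8.8.8.8 443
185.199.108.153 443
203.0.113.9 22"

printf '%s\n' "$SAMPLE" | non_cf_sources
```

Feed it real data by pairing the client address with the server port from the access log (or from the peer/local columns of `ss -tn`); on a correctly deployed origin the only 80/443 peers are Cloudflare edges and the output is empty.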