我正在尝试在我们现有设置上部署新的 Wordpress(使用 Docker 中的 Apache2)单页程序。
在 LB 正下方,我们有一个 Nginx 服务器,它终止 SSL 并通过 Haproxy 将普通的 HTTP 请求代理到 Apache2 后端。
在该设置下,一切运行正常。
但是现在我们通过 Haproxy 将所有子域连同 /login 页面路由到旧应用程序,方式与以前相同,并将其他所有内容发送到我们的 Wordpress 服务器(也通过反向代理发送到其自己的 Apache2)。目标是仅由我们的 Wordpress 容器提供主页和 WP 资源,并从所有子域 + 其 /login 页面为旧应用程序提供服务。
子域路由工作正常,我们正在访问应用程序。问题在于 Wordpress 页面,它部分通过 HTTP 加载内容(因此显示混合内容),并且我们无法访问它的 /wp-admin 页面(进入无限循环)。
配置如下:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
server {
listen 80;
listen [::]:80;
server_name website.info www.website.info;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl spdy;
listen [::]:443 ssl;
server_name website.info www.website.info;
root /var/www/htdocs/;
ssl_certificate /usr/local/ssl.crt;
ssl_certificate_key /usr/local/website.com.key;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /usr/local/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/ssl.crt;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
location / {
index index.php
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 75s;
proxy_redirect off;
proxy_pass http://172.16.11.11/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_pass_header Server;
}
location /login {
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 75s;
proxy_redirect off;
proxy_pass http://127.0.0.1:3214/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_pass_header Server;
}
location /wp-admin/ {
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 75s;
proxy_redirect off;
proxy_pass http://172.16.11.11/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_pass_header Server;
}
}
server {
listen 443 default ssl spdy;
listen [::]:443 ssl;
server_name *.website.info;
root /var/www/htdocs;
ssl_certificate /usr/local/chain1.pem;
ssl_certificate_key /usr/local/key1.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_dhparam /usr/local/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/sslcert/ssl-unified.crt;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
location /public/ {
expires max;
add_header Pragma public;
add_header Cache-Control "public";
}
location / {
index index.php
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 75s;
proxy_redirect off;
proxy_pass http://127.0.0.1:3214/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_pass_header Server;
}
location ~ /\.ht {
deny all;
}
}
在这一点上,我认为我忽略了一些琐碎的事情,并希望其他人能够从另一个角度来审视这个问题。
答案1
您似乎正在将 发送/至/wp-admin/的根部http://172.16.11.11/。
如果你想发送/至http://172.16.11.11/
并/wp-admin/http://172.16.11.11/wp-admin/
您需要调整指令。和 的尾部proxy_pass都会导致重写 URI。请参阅/locationproxy_passnginx这个文件了解详情。
我建议您在 WordPress 实例的情况下需要一个透明的反向代理,在这种情况下:
proxy_pass http://172.16.11.11;
对于两个location区块来说就足够了。