代理转发在 Nginx、Laravel、弹性负载均衡器上不起作用

tag-icon tag-icon nginx amazon-elb laravel
代理转发在 Nginx、Laravel、弹性负载均衡器上不起作用

我有一个 AWS Elastic Load Balancer,它接收域(bunny.misite.dev)的 https 请求,这些请求通过 http 发送到服务器 Nginx,然后 Laravel App 回答这些请求。

我遇到的问题是 Laravel 没有将请求识别为 Https 而是将请求识别为 http。

为了解决这个问题 Laravel 提供了一个“可信代理”中间件我使用过:

<?php

namespace App\Http\Middleware;

use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = '*';

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_X_FORWARDED_AWS_ELB;
}

我的 nginx 配置是

server {
    listen                  80 ;
    listen                  [::]:80 ;

    server_name             bunny.misite.dev;
    server_tokens           off;
    error_log               /home/main/logs/nginx/bunny-master_error.log;
    access_log              /home/main/logs/nginx/bunny-master_access.log main buffer=16k;
    access_log              /var/log/nginx-rc/bunny-master_traffic.log traffic;

    client_max_body_size    256m;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    root /home/main/webapps/bunny-master/live/public;
    index index.php index.html index.htm;

    location / {
        
        proxy_send_timeout         60;
        proxy_read_timeout         60;
        proxy_buffer_size          128k;
        proxy_buffers              4 256k;
        proxy_busy_buffers_size    256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout       30s;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Server-Addr $server_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;

        proxy_pass http://backend;
    }

    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
    }

    location @proxy {
        proxy_send_timeout         60;
        proxy_read_timeout         60;
        proxy_buffer_size          128k;
        proxy_buffers              4 256k;
        proxy_busy_buffers_size    256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout       30s;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Server-Addr $server_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend;
    }
}

答案1

Laravel >= 5.5 已经使用fideloper/TrustedProxies,因此应该尊重X-Forwarded-Proto标头来决定客户端请求是使用 HTTP 还是 HTTPS。

您的 nginx 配置仍然指定X-Forwarded-Proto为,http因为:

  1. 您指定proxy_set_header X-Forwarded-Proto$scheme,这是客户端请求时 AWS ELB 使用的 URL 方案,并且
  2. nginx 仅接收来自 AWS ELB 的 HTTP 请求,而不是 HTTPS。

要解决此问题,您可以:

  • 配置 nginx 以接收 HTTPS 请求,或
  • 将您的设置proxy_set_header X-Forwarded-Proto$http_x_forwarded_proto。AWS ELB应该发送 X-Forwarded-Proto执行转发请求时从客户端到 nginx 的请求标头。如果您确定 AWS ELB 将始终仅转发 HTTPS 请求,您甚至可以设置proxy_set_header X-Forwarded-Protohttps

相关内容