Mixed content/CSP problem with a (VPS) nginx reverse proxy terminating SSL in front of a (HOME) nginx WordPress

I have spent several days trying to figure out what I am doing wrong.

DNS points to the VPS. On the VPS I have an nginx reverse proxy with SSL termination that forwards requests to the home server. On the home server I have nginx without SSL with WordPress installed (it is a mirror of the same page from another domain; since it is a mirror page I am redirecting people to the new server).

As soon as I type the URL into the browser I see the site broken and requests blocked because of mixed content and CORS.

I must be doing something wrong, and nginx is only doing what I tell it to, but I can't see where I made the mistake.

server {
        listen 80;
        listen [::]:80;

        server_name mypage.dns;
        # rewrite ^(.*) https://$host$1 permanent;
        return 301 https://$host$request_uri; 
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name     mypage.dns;

        location / {
                add_header X-Served-By $host;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                # proxy_set_header X-Forwarded-Ssl https;
                # proxy_set_header X-Url-Scheme https;
                proxy_set_header X-Forwarded-Port 443;
                proxy_set_header Proxy "";
                proxy_pass         http://172.16.100.100;
                proxy_redirect off;
                # proxy_redirect http://172.16.100.100/ https://$host/;
                # proxy_pass_request_headers      on;

        }
        ssl_certificate /etc/letsencrypt/live/mypage.dns/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mypage.dns/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Next, the config that previously worked as a standalone www, which I want to work as a mirror of the original page.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mypage.dns;
    keepalive_timeout 10;
    keepalive_disable msie6;
    keepalive_requests 200;

    include snippets/csp.conf;

    location / {
            #add_header X-Forwarded-Proto https;
            gzip on;
            gzip_static on;
            try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
            #add_header X-Forwarded-Proto https;

            include fastcgi_params;
            fastcgi_intercept_errors on;

            gzip on;

            fastcgi_cache MYPAGE;
            fastcgi_cache_valid 200 301 302 10h;
            fastcgi_cache_valid 404 5m;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            fastcgi_cache_lock on;
            fastcgi_cache_lock_age 5s;
            fastcgi_cache_lock_timeout 5s;
            fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
            fastcgi_cache_min_uses 1;

            fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
            add_header X-Cache-Status $upstream_cache_status;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            fastcgi_read_timeout 600s;
            fastcgi_pass unix:/var/www/mypage.dns/php/php-mypage.sock;
    }
    location ~* \.(webp|avif|webm|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            sendfile           on;
            sendfile_max_chunk 1m;
            tcp_nopush on;
            expires max;
            log_not_found off;
            access_log off;

            include snippets/csp.conf;
            add_header Cache-Control public;
            open_file_cache                 max=10000 inactive=12h;
            open_file_cache_valid           5m;
            open_file_cache_min_uses        1;
            open_file_cache_errors          off;
    }

}

And snippets/csp.conf:

set $cors_origin "";
set $cors_cred   "";
set $cors_header "";
set $cors_method "";

if ($http_origin ~ '^https?://(mypage\.dns|cdn\.mypage\.dns|otherpage\.dns)$') {
        set $cors_origin $http_origin;
        set $cors_cred   true;
        set $cors_header $http_access_control_request_headers;
        set $cors_method $http_access_control_request_method;
}

add_header Access-Control-Allow-Origin      $cors_origin;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header Access-Control-Allow-Headers     $cors_header;
add_header Access-Control-Allow-Methods     $cors_method;

add_header X-Frame-Options "SAMEORIGIN";

add_header X-XSS-Protection "1; mode=block";

add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";


And the code I added to wp-config.php for WordPress:

if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
        $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
}

define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] );
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] );

Looking at it, it makes sense: every tutorial/install guide/piece of advice tells me to just add the headers on the reverse proxy, add (or not) a few lines to wp-config, and it should work.

I am checking with curl and with a browser in incognito mode.

Every time I try with curl: curl -H 'Pragma: no-cache' https://mypage.dns I find that the http in the page source is not changed to https according to PROTO/SCHEME.

I understand that I have: client <---- ssl/443 ---> reverse proxy <---- http/80 ----> nginx wordpress, so WordPress sees http, but as I understand it that should be overridden by $_SERVER['HTTPS'] = 'on'. Even with the if logic, and with just $_SERVER['HTTPS'] = 'on', I don't see any change in the source, and as far as I understand this is the main problem I have.

I tried adding or editing nginx confs, forcing ssl in wp-config, some "magic" or non-intuitive proxy parameters...

I tried the posts recommended by stackoverflow.

I expect the page to work through the reverse proxy without mixed content/csp errors.

The only other thing I noticed is that when I try to access https://mypage.dns/wp-admin/ it is redirected to the URL of the original page the mirror was made from; that is a separate problem (probably the sql replace or the url?).

Edit:

The result of printing $_SERVER looks like this:

[USER] => www-data
[HOME] => /var/www
[HTTP_COOKIE] => sockem_cookie=d60e502ce4; _ga_5EEYGXVFRX=GS1.1.1709040937.2.1.1709043327.0.0.0; _ga=GA1.1.1067912476.1709025588; _ga_FW712V8LBG=GS1.1.1709040937.2.1.1709043327.55.0.0; _pk_id.11.90a2=5501b80dee4dc1cf.1709025588.; _pin_unauth=dWlkPU1EVmlZVEJpTmpndE1UZGpZUzAwTlRNNUxUaGpZMkl0TjJNd1ltSm1aak5tWkRNdw; _pk_ses.11.90a2=1
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_PRAGMA] => no-cache
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => pl,en-US;q=0.7,en;q=0.3
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
[HTTP_CONNECTION] => close
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_FORWARDED_FOR] => <HOME_IP>
[HTTP_X_REAL_IP] => <HOME_IP>
[HTTP_X_FORWARDED_HOST] => mypage.dns
[HTTP_HOST] => mypage.dns
[SCRIPT_FILENAME] => /var/www/mypage.dns/web/index.php
[REDIRECT_STATUS] => 200
[SERVER_NAME] => oldmypage.dns
[SERVER_PORT] => 80
[SERVER_ADDR] => 172.16.100.100
[REMOTE_USER] => 
[REMOTE_PORT] => 46954
[REMOTE_ADDR] => 172.16.100.1
[SERVER_SOFTWARE] => nginx/1.22.1
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.0
[DOCUMENT_ROOT] => /var/www/mypage.dns/web
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /?test=1
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] => 
[CONTENT_TYPE] => 
[REQUEST_METHOD] => GET
[QUERY_STRING] => test=1
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1709043327.0155
[REQUEST_TIME] => 1709043327
[HTTPS] => on

Answer 1

fastcgi_cache

For anyone (probably someone years from now, or more likely future me): I had fastcgi_cache enabled so that the WordPress pages generated by php were cached and delivered quickly...

So the best way to test whether something works is to disable every caching mechanism.

Summary: turn off caching before testing any change.
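Putting the two points together, the check the poster was doing by hand with curl and the answer's advice to take caching out of the picture, here is an added example (not from the question or the answer) of a small diagnostic script. It assumes the site is reached as https://mypage.dns and that the backend maps a request header X-Bypass-Cache: 1 to the $no_cache variable used by fastcgi_cache_bypass (how $no_cache is set is not shown on the page); the X-Cache-Status header it reads is the one the poster's php location already adds. The sample HTML and response headers are constructed.

```shell
#!/bin/sh
# Added example, not part of the question or the answer.
# Checks a TLS-terminated WordPress site for insecure http:// references while
# making sure the response was generated for this request and not replayed
# from fastcgi_cache (the trap described in the answer).
#
# Assumptions not on the page: the backend maps "X-Bypass-Cache: 1" to
# $no_cache (used by fastcgi_cache_bypass), and the cache key includes the
# query string so a unique query also forces a MISS.

SITE="${SITE:-mypage.dns}"

# Print every http:// URL used as a src=, href= or action= attribute value or
# inside CSS url(...) in the HTML read on stdin, one per line, de-duplicated.
# An <a href="http://..."> is navigation rather than mixed content, but it is
# listed too because a hard-coded http:// WP_HOME shows up there as well.
scan_mixed_content() {
    grep -oiE "(src|href|action)=[\"']?http://[^\"' >]+|url\([\"']?http://[^\"')]+" \
        | grep -oiE "http://[^\"' >)]+" \
        | sort -u
}

# Number of distinct insecure references (always prints a number, 0 if none).
count_mixed_content() {
    scan_mixed_content | awk 'END { print NR }'
}

# Extract the X-Cache-Status value from raw response headers on stdin
# (HIT, MISS, BYPASS, EXPIRED, STALE, UPDATING), or "none" if absent.
cache_status() {
    awk 'BEGIN { s = "none" }
         tolower($1) == "x-cache-status:" { s = $2; sub(/\r$/, "", s) }
         END { print s }'
}

# Succeeds only if PHP generated the body for this request; a HIT means the
# current nginx/wp-config changes were never exercised by the test.
fresh_response() {
    case "$1" in
        MISS|BYPASS|EXPIRED) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample (not captured from the poster's site): one https script
# and four insecure references of different kinds.
sample_html() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://mypage.dns/wp-content/themes/x/style.css">
<script src="https://mypage.dns/wp-includes/js/jquery.js"></script>
</head><body>
<img src='http://cdn.mypage.dns/a.png'>
<div style="background:url(http://mypage.dns/bg.jpg)"></div>
<a href="http://otherpage.dns/">home</a>
</body></html>
EOF
}

# Constructed headers in the form curl -D writes for an HTTP/2 response.
sample_headers() {
    printf 'HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\nx-cache-status: HIT\r\nx-served-by: mypage.dns\r\n\r\n'
}

# Live check through the proxy (needs network): fetch the front page with the
# cache bypassed, report where the body came from, and list insecure URLs.
check_site() {
    hdr=$(mktemp) && body=$(mktemp) || return 1
    curl -sS -D "$hdr" -o "$body" \
        -H 'Pragma: no-cache' -H 'X-Bypass-Cache: 1' \
        "https://$SITE/?nocache=$(date +%s)" || { rm -f "$hdr" "$body"; return 1; }
    status=$(cache_status < "$hdr")
    printf 'X-Cache-Status: %s\n' "$status"
    if ! fresh_response "$status"; then
        echo "WARNING: body came from fastcgi_cache; this run did not test the current config"
    fi
    printf 'Insecure references: %s\n' "$(count_mixed_content < "$body")"
    scan_mixed_content < "$body"
    rm -f "$hdr" "$body"
}

# Offline demonstration on the constructed sample.
demo() {
    printf 'Sample cache status: %s\n' "$(sample_headers | cache_status)"
    printf 'Sample insecure references: %s\n' "$(sample_html | count_mixed_content)"
    sample_html | scan_mixed_content
}

if [ "${1:-}" = "live" ]; then check_site; else demo; fi
```

Run it with no arguments to see the scanner work on the constructed sample, or with `live` to fetch https://mypage.dns through the proxy. The point of reading X-Cache-Status before looking at the body is exactly the answer's lesson: a HIT tells you the page you are inspecting was rendered before your change, so any remaining http:// URLs say nothing about the current wp-config or proxy headers.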
