I spent several days trying to figure out what I was doing wrong.
DNS points to the VPS. On the VPS I have an nginx reverse proxy with SSL termination that forwards requests to the main server. On the main server I have nginx without SSL with WordPress installed (it is a mirror of the same page from another domain; since it is a mirror page, I redirect people to the new server).
When I enter the URL in the browser I immediately see that the site is broken and requests are blocked because of mixed content and CORS.
I must be doing something wrong, and nginx is just doing what I tell it to, but I don't know where I made the mistake.
server {
    listen 80;
    listen [::]:80;
    server_name mypage.dns;
    # rewrite ^(.*) https://$host$1 permanent;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mypage.dns;

    location / {
        add_header X-Served-By $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # proxy_set_header X-Forwarded-Ssl https;
        # proxy_set_header X-Url-Scheme https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Proxy "";
        proxy_pass http://172.16.100.100;
        proxy_redirect off;
        # proxy_redirect http://172.16.100.100/ https://$host/;
        # proxy_pass_request_headers on;
    }

    ssl_certificate /etc/letsencrypt/live/mypage.dns/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mypage.dns/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Next is the config I used earlier, when this worked as a standalone www server, and I would like it to work as a mirror of the original page.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mypage.dns;
    keepalive_timeout 10;
    keepalive_disable msie6;
    keepalive_requests 200;

    include snippets/csp.conf;

    location / {
        #add_header X-Forwarded-Proto https;
        gzip on;
        gzip_static on;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        #add_header X-Forwarded-Proto https;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        gzip on;
        fastcgi_cache MYPAGE;
        fastcgi_cache_valid 200 301 302 10h;
        fastcgi_cache_valid 404 5m;
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
        fastcgi_cache_lock on;
        fastcgi_cache_lock_age 5s;
        fastcgi_cache_lock_timeout 5s;
        fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
        fastcgi_cache_min_uses 1;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        add_header X-Cache-Status $upstream_cache_status;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 600s;
        fastcgi_pass unix:/var/www/mypage.dns/php/php-mypage.sock;
    }

    # The dot must be escaped, otherwise it matches any character and the
    # pattern also catches paths that merely end in one of these extensions.
    location ~* \.(webp|avif|webm|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        sendfile on;
        sendfile_max_chunk 1m;
        tcp_nopush on;
        expires max;
        log_not_found off;
        access_log off;
        include snippets/csp.conf;
        add_header Cache-Control public;
        open_file_cache max=10000 inactive=12h;
        open_file_cache_valid 5m;
        open_file_cache_min_uses 1;
        open_file_cache_errors off;
    }
}
And snippets/csp.conf:
set $cors_origin "";
set $cors_cred "";
set $cors_header "";
set $cors_method "";

if ($http_origin ~ '^https?://(mypage\.dns|cdn\.mypage\.dns|otherpage\.dns)$') {
    set $cors_origin $http_origin;
    set $cors_cred true;
    set $cors_header $http_access_control_request_headers;
    set $cors_method $http_access_control_request_method;
}

add_header Access-Control-Allow-Origin $cors_origin;
add_header Access-Control-Allow-Credentials $cors_cred;
add_header Access-Control-Allow-Headers $cors_header;
add_header Access-Control-Allow-Methods $cors_method;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";
And the code I added to WordPress's wp-config.php:
// Take the public host name from the proxy's X-Forwarded-Host header.
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}

// The proxy terminated TLS, so tell WordPress the original request was HTTPS.
// Note: both headers are trusted unconditionally here, which is only safe when
// port 80 on this backend is reachable solely from the reverse proxy.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
    if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
}

// Build the site URLs from the (forwarded) host so generated links use https.
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);
Looking at it, it makes sense; every tutorial/installation guide/bit of knowledge tells me to just add the headers to the reverse proxy, add a few lines in wp-config (or not), and it should work.
I am checking with curl / a browser in incognito mode.
Every time I try with curl: curl -H 'Pragma: no-cache' https://mypage.dns I see that the http in the source is not changed to https according to PROTO/SCHEME.
I understand that I am: client <---- ssl/443 ---> reverse proxy <---- http/80 ----> nginx wordpress, so WordPress sees http, but as I understand it, that should be overridden by $_SERVER['HTTPS'] = 'on', both with the if logic and with just $_SERVER['HTTPS'] = 'on'.
I don't see any change in the source, and as I understand it, that is the main problem I'm running into.
I tried adding or editing nginx confs, forcing ssl in wp-config, some "magic" or non-intuitive proxy params...
I tried the posts recommended by stackoverflow.
I would like the page to run successfully through the reverse proxy without mixed-content/CSP errors.
The only thing I noticed is that when I try to visit https://mypage.dns/wp-admin/ it gets redirected to the URL of the original page the mirror was made from - that is a separate issue (probably an SQL replace or URL?).
EDIT:
I printed out $_SERVER
and the result is this:
[USER] => www-data
[HOME] => /var/www
[HTTP_COOKIE] => sockem_cookie=d60e502ce4; _ga_5EEYGXVFRX=GS1.1.1709040937.2.1.1709043327.0.0.0; _ga=GA1.1.1067912476.1709025588; _ga_FW712V8LBG=GS1.1.1709040937.2.1.1709043327.55.0.0; _pk_id.11.90a2=5501b80dee4dc1cf.1709025588.; _pin_unauth=dWlkPU1EVmlZVEJpTmpndE1UZGpZUzAwTlRNNUxUaGpZMkl0TjJNd1ltSm1aak5tWkRNdw; _pk_ses.11.90a2=1
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_PRAGMA] => no-cache
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => pl,en-US;q=0.7,en;q=0.3
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
[HTTP_CONNECTION] => close
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_FORWARDED_FOR] => <HOME_IP>
[HTTP_X_REAL_IP] => <HOME_IP>
[HTTP_X_FORWARDED_HOST] => mypage.dns
[HTTP_HOST] => mypage.dns
[SCRIPT_FILENAME] => /var/www/mypage.dns/web/index.php
[REDIRECT_STATUS] => 200
[SERVER_NAME] => oldmypage.dns
[SERVER_PORT] => 80
[SERVER_ADDR] => 172.16.100.100
[REMOTE_USER] =>
[REMOTE_PORT] => 46954
[REMOTE_ADDR] => 172.16.100.1
[SERVER_SOFTWARE] => nginx/1.22.1
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.0
[DOCUMENT_ROOT] => /var/www/mypage.dns/web
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /?test=1
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] =>
[CONTENT_TYPE] =>
[REQUEST_METHOD] => GET
[QUERY_STRING] => test=1
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1709043327.0155
[REQUEST_TIME] => 1709043327
[HTTPS] => on
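As an added example (not code from the question or from WordPress), here is the forwarded-header logic of the wp-config.php snippet above modelled in Python, with the two checks that snippet lacks: the X-Forwarded-* headers are honoured only when the request actually came from the reverse proxy, and the resulting host must be on an allowlist. The sample $_SERVER dictionaries are constructed from the dump above; the proxy address 172.16.100.1 (REMOTE_ADDR in the dump) and the allowlist are assumptions.

```python
"""Derive the scheme and host WordPress should use, trusting proxy headers
only when they came from the reverse proxy. Added example, not WordPress code."""
from dataclasses import dataclass

# Assumptions: the proxy's internal address as the backend sees it (REMOTE_ADDR
# in the dump above) and the host names this mirror is allowed to answer for.
TRUSTED_PROXIES = {"172.16.100.1"}
ALLOWED_HOSTS = {"mypage.dns", "cdn.mypage.dns"}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str

    @property
    def site_url(self) -> str:
        """What WP_SITEURL / WP_HOME would be defined as."""
        return f"{self.scheme}://{self.host}"


def resolve_origin(server: dict) -> Origin:
    """Hardened equivalent of the wp-config.php snippet in the question.

    That snippet copies HTTP_X_FORWARDED_HOST into HTTP_HOST and sets HTTPS=on
    from X-Forwarded-Proto no matter who sent the request. Here the forwarded
    values are used only when REMOTE_ADDR is the proxy, and the chosen host
    must be one this site serves; anything else raises.
    """
    from_proxy = server.get("REMOTE_ADDR") in TRUSTED_PROXIES

    if from_proxy and "HTTP_X_FORWARDED_HOST" in server:
        host = server["HTTP_X_FORWARDED_HOST"]
    else:
        host = server.get("HTTP_HOST", "")

    if from_proxy and server.get("HTTP_X_FORWARDED_PROTO") == "https":
        scheme = "https"
    else:
        # Fall back to what the backend itself saw ('http' in the dump).
        scheme = server.get("REQUEST_SCHEME", "http")

    # Drop an explicit port before matching; IPv6 literals are not expected here.
    host = host.split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to serve for untrusted host {host!r}")
    return Origin(scheme, host)


# Constructed from the $_SERVER dump in the question: a request that arrived
# via the proxy, which terminated TLS and forwarded plain HTTP.
VIA_PROXY = {
    "REMOTE_ADDR": "172.16.100.1",
    "HTTP_HOST": "mypage.dns",
    "HTTP_X_FORWARDED_HOST": "mypage.dns",
    "HTTP_X_FORWARDED_PROTO": "https",
    "REQUEST_SCHEME": "http",
}

# Constructed: the same headers sent straight to port 80 on the backend from
# an address that is not the proxy; the forwarded values must be ignored.
DIRECT_SPOOFED = dict(VIA_PROXY, REMOTE_ADDR="203.0.113.5",
                      HTTP_X_FORWARDED_HOST="other.example")

# Constructed: the proxy forwarding a host name this site does not serve.
UNKNOWN_HOST = dict(VIA_PROXY, HTTP_X_FORWARDED_HOST="other.example")


if __name__ == "__main__":
    print(resolve_origin(VIA_PROXY).site_url)       # https://mypage.dns
    print(resolve_origin(DIRECT_SPOOFED).site_url)  # http://mypage.dns
    try:
        resolve_origin(UNKNOWN_HOST)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the allowlist is that WP_SITEURL and WP_HOME are built from the host header; whatever ends up there is echoed into every generated link, so it should only ever be a name the site actually owns.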
Answer 1
fastcgi_cache
For anyone (probably that one person a few years from now, or more likely future me): I had fastcgi_cache enabled so that WordPress pages generated by PHP would be cached and served quickly...
So the best way to test whether something works is to disable any caching mechanism.
Summary: turn off caching before testing any changes.
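An added example, not part of the answer, of the check the answer recommends: save the headers and body that curl receives through the proxy and look at two things, the X-Cache-Status header that the backend config above already emits (a HIT, STALE or similar value means you are looking at a page generated before your change) and whether the HTML still references the site over plain http. The sample headers and body are constructed; the file names in the usage line are assumptions.

```python
"""Check a response fetched through the proxy: was it served from the
fastcgi_cache, and does the HTML still reference the site over plain http?
Added example, not code from the question or the answer.

Usage (file names are assumptions):
    curl -sD headers.txt -o body.html https://mypage.dns/
    python check_response.py headers.txt body.html
"""
import re
import sys

# Values of nginx's $upstream_cache_status that mean the request went to PHP.
# Anything else (HIT, STALE, UPDATING, REVALIDATED) was answered from the cache.
FRESH_STATUSES = {"MISS", "BYPASS", "EXPIRED"}


def parse_headers(raw: str) -> dict:
    """Parse a curl -D header dump into a dict with lower-cased names.
    Only the last response block is kept, since redirects produce several."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    headers = {}
    for line in blocks[-1].splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_status(headers: dict) -> str:
    """X-Cache-Status as nginx sent it, or NONE if the header is absent."""
    return headers.get("x-cache-status", "NONE").upper()


def from_cache(headers: dict) -> bool:
    """True if nginx answered from fastcgi_cache instead of asking PHP."""
    status = cache_status(headers)
    return status != "NONE" and status not in FRESH_STATUSES


def plain_http_refs(html: str, host: str) -> list:
    """Absolute http:// URLs pointing at the site itself. Each one becomes a
    mixed-content error once the page is delivered over https."""
    pattern = re.compile(
        r"""(?:src|href|action|content)=["']?(http://""" + re.escape(host) + r"""[^"'\s>]*)""",
        re.I,
    )
    return sorted(set(pattern.findall(html)))


def verdict(raw_headers: str, html: str, host: str) -> str:
    """One-line summary a person can act on."""
    headers = parse_headers(raw_headers)
    status = cache_status(headers)
    if from_cache(headers):
        return (f"CACHED ({status}): this page was generated before your change; "
                "purge or bypass the fastcgi_cache and retest")
    refs = plain_http_refs(html, host)
    if refs:
        return f"FRESH ({status}) but {len(refs)} plain-http reference(s) remain: " + ", ".join(refs)
    return f"FRESH ({status}) and no plain-http references to {host}"


# Constructed sample: a cached response whose HTML still links over http.
SAMPLE_HEADERS = (
    "HTTP/2 200 \r\n"
    "server: nginx\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "x-served-by: mypage.dns\r\n"
    "x-cache-status: HIT\r\n"
    "\r\n"
)
SAMPLE_BODY = """<html><head>
<link rel="stylesheet" href="http://mypage.dns/wp-content/themes/x/style.css">
<script src="https://mypage.dns/wp-includes/js/jquery.js"></script>
</head><body><a href="http://mypage.dns/about/">About</a></body></html>"""


if __name__ == "__main__":
    if len(sys.argv) == 3:
        raw, body = (open(p, encoding="utf-8", errors="replace").read()
                     for p in sys.argv[1:3])
    else:
        raw, body = SAMPLE_HEADERS, SAMPLE_BODY
    print(verdict(raw, body, "mypage.dns"))
```

Run it once before and once after a configuration change: if the first word is CACHED, the body tells you nothing about the change, which is exactly the trap the answer describes.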