个人中心
文章发布
退出
作者热门文章
- android - 多次调用 OnPrimaryClipChangedListener
- android - 无法更新 RecyclerView 中的 TextView 字段
- android.database.CursorIndexOutOfBoundsException : Index 0 requested, 光标大小为 0
- android - 使用 AppCompat 时,我们是否需要明确指定其 UI 组件(Spinner、EditText)颜色
26
4
有 Nginx/Varnish/SSL 高手吗?我已成功配置 CentOS7 服务器并运行 Magento 2.17。然后我决定我希望通过 SSL 运行所有内容并让 Varnish 仍然缓存页面。
因为 Varnish 不处理 SSL,所以我重新配置了 Varnish 和 Nginx 以终止 SSL。 Nginx 当前配置为监听端口 443 并将请求传递给端口 8081 上的 Varnish。然后 Varnish 应该提供查询并将其返回给监听端口 8080 的 Nginx。当我发出 HTTPS 请求时,nginx 成功传递了它到 Varnish 然后,据我从日志中可以看出,它在浏览器将其关闭并显示消息“页面未正确重定向”之前重定向了 20 次。
这可能是我没能发现的又小又蠢的东西,如果有第二双眼睛,我将不胜感激。
我的 test.com 域的 nginx test.conf 文件:
## Proxy server to terminate ssl, loop to Varnish-HTTP -> nginx-HTTPS
server {
listen 443 ssl http2;
server_name test.com;
sub_filter 'http://' 'https://';
sub_filter_once off;
## SSL CONFIGURATION
ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;
# proxy-pass to Varnish
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
proxy_set_header X-Scheme https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Secure on;
}
}
server {
listen 8080;
server_name test.com;
access_log /var/log/nginx/access.log main if=$writelog;
error_log /var/log/nginx/error.log error;
if ($bad_client) { return 444; }
set $MAGE_ROOT /home/test/public_html;
root $MAGE_ROOT/pub;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
## Process php files (strict rule, define files to be executed)
location ~ (index|get|static|report|btNenBhQtLNu_opcache_gui|404|503)\.php$ {
try_files $uri =404;
## specific security and compatibility headers
add_header X-Config-By 'Test' always;
add_header X-Processing-Time $request_time always;
add_header X-Request-ID $request_id always;
add_header Strict-Transport-Security $hsts_header always;
add_header X-UA-Compatible 'IE=Edge,chrome=1';
add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"" always;
## php backend settings
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_keep_conn on;
# microcache
fastcgi_no_cache $no_cache;
fastcgi_cache_bypass $no_cache;
fastcgi_cache microcache;
fastcgi_cache_key $scheme|$host|search|$arg_q;
fastcgi_cache_valid 200 301 302 2h;
fastcgi_cache_use_stale updating error timeout invalid_header http_500;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# microcache
}
## Block other undefined php files, possible injections and random malware hooks.
location ~* \.php$ { return 404; }
}varnish.params 文件:
# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings
# Set this to 1 to make systemd reload try to switch VCL without restart.
RELOAD_VCL=1
# Main configuration file. You probably want to change it.
VARNISH_VCL_CONF=/etc/varnish/default.vcl
# Default address and port to bind to. Blank address means all IPv4
# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
# quad, or an IPv6 address in brackets.
VARNISH_LISTEN_ADDRESS=127.0.0.1
VARNISH_LISTEN_PORT=8081
# Admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret
# Backend storage specification, see Storage Types in the varnishd(5)
# man page for details.
VARNISH_STORAGE="malloc,1G"
# User and group for the varnishd worker processes
VARNISH_USER=varnish
VARNISH_GROUP=varnish
# Other options, see the man page varnishd(1)
DAEMON_OPTS="-p thread_pool_min=200 \
-p thread_pool_max=4000 \
-p thread_pool_add_delay=2 \
-p cli_timeout=25 \
-p cli_buffer=26384 \
-p syslog_cli_traffic=off \
-p feature=+esi_disable_xml_check,+esi_ignore_other_elements \
-p vcc_allow_inline_c=on \
-p timeout_linger=100"Varnish default.vcl:
vcl 4.0;
import std;
# The minimal Varnish version is 4.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'SSL-OFFLOADED: https'
backend default {
.host = "127.0.0.1";
.port = "8080";
}
acl purge {
"localhost";
"127.0.0.1";
}
sub vcl_recv {
if (req.method == "PURGE") {
if (client.ip !~ purge) {
return (synth(405, "Method not allowed"));
}
if (!req.http.X-Magento-Tags-Pattern) {
return (synth(400, "X-Magento-Tags-Pattern header required"));
}
ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
return (synth(200, "Purged"));
}
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
req.method != "POST" &&
req.method != "TRACE" &&
req.method != "OPTIONS" &&
req.method != "DELETE") {
/* Non-RFC2616 or CONNECT which is weird. */
return (pipe);
}
# We only deal with GET and HEAD by default
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
# Bypass shopping cart, checkout and search requests
if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
return (pass);
}
# normalize url in case of leading HTTP scheme and domain
set req.url = regsub(req.url, "^http[s]?://", "");
# collect all cookies
std.collect(req.http.Cookie);
# Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
if (req.http.Accept-Encoding) {
if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
# No point in compressing these
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
set req.http.Accept-Encoding = "deflate";
} else {
# unkown algorithm
unset req.http.Accept-Encoding;
}
}
# Remove Google gclid parameters to minimize the cache objects
set req.url = regsuball(req.url,"\?gclid=[^&]+$",""); # strips when QS = "?gclid=AAA"
set req.url = regsuball(req.url,"\?gclid=[^&]+&","?"); # strips when QS = "?gclid=AAA&foo=bar"
set req.url = regsuball(req.url,"&gclid=[^&]+",""); # strips when QS = "?foo=bar&gclid=AAA" or QS = "?foo=bar&gclid=AAA&bar=baz"
# static files are always cacheable. remove SSL flag and cookie
if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
unset req.http.Https;
unset req.http.SSL-OFFLOADED;
unset req.http.Cookie;
}
return (hash);
}
sub vcl_hash {
if (req.http.cookie ~ "X-Magento-Vary=") {
hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
}
# For multi site configurations to not cache each other's content
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}
# To make sure http users don't see ssl warning
if (req.http.SSL-OFFLOADED) {
hash_data(req.http.SSL-OFFLOADED);
}
}
sub vcl_backend_response {
if (beresp.http.content-type ~ "text") {
set beresp.do_esi = true;
}
if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
set beresp.do_gzip = true;
}
# cache only successfully responses and 404s
if (beresp.status != 200 && beresp.status != 404) {
set beresp.ttl = 0s;
set beresp.uncacheable = true;
return (deliver);
} elsif (beresp.http.Cache-Control ~ "private") {
set beresp.uncacheable = true;
set beresp.ttl = 86400s;
return (deliver);
}
if (beresp.http.X-Magento-Debug) {
set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
}
# validate if we need to cache it and prevent from setting cookie
# images, css and js are cacheable by default so we have to remove cookie also
if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
unset beresp.http.set-cookie;
if (bereq.url !~ "\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)(\?|$)") {
set beresp.http.Pragma = "no-cache";
set beresp.http.Expires = "-1";
set beresp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
set beresp.grace = 1m;
}
}
# If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
if (beresp.ttl <= 0s ||
beresp.http.Surrogate-control ~ "no-store" ||
(!beresp.http.Surrogate-Control && beresp.http.Vary == "*")) {
# Mark as Hit-For-Pass for the next 2 minutes
set beresp.ttl = 120s;
set beresp.uncacheable = true;
}
return (deliver);
}
sub vcl_deliver {
if (resp.http.X-Magento-Debug) {
if (resp.http.x-varnish ~ " ") {
set resp.http.X-Magento-Cache-Debug = "HIT";
} else {
set resp.http.X-Magento-Cache-Debug = "MISS";
}
} else {
unset resp.http.Age;
}
unset resp.http.X-Magento-Debug;
unset resp.http.X-Magento-Tags;
unset resp.http.X-Powered-By;
unset resp.http.Server;
unset resp.http.X-Varnish;
unset resp.http.Via;
unset resp.http.Link;
}通过 netstat 报告端口:
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1027/php-fpm: maste
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 733/hhvm
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2721/mysqld
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 13657/redis-server
tcp 0 0 0.0.0.0:5131 0.0.0.0:* LISTEN 1412/proftpd: (acce
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 997/memcached
tcp 0 0 127.0.0.1:6380 0.0.0.0:* LISTEN 1028/redis-server 1
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9142/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9142/nginx: master
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 9760/varnishd
tcp 0 0 127.0.0.1:11000 0.0.0.0:* LISTEN 2308/lookup-domain-
tcp 0 0 0.0.0.0:7224 0.0.0.0:* LISTEN 984/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 9142/nginx: master
tcp 0 0 127.0.0.1:6082 0.0.0.0:* LISTEN 9760/varnishd
tcp 0 0 0.0.0.0:17668 0.0.0.0:* LISTEN 2861/perl
tcp6 0 0 :::7224 :::* LISTEN 984/sshd 重定向请求的 Varnish 日志(有 20 个;这是 2 个):
* << Request >> 294986
- Begin req 294985 rxreq
- Timestamp Start: 1496891464.408694 0.000000 0.000000
- Timestamp Req: 1496891464.408694 0.000000 0.000000
- ReqStart 127.0.0.1 4702
- ReqMethod GET
- ReqURL /
- ReqProtocol HTTP/1.0
- ReqHeader X-Forwarded-For: 69.227.13.164
- ReqHeader X-Forwarded-Host: test.com
- ReqHeader Host: test.com
- ReqHeader X-Scheme: https
- ReqHeader X-Real-IP: 69.227.13.164
- ReqHeader X-Forwarded-Proto: https
- ReqHeader X-Forwarded-Port: 443
- ReqHeader X-Secure: on
- ReqHeader Connection: close
- ReqHeader User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
- ReqHeader Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- ReqHeader Accept-Language: en-US,en;q=0.5
- ReqHeader Accept-Encoding: gzip, deflate, br
- ReqHeader Cookie: PHPSESSID=344hlkmot8oi8ooop0ugnprc47
- ReqHeader DNT: 1
- ReqHeader Upgrade-Insecure-Requests: 1
- ReqUnset X-Forwarded-For: 69.227.13.164
- ReqHeader X-Forwarded-For: 69.227.13.164, 127.0.0.1
- VCL_call RECV
- ReqURL /
- ReqUnset Accept-Encoding: gzip, deflate, br
- ReqHeader Accept-Encoding: gzip
- ReqURL /
- ReqURL /
- ReqURL /
- VCL_return hash
- VCL_call HASH
- VCL_return lookup
- VCL_call MISS
- VCL_return fetch
- Link bereq 294987 fetch
- Timestamp Fetch: 1496891464.447563 0.038869 0.038869
- RespProtocol HTTP/1.1
- RespStatus 302
- RespReason Found
- RespHeader Server: nginx
- RespHeader Date: Thu, 08 Jun 2017 03:11:04 GMT
- RespHeader Content-Type: text/html; charset=UTF-8
- RespHeader Location: https://test.com/
- RespHeader Pragma: no-cache
- RespHeader Cache-Control: max-age=0, must-revalidate, no-cache, no-store
- RespHeader Expires: Wed, 08 Jun 2016 03:11:04 GMT
- RespHeader X-Magento-Debug: 1
- RespHeader X-Content-Type-Options: nosniff
- RespHeader X-XSS-Protection: 1; mode=block
- RespHeader X-Frame-Options: SAMEORIGIN
- RespHeader X-Config-By: Honey
- RespHeader X-Processing-Time: 0.039
- RespHeader X-Request-ID: ce5053ee7177817d0d8f612aff673a32
- RespHeader X-UA-Compatible: IE=Edge,chrome=1
- RespHeader Link: <http://test.com/>; rel="canonical"
- RespHeader Content-Encoding: gzip
- RespHeader Vary: Accept-Encoding
- RespHeader X-Varnish: 294986
- RespHeader Age: 0
- RespHeader Via: 1.1 varnish-v4
- VCL_call DELIVER
- RespHeader X-Magento-Cache-Debug: MISS
- RespUnset X-Magento-Debug: 1
- RespUnset Server: nginx
- RespUnset X-Varnish: 294986
- RespUnset Via: 1.1 varnish-v4
- RespUnset Link: <http://test.com/>; rel="canonical"
- VCL_return deliver
- Timestamp Process: 1496891464.447622 0.038928 0.000059
- RespHeader Content-Length: 20
- Debug "RES_MODE 2"
- RespHeader Connection: close
- Timestamp Resp: 1496891464.447669 0.038975 0.000047
- ReqAcct 540 0 540 600 20 620
- End
* << Session >> 294985
- Begin sess 0 HTTP/1
- SessOpen 127.0.0.1 4702 127.0.0.1:8081 127.0.0.1 8081 1496891464.408655 19
- Link req 294986 rxreq
- SessClose RESP_CLOSE 0.039
- End 最佳答案
看起来你有一个重定向到 https:// 因为你的后端不知道它是在 HTTPS 上服务的(并且可能你配置它是,所以它生成 https链接等)。你需要说服 Magento 它是在 HTTPS 上的,即使它看起来不是。在与 Apache 的类似设置中,我使用:
<If "-R '192.0.0.1'">
SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
</If>
不确定 NGINX 的语法是什么,但希望这能让您走上正轨。
关于ssl - 使用 Varnish 和 Nginx 作为 SSL 终止的 Magento 2 - 无限重定向,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44426096/
26
4
0
我在 Cloudflare 的域名服务器上有一个域名 example.com。该域指向我的专用服务器的 IP 地址,该服务器运行 CentOS/WHM/cPanel。该站点可访问 - 一切都很好。 我
我正在努力将 SSL 支持添加到我们现有的应用程序中,并已开始考虑向后兼容性。 与我读过的其他帖子不同的一个特殊情况是服务器可能不一定使用 SSL 代码更新。所以我将有一个 SSL 客户端连接到一个对
我有几个 https://*.rest-service.mydomain.com。随着服务数量的增加,我觉得管理 SSL 证书的成本很高。我为 *.mydomain.com 购买了通配符证书。 新添加
我的客户要求我在他的网站上做反向 ssl。但我是这个学期的新手。谁能帮我解决这个问题。 请描述或引用如何做。 最佳答案 查看 this wiki article . In the case of se
关闭。这个问题是opinion-based .它目前不接受答案。 想改进这个问题?更新问题,以便 editing this post 可以用事实和引用来回答它. 去年关闭。 Improve this
我连接到我的网络服务器上的存储库,但是当我尝试推送我的更改时,它显示:“错误 403:需要 ssl”,但在我的存储库设置中我已经激活了 ssl 选项。 有什么建议吗? 最佳答案 当您连接到存储库时,您
抱歉,如果这听起来像是转储问题,我已经阅读了很多关于 SSL 握手和 SSL 工作原理的文章和文档。我对一件事感到困惑,如果有人能澄清我就太好了。 我知道私钥要保密。但是我已经看到通过在请求中指定私钥
随着物联网越来越主流,越来越需要从硬件发送http请求。 一个主要问题是硬件微 Controller 无法发送 ssl 请求,但大多数服务器/网站/服务都在使用 ssl。 所以,问题是,有没有桥(一个
我有一个 ssl 页面,它还从非 ssl 站点下载头像。我能做些什么来隔离该内容,以便浏览器不会警告用户混合内容吗? 最佳答案 只是一个想法 - 或者: 尝试在头像网站上使用 ssl url,如有必要
我在 Digital Ocean droplet(使用 nginx)上设置了两个域。我已经在其中一个(domain1)中安装了一个 SSL 证书,并且那个证书一切正常。第二个域 (domain2) 不
我收到这个错误: Error frontend: 502 Bad gateway 99.110.244:443 2017/09/28 13:03:51 [error] 34080#34080: *10
关闭。这个问题不符合Stack Overflow guidelines .它目前不接受答案。 这个问题似乎与 help center 中定义的范围内的编程无关。 . 关闭 6 年前。 Improve
我遇到了一个问题,我正在构建一个 nginx 反向代理以定向到不同 url 路径上的多个微服务。 该系统完全基于 docker,因此开发和生产使用相同的环境。这在安装 SSL 时给我带来了问题,因为
所以我知道要求 SSL 证书和接受之间的根本区别,一个意味着您必须拥有 SSL 证书,另一个意味着您不需要。 在某个网页的 IIS 管理器中,我有以下设置: 我遇到的问题是,当我设置需要 SSL 证书
我今天才发现 .app 域名需要 SSL 证书。我购买它是为了将 DNS 重定向到已经设置了 SSL 证书的站点,所以我的问题是是否可以设置它? 我正在使用 Google Domains,在将合成临时
堆栈 : react ,NGINX 1.14.0,GUnicorn,Django 2.2.8,Python 3.6.9 错误 : 在浏览器:当 React 调用 Django API(当然是在请求头中
假设我在计算机上编辑主机文件以使 google.com 指向我的 VPS 服务器 IP,并且服务器具有通过 Apache 或 Nginx 配置的 google.com 的虚拟主机/服务器 block
我有一个场景,我正在处理用于 URL 路由的 IIS 网站配置。我已添加网站并在服务器上导入所需的证书。 我的情况是(我有多个网站 URL 和两个 SSL 证书 - 如下所示): qatest1.ab
我知道服务器发送的证书无法伪造(仍然存在 MD5 冲突,但成本高昂),但是伪造客户端又如何呢?在中间人攻击中:我们不能告诉服务器我们是合法客户端并从该服务器获取数据并对其进行操作,然后使用合法客户端公
我已通读相关问题,但无法完全找到我要查找的内容。我设置了一个名为“domain.com”的域,并创建了两个子域“client.domain.com”和“client-intern.domain.com
我是一名优秀的程序员,十分优秀!