Nginx reverse proxy and WordPress

Everything works well, but I have a problem with WordPress on the extensions page.

The problem is that no image is displayed for any plugin, and when I click on the image of the plugin I want to install, it opens a window but displays nothing, it just loads endlessly... However, when I click the "Install" button, it installs the plugin fine.

You can look at this image to see what happens:

[Image: WordPress issue]

Here is the configuration:

[Image: configuration]

Here is the web server configuration:

Frontend Nginx

```nginx
server {
    listen 443 ssl;

    # SSL
    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx.key;
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    server_name domaine.tld;

    # Proxy Pass to Varnish and Add headers to recognize SSL
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Secure on;
    }
}
```

Backend Nginx

```nginx
server {
    listen 8000;
    server_name domaine.tld;
    root /var/www/domaine;
    index index.php;

    # Custom Error Page
    error_page 404 403 /page_error/404.html;

    # Log
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        try_files $uri $uri/ /index.php?$args;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param HTTPS on;
    }
}
```

Varnish default

```sh
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"
```

Varnish VCL 4.0

```vcl
vcl 4.0;  # required as the first statement of a Varnish 4 VCL file

backend default {
    .host = "127.0.0.1";
    .port = "8000";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
    .max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
    "localhost";
    "127.0.0.1";
}

# This function is used when a request is sent by a HTTP client (Browser)
sub vcl_recv {
    # Redirect to https
    if ( (req.http.host ~ "^(?i)www.domaine.tld" || req.http.host ~ "^(?i)domaine.tld")
         && req.http.X-Forwarded-Proto !~ "(?i)https") {
        return (synth(750, ""));
    }

    # Normalize the header, remove the port (in case you're testing this on various TCP ports)
    set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

    # Allow purging from ACL
    if (req.method == "PURGE") {
        # If not allowed then a error 405 is returned
        if (!client.ip ~ purge) {
            return(synth(405, "This IP is not allowed to send PURGE requests."));
        }
        # If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
        return (purge);
    }

    # Post requests will not be cached
    if (req.http.Authorization || req.method == "POST") {
        return (pass);
    }

    # Did not cache .ht* file
    if ( req.url ~ ".*htaccess.*" ) {
        return(pass);
    }
    if ( req.url ~ ".*htpasswd.*" ) {
        return(pass);
    }

    # Don't cache phpmyadmin
    if ( req.url ~ "/nothingtodo" ) {
        return(pass);
    }

    # --- WordPress specific configuration

    # Did not cache the RSS feed
    if (req.url ~ "/feed") {
        return (pass);
    }

    # Don't cache 404 error
    if (req.url ~ "^/404") {
        return (pass);
    }

    # Blitz hack
    if (req.url ~ "/mu-.*") {
        return (pass);
    }

    # Did not cache the admin and login pages
    if (req.url ~ "/wp-(login|admin)") {
        return (pass);
    }

    # Do not cache the WooCommerce pages
    ### REMOVE IT IF YOU DO NOT USE WOOCOMMERCE ###
    if (req.url ~ "/(cart|my-account|checkout|addons|/?add-to-cart=)") {
        return (pass);
    }

    # First remove the Google Analytics added parameters, useless for our backend
    if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=") {
        set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "");
        set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?");
        set req.url = regsub(req.url, "\?&", "?");
        set req.url = regsub(req.url, "\?$", "");
    }

    # Remove the "has_js" cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");
    # Remove any Google Analytics based cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
    # Remove the Quant Capital cookies (added by some plugin, all __qca)
    set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");
    # Remove the wp-settings-1 cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");
    # Remove the wp-settings-time-1 cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");
    # Remove the wp test cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");
    # remove cookies for comments cookie to make caching better.
    set req.http.cookie = regsub(req.http.cookie, "dcd9527364a17bb2ae97db0ead3110ed=[^;]+(; )?", "");

    # remove ?ver=xxxxx strings from urls so css and js files are cached.
    set req.url = regsub(req.url, "\?ver=.*$", "");
    # Remove "replytocom" from requests to make caching better.
    set req.url = regsub(req.url, "\?replytocom=.*$", "");
    # Strip hash, server doesn't need it.
    set req.url = regsub(req.url, "\#.*$", "");
    # Strip trailing ?
    set req.url = regsub(req.url, "\?$", "");

    # Are there cookies left with only spaces or that are empty?
    if (req.http.cookie ~ "^ *$") {
        unset req.http.cookie;
    }

    # Drop any cookies sent to WordPress.
    if (!(req.url ~ "wp-(login|admin)")) {
        unset req.http.cookie;
    }

    # Cache the following files extensions
    if (req.url ~ "\.(css|js|png|gif|jp(e)?g|swf|ico)") {
        unset req.http.cookie;
    }

    # Normalize Accept-Encoding header and compression
    # https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
    if (req.http.Accept-Encoding) {
        # Do no compress compressed files...
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            unset req.http.Accept-Encoding;
        }
    }

    # Check the cookies for wordpress-specific items
    if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
        return (pass);
    }
    if (!req.http.cookie) {
        unset req.http.cookie;
    }

    # --- End of WordPress specific configuration

    # No cache for big video files
    if (req.url ~ "\.(avi|mp4)") {
        return (pass);
    }

    # Did not cache HTTP authentication and HTTP Cookie
    if (req.http.Authorization || req.http.Cookie) {
        # Not cacheable by default
        return (pass);
    }

    # Cache all others requests
    return (hash);
}

sub vcl_pipe {
    # Note that only the first request to the backend will have
    # X-Forwarded-For set. If you use X-Forwarded-For and want to
    # have it set for all requests, make sure to have:
    # set bereq.http.connection = "close";
    # here. It is not set by default as it might break some broken web
    # applications, like IIS with NTLM authentication.
    #set bereq.http.Connection = "Close";
    return (pipe);
}

sub vcl_pass {
    return (fetch);
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://www.paris-vendome.com" + req.url;
        return(deliver);
    }
}

# The data on which the hashing will take place
sub vcl_hash {
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    # hash cookies for requests that have them
    if (req.http.Cookie) {
        hash_data(req.http.Cookie);
    }
    # If the client supports compression, keep that in a different cache
    if (req.http.Accept-Encoding) {
        hash_data(req.http.Accept-Encoding);
    }
    return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
    # Remove some headers we never want to see
    unset beresp.http.Server;
    unset beresp.http.X-Powered-By;

    # For static content strip all backend cookies
    # (the alternation is grouped so that swf and ico also require the leading dot)
    if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g|swf|ico)") {
        unset beresp.http.cookie;
    }

    # Only allow cookies to be set if we're in admin area
    if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)") {
        unset beresp.http.Set-Cookie;
    }

    # don't cache response to posted requests or those with basic auth
    if ( bereq.method == "POST" || bereq.http.Authorization ) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # don't cache search results
    if ( bereq.url ~ "\?s=" ) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # only cache status ok
    if ( beresp.status != 200 ) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # A TTL of 24h
    set beresp.ttl = 24h;
    # Define the default grace period to serve cached content
    set beresp.grace = 30s;

    return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
    if (obj.hits > 0) {
        set resp.http.X-Cache = "cached";
    } else {
        set resp.http.x-Cache = "uncached";
    }

    # Remove some headers: PHP version
    unset resp.http.X-Powered-By;
    # Remove some headers: Apache version & OS
    unset resp.http.Server;
    # Remove some headers: Varnish
    unset resp.http.Via;
    unset resp.http.X-Varnish;
    unset resp.http.Age;
    unset resp.http.Link;

    return (deliver);
}

sub vcl_hit {
    return (deliver);
}

sub vcl_miss {
    return (fetch);
}

sub vcl_init {
    return (ok);
}

sub vcl_fini {
    return (ok);
}
```

I don't think the problem is with Varnish but with the backend, because when I tested this configuration (without Varnish / without the backend), everything worked without any problem:

```nginx
server {
    listen 80;
    server_name domaine.tld;
    return 301 https://www.domaine.tld$request_uri;
}

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx.key;
    ssl_session_timeout 10m;

    root /var/www/domaine;
    index index.htm index.html index.php;
    server_name domaine.tld;
    server_tokens off;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    error_page 404 403 /page_error/404.html;
    error_page 500 502 503 504 /page_error/50x.html;

    gzip on;
    etag off;

    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param HTTPS on;
    }
}
```

If I have missed something or you want more information, don't hesitate to ask. Sorry for the long post, but I'm a bit desperate. I hope someone can help me; thanks in advance.

To answer your comments:

Solved: I don't know why, but it was the add_header Content-Security-Policy. I just removed it from the http block and now everything works fine! Voilà

The proxy_pass directive (located inside the Varnish location block) passes the request to an upstream server on the (internal host) network. This means you are no longer on the Nginx server but on the Varnish server, which listens on port 9000 on that network. When you then define a Content-Security-Policy that does not allow access to your own network, you lock yourself out: your server has become an overprotective parent.

Instead of blindly trusting everything that a server delivers, CSP defines the Content-Security-Policy HTTP header, which allows you to create a whitelist of sources of trusted content and instructs the browser to only execute or render resources from those sources. Even if an attacker can find a hole through which to inject script, the script won't match the whitelist and therefore won't be executed.

Since we trust apis.google.com to deliver valid code, and we trust ourselves to do the same, let's define a policy that only allows script to execute when it comes from one of those two sources:

```http
Content-Security-Policy: script-src 'self' https://apis.google.com
```

...As you might have guessed, script-src is a directive that controls a set of script-related privileges for a specific page. We've specified 'self' as one valid source of script, and https://apis.google.com as another. The browser will download and execute JavaScript from apis.google.com over HTTPS, as well as from the current page's origin.

Source: HTML5Rocks
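As an added illustration (not part of the question or the answer above), the following Python script models how a browser matches a CSP source list, including the fall-back from a missing directive to default-src, and applies it to the kind of fetches the WordPress "Add Plugins" screen makes. The WordPress URLs and the plugin thumbnail host are constructed placeholders, and only the common source-expression forms are modelled.

```python
"""Minimal CSP source-list matcher (a subset of the spec); hosts are placeholders."""
from urllib.parse import urlsplit


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for directive in (header or "").split(";"):
        parts = directive.split()
        if parts:                                   # a repeated directive is ignored
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def source_matches(expr, url, page):
    """True if one source expression permits `url` on a page with origin `page`."""
    u = urlsplit(url)
    if expr == "'self'":                            # same scheme, host and port as the page
        return (u.scheme, u.netloc.lower()) == (page.scheme, page.netloc.lower())
    if expr.startswith("'"):                        # 'none', 'unsafe-inline', nonces, hashes
        return False
    if expr.endswith(":"):                          # scheme-source such as "https:"
        return u.scheme == expr[:-1].lower()
    s = urlsplit(expr if "://" in expr else "//" + expr)   # host-source, path part ignored
    if s.scheme and s.scheme != u.scheme:
        return False
    host, target = s.hostname or "", u.hostname or ""
    if host.startswith("*."):                       # wildcard matches subdomains only
        if not target.endswith(host[1:]):
            return False
    elif host != target:
        return False
    return s.port is None or s.port == (u.port or {"http": 80, "https": 443}.get(u.scheme))


def allowed(header, directive, url, page_url):
    """A missing directive falls back to default-src; no default-src means unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(src, url, urlsplit(page_url)) for src in sources)


def admin_plugin_page_report(header):
    """Constructed fetches of the admin plugin screen: CDN thumbnail, details modal (iframe
    of the site itself) and the site's own script; which ones a given header lets through."""
    page = "https://domaine.tld/wp-admin/plugin-install.php"
    return {
        "thumbnail": allowed(header, "img-src", "https://ps.plugin-cdn.example/icon.png", page),
        "modal_iframe": allowed(header, "frame-src", page, page),
        "own_script": allowed(header, "script-src", "https://domaine.tld/wp-admin/load-scripts.php", page),
    }
```

A site-wide `default-src 'self'` blocks only the external thumbnail here, so the practical fix is either to list the needed image and frame sources explicitly or to scope the header so it is not sent for the admin area.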