我最近把一个opencart实例从Apache + mod_php切换到了nginx + fastcgi + php-fpm。 我一直试图通过fastcgi-cachecaching大多数页面。
不幸的是,许多用户开始报告鬼命令或接pipe其他帐户(weeee !!!!)从彻底挖掘,似乎页面被caching与set-cookie! 因此,没有发送预先存在的会话cookie的后续用户正在获取caching启动器的会话cookie。 坏!
根据所有的文件那里,下面的设置应该是防止这种情况发生(至less我的理解:)
fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; fastcgi_ignore_headers Cache-Control Expires Set-Cookie; 当我通过单个caching看,我注意到几个页面与set-cookie:[somerandomsessionid]根据fastcgi_cache_valid下的nginx文档…
如果头部包含“Set-Cookie”字段,则不会caching这样的响应。
通过包含Set-Cookie与fastcgi_ignore_headers,我告诉它cachingset-cookie? 在许多例子中, Set-Cookie是fastcgi_ignore_headers参数的一部分。 还是应该防止Set-Cookie被处理,即使它明显在caching文件中?
以下是我的configuration的相关部分:
fastcgi_next_upstream error timeout invalid_header http_500 http_503; fastcgi_cache OPENCART; fastcgi_cache_bypass $no_cache; fastcgi_no_cache $no_cache; fastcgi_cache_purge $purge_method; fastcgi_cache_methods GET HEAD; fastcgi_cache_valid 200 5m; fastcgi_cache_use_stale error timeout invalid_header http_500; fastcgi_pass_header Set-Cookie; #fastcgi_hide_header Set-Cookie; fastcgi_pass_header Cookie; fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
################## Fast CGI Cache Settings # if we find a PHP session cookie, let's cache it's contents map $http_cookie $php_session_cookie { default ""; ~PHPSESSID=(?<sessionkey>[a-zA-Z0-9]+) $sessionkey; # PHP session cookie } fastcgi_cache_path /var/nginx/cache levels=1:2 keys_zone=OPENCART:5m max_size=10000m inactive=15m; fastcgi_cache_key "$scheme$request_method$host$request_uri$is_mobile$php_session_cookie"; map $request_method $purge_method { PURGE 1; default 0; } ################## Cache Header add_header X-Cache $upstream_cache_status; ################## Cache Bypass Maps #Don't cache the following URLs map $request_uri $no_cache_uri { default 0; ~*/admin/ 1; ~*/dl/ 1; } # ~*/music/mp3_[^/]+/[0-9]+/.+$ 1; map $query_string $no_cache_query { default 0; ~*route=module/cart$ 1; ~*route=account/ 1; #exclude account links ~*route=checkout/ 1; #exclude checkout links ~*route=module/founders 1; ~*route=module/cart 1; ~*route=product/product/captcha 1; ~*nocache=1 1; # exclude ajax blocks and provide for manual cache override } map $http_cookie $no_cache_cookie { default 0; } map $http_x_requested_with $no_cache_ajax { default 0; XMLHttpRequest 1; # Don't cache AJAX } map $sent_http_x_no_cache $no_no_cache { default 0; on 1; # Don't cache generic header when present and set to "on" } ## Combine all results to get the cache bypass mapping. map $no_cache_uri$no_cache_query$no_cache_cookie$no_cache_ajax$no_no_cache $no_cache { default 1; 00000 0; }
session.auto_start = 1 session.cache_expire = 180 session.cache_limiter = nocache session.cookie_lifetime = 0 session.cookie_path = / session.cookie_secure = 1 session.gc_divisor = 1000 session.gc_maxlifetime = 3600 session.gc_probability = 0 session.hash_function = "sha256" session.name = PHPSESSID session.serialize_handler = php session.use_cookies = 1 session.use_only_cookies = 1 session.use_strict_mode = 1 session.use_trans_sid = 0
Opencart使用session_start()在每个页面加载,所以绕过PHP会议大部分没有好处。 如果有一种方法可以防止Set-Cookie头部在caching中结束,这可能适用于我。
任何人都可以指向正确的方向吗?