Назад | Перейти на главную страницу

Конфигурация Nginx Varnish 4.0 SSL Wordpress перенаправляет mydomain.tld на https://127.0.0.1

У меня такой стек:

(перенаправить http на https =>) https nginx -> varnish -> nginx http -> php5-fpm

Когда я открываю my.url.com, меня мгновенно перенаправляют на https://127.0.0.1

Без лака nginx, ssl, php5-fpm (php 5.5) отлично работает ...

Я думаю, что это связано с моей конфигурацией лака, потому что почти один и тот же стек работает с другой CMS (TYPO3 Neos) и с другой конфигурацией лака очень хорошо ... (настройки для nginx почти такие же, только некоторые небольшие изменения, такие как статическая перезапись )

Я благодарен за ваши идеи и отзывы по этому поводу!

моя конфигурация nginx:

# redirect non-www - http  and other domains to www - https
server {
        listen  80; ## listen for ipv4; this line is default and implied
        server_name domain.com some.other.tld;
        return 301 https://www.domain.com$request_uri;
}

# redirect non-www to www - https
server {
        listen 443 ssl; ## listen for ipv4; this line is default and implied
        server_name domain.com;

        # Add default ssl config
        include /etc/nginx/server-config/nginx-ssl.conf;

        # Define the certificates for this vhost
        ssl_certificate /etc/ssl/private/my-webserver.cert;
        ssl_certificate_key /etc/ssl/private/my-webserver.key;
        ssl_trusted_certificate /etc/ssl/private/ocsp-trusted-certificate.pem;

    return 301 https://www.domain.com$request_uri;
}

#
# HTTPS server - live - proxy for varnish
#
server {
        listen 443 ssl spdy;
        server_name www.domain.com;

        access_log /var/log/nginx/www.access;
        error_log /var/log/nginx/www.error error;

        keepalive_timeout 70;

        client_max_body_size 2G;

        # Add default ssl config        
        include /etc/nginx/server-config/nginx-ssl.conf;

        # Define the certificates for this vhost
        ssl_certificate /etc/ssl/private/my-webserver.cert;
        ssl_certificate_key /etc/ssl/private/my-webserver.key;
        ssl_trusted_certificate /etc/ssl/private/ocsp-trusted-certificate.pem;

        # Proxy Pass to Varnish
        # Add headers to recognize SSL
        location / {
            proxy_pass  http://127.0.0.1:6081;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header X-Secure on;
        }
}


#
# HTTP server - live for varnish
#
server {
        listen 8000;
        server_name www.domain.com;

        access_log /var/log/nginx/www.access;
        error_log /var/log/nginx/www.error error;

        root /var/www/production/current/src;
        index index.html index.php;

        client_max_body_size 2G;

        set_real_ip_from   127.0.0.1;
        real_ip_header     X-Forwarded-For;
        real_ip_recursive on;

        # Add trailing slash to */wp-admin requests.
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;

        include /etc/nginx/server-config/nginx-static-resources.conf;

        include /etc/nginx/server-config/nginx-global-restriction-additional.conf;

        try_files $uri $uri/ /index.php?$args;

        location ~ \.php$ {
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

            include fastcgi_params;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;

            # Neccessary only with defined error page
            #fastcgi_intercept_errors on;

            fastcgi_read_timeout 600s;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
        }
}

И мой конфиг лака:

vcl 4.0;
backend default {
        .host = "localhost";
        .port = "8000";
        .connect_timeout = 600s;
        .first_byte_timeout = 600s;
        .between_bytes_timeout = 600s;
        .max_connections = 800;
}

# Only allow purging from specific IPs
acl purge {
    "localhost";
    "127.0.0.1";    
}

# This function is used when a request is send by a HTTP client (Browser) 
sub vcl_recv {
    # Allow purging from ACL
    if (req.method == "PURGE") {
        # If not allowed then a error 405 is returned
        if (!client.ip ~ purge) {
            return(synth(405, "This IP is not allowed to send PURGE requests."));
        }   
        # If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
        return (purge);
    }

    # Post requests will not be cached
    if (req.http.Authorization || req.method == "POST") {
        return (pass);
    }

    # --- Wordpress specific configuration

    # Did not cache the RSS feed
    if (req.url ~ "/feed") {
        return (pass);
    }

    # Blitz hack
        if (req.url ~ "/mu-.*") {
                return (pass);
        }


    # Did not cache the admin and login pages
    if (req.url ~ "/wp-(login|admin)") {
        return (pass);
    }

    # Remove the "has_js" cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

    # Remove any Google Analytics based cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

    # Remove the Quant Capital cookies (added by some plugin, all __qca)
    set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

    # Remove the wp-settings-1 cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

    # Remove the wp-settings-time-1 cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

    # Remove the wp test cookie
    set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

    # Are there cookies left with only spaces or that are empty?
    if (req.http.cookie ~ "^ *$") {
            unset req.http.cookie;
    }

    # Cache the following files extensions 
    if (req.url ~ "\.(css|js|png|gif|jp(e)?g|swf|ico)") {
        unset req.http.cookie;
    }

    # Normalize Accept-Encoding header and compression
    # https://www.varnish-cache.org/docs/3.0/tutorial/vary.html
    if (req.http.Accept-Encoding) {
        # Do no compress compressed files...
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
                unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
                set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
                set req.http.Accept-Encoding = "deflate";
        } else {
            unset req.http.Accept-Encoding;
        }
    }

    # Check the cookies for wordpress-specific items
    if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
        return (pass);
    }
    if (!req.http.cookie) {
        unset req.http.cookie;
    }

    # --- End of Wordpress specific configuration

    # Did not cache HTTP authentication and HTTP Cookie
    if (req.http.Authorization || req.http.Cookie) {
        # Not cacheable by default
        return (pass);
    }

    # Cache all others requests
    return (hash);
}

sub vcl_pipe {
    return (pipe);
}

sub vcl_pass {
    return (fetch);
}

# The data on which the hashing will take place
sub vcl_hash {

    hash_data(req.url);

    if (req.http.host) {
            hash_data(req.http.host);
    } else {
            hash_data(server.ip);
    }

    # If the client supports compression, keep that in a different cache
        if (req.http.Accept-Encoding) {
            hash_data(req.http.Accept-Encoding);
    }

    return (lookup);
}

# This function is used when a request is sent by our backend (Nginx server)
sub vcl_backend_response {
    # Remove some headers we never want to see
#   unset beresp.http.Server;
#   unset beresp.http.X-Powered-By;

    # ignore max-age=0
    if (beresp.ttl < 120s) {
            set beresp.ttl = 120s;
            unset beresp.http.Cache-Control;
    }


    # For static content strip all backend cookies
    if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g)|swf|ico") {
        unset beresp.http.cookie;
    }

    # Only allow cookies to be set if we're in admin area
    if (beresp.http.Set-Cookie && bereq.url !~ "^/wp-(login|admin)") {
            unset beresp.http.Set-Cookie;
        }

    # don't cache response to posted requests or those with basic auth
    if ( bereq.method == "POST" || bereq.http.Authorization ) {
            set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
        }

        # don't cache search results
    if ( bereq.url ~ "\?s=" ){
        set beresp.uncacheable = true;
                set beresp.ttl = 120s;
                return (deliver);
    }

    # only cache status ok
    if ( beresp.status != 200 ) {
        set beresp.uncacheable = true;
                set beresp.ttl = 120s;
                return (deliver);
    }

    # A TTL of 24h
    set beresp.ttl = 24h;

    # Define the default grace period to serve cached content
    set beresp.grace = 60s;

    return (deliver);
}

# The routine when we deliver the HTTP request to the user
# Last chance to modify headers that are sent to the client
sub vcl_deliver {
    if (obj.hits > 0) { 
        set resp.http.X-Cache = "cached";
    } else {
        set resp.http.x-Cache = "uncached";
    }

    # Remove some headers: PHP version
    #unset resp.http.X-Powered-By;

    # Remove some headers: Apache version & OS
    #unset resp.http.Server;

    # Remove some heanders: Varnish
    #unset resp.http.Via;
    #unset resp.http.X-Varnish;

    return (deliver);
}

sub vcl_init {
    return (ok);
}

sub vcl_fini {
    return (ok);
}

(Я хотел увидеть заголовки для тестирования)