需要阻止 nginx 上的 Magento 运行 从前端从 http 重定向到 https。
Need to stop Magento running on nginx from redirecting from http to https on front end.
下面是我当前的 nginx 配置。我运行的是 php 5.5(带 opcache)和 magento 1.9.2.2。
它有 2 个问题:
1. 该网站不断把所有内容重定向到 https。
2. 当我更新 javascript 或 css 文件时,我不断收到 net::ERR_SPDY_PROTOCOL_ERROR。我可以通过重新启动 nginx 来解决这个问题,但这只是一种临时的变通办法。
Magento 设置为:
在前端使用安全 URL "No"
在管理员中使用安全 URL "Yes"
http://WEBSITENAME.com 用于不安全的基础 url
https://WEBSITENAME.com 用于安全基础 url。
我希望网站前端(购物车除外)为 http,后端为 https。我需要做哪些改变?我的 nginx conf 是从几个来源拼凑而来的。
如有任何建议或帮助,我将不胜感激。我还附上了包含这些文件的 gist 链接。 https://gist.github.com/btray77/8867aa2fddc1803bfee0
谢谢
配置文件/etc/nginx/conf.d/export.conf:
## Restricted export folder: BOTH the IP allow-list AND basic auth must pass
## (satisfy all). The regex is unanchored, so it also matches any URI that
## merely contains "/var/export"; 1.2.3.4 is presumably a placeholder address.
location ~ /var/export {
satisfy all;
allow 1.2.3.4;
deny all;
auth_basic "Restricted";
## Relative path: resolved against the nginx prefix directory, not this file's.
auth_basic_user_file .htpasswd;
autoindex off;
}
配置文件/etc/nginx/conf.d/extra_protect.conf:
## Extra protection
## Regex locations are tried in the order they appear and the first match wins,
## so this file must be included before the generic "\.php$" handler.
## Magento internals that must never be web-reachable (the "." in local.xml is
## unescaped and so matches any single character there).
location ~ /(dev/tests/|errors/local.xml|cron\.php) { deny all; }
## Scripts, archives, dumps and editor swap files: close the connection without
## a response (444) rather than confirming the file exists.
location ~ ^/.*\.(sh|pl|swp|phar|sql|conf|zip|tar|.+gz)$ { return 444; }
## VCS metadata and the listed dot-files only; other dot-files (e.g. .env,
## .DS_Store) are NOT covered by this pattern.
location ~ /\.(svn|git|hg|htpasswd|bash|ssh) { return 444; }
## No PHP execution from asset/upload directories (case-insensitive match).
location ~* /(lib|media|shell|skin)/.*\.php$ { deny all; }
## Rate-limit account, checkout, search and contact endpoints. Zone "goeasy" is
## defined in nginx.conf (1 request/s per client IP); burst 5 then 429.
location ~ /(wishlist|customer|contact|review|catalogsearch|newsletter|(fire|one.+)?checkout)/ {
limit_req zone=goeasy burst=5;
limit_req_status 429;
## Keep the major crawlers out of these pages (410 Gone).
if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|YandexBot") { return 410; }
## Same dispatch as "location /": hand the request to the Magento front controller.
try_files $uri $uri/ @rewrite;
}
## Wordpress files and locations protection
## Only relevant if a WordPress install shares this document root; harmless
## otherwise. "deny all" answers 403.
location ~ /wp-config\.php { deny all; }
location ~ /wp-includes/(.*)\.php { deny all; }
location ~ /wp-admin/includes(.*)$ { deny all; }
## xmlrpc.php is a frequent brute-force target; nothing here needs it.
location ~ /xmlrpc\.php { deny all; }
## No PHP execution (including "phpX" variants) inside the uploads tree.
location ~ /wp-content/uploads/(.*)\.php(.?) { deny all; }
配置文件/etc/nginx/conf.d/headers.conf:
## Response headers for PHP responses (included inside "location ~ \.php$").
## nginx does NOT merge add_header across levels: because this location has
## add_header lines of its own, the server-level headers in magento.conf
## (HSTS, X-Frame-Options DENY, X-Content-Type-Options) are not inherited here.
## Anything wanted on PHP responses must therefore be listed in this file.
## Note this sets SAMEORIGIN while the server block sets DENY — pick one.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
## Legacy browser XSS filter; modern browsers have removed the auditor it controls.
add_header X-XSS-Protection "1; mode=block";
add_header X-UA-Compatible 'IE=Edge,chrome=1';
## Reveals backend processing time to every client; consider dropping in production.
add_header X-Processing-Time $request_time;
配置文件/etc/nginx/conf.d/pagespeed.conf:
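## ngx_pagespeed: rewrites HTML/CSS/JS/images on the fly (included per server).
pagespeed on;
## On-disk cache for rewritten resources; must be writable by the worker user.
pagespeed FileCachePath "/var/tmp/ngx_pagespeed_cache";
pagespeed LogDir "/var/log/pagespeed";
#to optimize images use: https://github.com/mikebrittain/Wesley
#pagespeed EnableFilters convert_gif_to_png;
#pagespeed EnableFilters insert_image_dimensions;
#pagespeed EnableFilters lazyload_images;
#pagespeed EnableFilters collapse_whitespace;
#pagespeed EnableFilters remove_comments;
#pagespeed EnableFilters flatten_css_imports;
#pagespeed EnableFilters insert_dns_prefetch;
#pagespeed EnableFilters extend_cache;
#pagespeed EnableFilters canonicalize_javascript_libraries;
## Active filters. EnableFilters is additive, so each filter is listed once
## (the former second copies of lazyload_images and collapse_whitespace were
## redundant and have been dropped).
pagespeed EnableFilters extend_cache;
pagespeed EnableFilters extend_cache_pdfs;
pagespeed EnableFilters combine_css;
pagespeed EnableFilters combine_javascript;
pagespeed EnableFilters move_css_above_scripts;
pagespeed EnableFilters insert_dns_prefetch;
pagespeed EnableFilters rewrite_images;
pagespeed EnableFilters prioritize_critical_css;
pagespeed EnableFilters rewrite_css;
pagespeed EnableFilters rewrite_style_attributes;
pagespeed EnableFilters convert_meta_tags;
pagespeed EnableFilters lazyload_images;
pagespeed EnableFilters collapse_whitespace;
#pagespeed EnableFilters move_css_to_head;
pagespeed EnableFilters remove_quotes;
## Inlines CSS/JS into the page: if a Content-Security-Policy without
## 'unsafe-inline' is ever added, these two filters will need hashes or nonces.
pagespeed EnableFilters inline_css;
pagespeed EnableFilters inline_javascript;
pagespeed EnableFilters convert_gif_to_png;
pagespeed EnableFilters insert_image_dimensions;
pagespeed EnableFilters remove_comments;
pagespeed EnableFilters flatten_css_imports;
#pagespeed EnableFilters defer_javascript;
pagespeed EnableFilters rewrite_javascript;
#pagespeed UseExperimentalJsMinifier on;
pagespeed StatisticsLogging on;
## Keep comments starting with "esi" intact (presumably edge-side-include markup).
pagespeed RetainComment "esi*";
# magento admin
## Never rewrite admin pages. NOTE(review): if phpMyAdmin is really reachable
## under the store's document root, its exposure on a production host is a
## larger concern than pagespeed rewriting it.
pagespeed Disallow "*index.php/admin/*";
pagespeed Disallow "*/admin/*";
pagespeed Disallow "*/phpMyAdmin/*";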
# configuration file /etc/nginx/conf.d/spider.conf:
# BLACKBOT
## Connection-dropping (444) user-agent deny-list, matched case-insensitively.
## The User-Agent header is client-controlled, so this is a nuisance filter,
## not a security boundary. Several entries are very broad substrings
## ("Microsoft", "Link", "Default", "Bolt", "Curious", "Go.*package.*") and
## will also drop legitimate clients whose UA happens to contain them — review
## before relying on it. Used at server level with a plain "return", which is
## the safe form of "if".
if ($http_user_agent ~* "360Spider|aiHitBot|Exabot|AhrefsBot|betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG|CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo|Default|DIIbot|DISCo|discobot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE|FlashGet|Findxbot|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack|ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot|JetCar|larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|lwp-trivial|Maxthon$|Mail.RU_Bot|MegaIndex.ru|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Microsoft|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage|Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch|Octopus|PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|PHPCrawl|PleaseCrawl|psbot|python-requests|RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler|SBIder|Scrapy|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|sitecheck.internetseer.com|SiteSnagger|SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap|tAkeOut|Teleport|Toata|TwengaBot|Typhoeus|URI::Fetch|User-Agent|voltron|Vagabondo|VoidEYE|webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE|zermelo|Zeus|Zeus.*Webster|ZyBorg")
{ return 444; }
配置文件/etc/nginx/fastcgi_params:
## CGI environment handed to PHP-FPM (included from "location ~ \.php$").
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
## $https is "on" only for TLS connections and empty otherwise, so with
## if_not_empty the HTTPS variable is simply absent on port 80. Magento 1 uses
## $_SERVER['HTTPS'] (and SERVER_PORT, which is commented out below) to decide
## whether a request is secure — presumably this is what keeps the http front
## end from being treated as https; confirm against the Magento store model.
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
#fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# magento
## Two-hour send/read timeouts let slow admin and import jobs finish, but also
## let a single slow request hold a PHP-FPM worker that long; size the pool
## accordingly.
fastcgi_connect_timeout 65;
fastcgi_send_timeout 7200;
fastcgi_read_timeout 7200;
配置文件/etc/nginx/mime.types:
## MIME map consulted via "include /etc/nginx/mime.types" in nginx.conf;
## anything not listed falls back to default_type application/octet-stream.
## Correct Content-Type matters once X-Content-Type-Options: nosniff is sent,
## because browsers will then refuse mistyped scripts and stylesheets.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
/etc/nginx/nginx.conf
## Worker processes run as the unprivileged "nginx" user (the master keeps the
## privileges it was started with).
user nginx;
## One worker per CPU core.
worker_processes auto;
## Per-worker open-file limit; must cover worker_connections plus the FDs held
## by open_file_cache below.
worker_rlimit_nofile 100000;
pid /var/run/nginx.pid;
events {
## Maximum simultaneous connections per worker (clients and upstream sockets).
worker_connections 2000;
multi_accept on;
## Linux-specific event method.
use epoll;
}
http {
## Directory index order; index.php is Magento's front controller.
index index.html index.php;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
log_format error403 '$remote_addr - [$time_local] "$request"';
keepalive_timeout 5;
autoindex off;
## Hide the nginx version in the Server header and error pages.
server_tokens off;
port_in_redirect off;
## Overridden to "off" inside the Magento server block.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 64m;
## Flood protection example
## Per-client-IP rate limit referenced by extra_protect.conf ("limit_req
## zone=goeasy"): 25 MB of shared state, 1 request/s sustained before burst.
limit_req_zone $binary_remote_addr zone=goeasy:25m rate=1r/s;
## Cache open FD
## NOTE(review): open_file_cache keeps descriptors plus size/mtime for up to
## open_file_cache_valid (7200s). If a JS/CSS file is rewritten in place with a
## different size, nginx can keep announcing the stale length until the entry
## is revalidated — a plausible cause of the ERR_SPDY_PROTOCOL_ERROR seen after
## asset updates that only a restart clears. Lowering open_file_cache_valid or
## deploying assets under new names would confirm or rule this out.
open_file_cache max=10000 inactive=3600s;
open_file_cache_valid 7200s;
open_file_cache_min_uses 2;
## Gzipping is an easy way to reduce page weight
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types application/javascript application/x-javascript text/javascript text/css;
gzip_buffers 16 8k;
gzip_comp_level 6;
## SSL global settings
## All disabled here; the live TLS settings are in sites-enabled/magento.conf.
## ssl_dhparam in particular is not set anywhere, which matters for the EDH
## cipher suites enabled there.
#ssl_session_cache shared:SSL:25m;
#ssl_session_timeout 15m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
#ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/ssl/certs/dhparams.pem;
#ssl_stapling on;
#resolver 8.8.8.8 8.8.4.4 valid=3600s;
#resolver_timeout 5s;
## Use when Varnish in front
## If enabled, list only the proxy's own address: set_real_ip_from decides
## whose X-Forwarded-For is trusted for $remote_addr, and therefore for the
## rate limit and the allow/deny rules.
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
## Multi shop code configuration
#include /etc/nginx/conf.d/multishop.conf;
## Map status to exclude from access log
## 404/410/444 responses are not logged. Those are exactly what the deny and
## bot rules produce, so probing and scanning activity is invisible in the
## access log — keep that in mind when investigating incidents.
map $status $writelog { 404 0; 410 0; 444 0; default 1; }
## Main domain configuration
## Glob results are sorted: default.conf (catch-all 444 on port 80) is read
## before magento.conf and so becomes the implicit default server for port 80.
include /etc/nginx/sites-enabled/*.conf;
}
配置文件/etc/nginx/sites-enabled/default.conf:
## Catch-all for plain-HTTP requests whose Host matches no other server_name.
## Being the first "listen 80" server read, it is the implicit default for
## port 80; 444 closes the connection without a response.
server {
listen 80;
return 444;
}
## With this block disabled there is no default TLS server: an HTTPS request
## for an unknown host/SNI is answered by the first "listen 443" block
## (magento.conf) and its certificate.
#server {
# listen 443 ssl default;
# ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
# ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
# return 444;
#}
配置文件/etc/nginx/sites-enabled/magento.conf:
## Add www
## Listens on port 80 only, so $scheme is always "http" here. An https://
## request for the bare domain never reaches this block; it lands on the www
## server below instead, whose certificate presumably covers the bare name too.
server {
listen 80;
server_name WEBSITENAME.com;
## Permanent redirect keeping path and query string.
return 301 $scheme://www.WEBSITENAME.com$request_uri;
}
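## Main Magento vhost: serves both plain HTTP (80) and TLS (443, HTTP/2).
server {
listen 80;
listen 443 http2 ssl;
#ssl on;
#Had issues with nginx sending only partial files
sendfile off;
## NOTE(review): server_name and root use a real hostname while logs and
## certificates use the WEBSITENAME placeholder — confirm they are the same site.
server_name www.overnightsupplements.com;
root /var/www/html/overnight;
## $writelog (map in nginx.conf) drops 404/410/444 entries from the access log.
access_log /var/log/nginx/access_www.WEBSITENAME.com.log main if=$writelog;
error_log /var/log/nginx/error_www.WEBSITENAME.com.log error;
## Pagespeed module
include /etc/nginx/conf.d/pagespeed.conf;
## Bots trap
include /etc/nginx/conf.d/spider.conf;
## SSL CONFIGURATION
ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
## TLS 1.0/1.1 are deprecated (RFC 8996); keep them only if legacy clients require it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
## Ephemeral (forward-secret) ECDH/DH key exchange with AES only. The EDH
## suites depend on ssl_dhparam, which is commented out in nginx.conf: old
## nginx then falls back to weak built-in 1024-bit DH parameters and newer
## releases disable DHE suites altogether — generate and set a dhparam file.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
## Tickets off so a long-lived ticket key cannot undermine forward secrecy.
ssl_session_tickets off; # Requires nginx >= 1.5.9
## OCSP stapling needs a "resolver" to reach the OCSP responder; with the
## resolver line below still commented out no stapled response is served and
## clients fall back to their own OCSP lookup.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
## HSTS for two years, all subdomains, plus a "preload" request. Once a browser
## has seen this header over HTTPS it rewrites every http:// URL for this host
## to https:// locally without asking the server — the opposite of serving the
## front end over plain HTTP — and "preload" cannot be quickly undone.
## Also note: nginx does not merge add_header across levels, so the locations
## below that set their own add_header (static assets, headers.conf for PHP)
## do NOT inherit these three headers; few responses actually carry them.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
## Magento's merged-JS endpoint: strip the trailing path part so that
## /js/index.php/x.js is handled by the PHP location as /js/index.php.
## The original line had no replacement ("rewrite regex last;" makes "last"
## the replacement string, not a flag); $1 is the captured script path.
location = /js/index.php/x.js {
rewrite ^(.*\.php)/ $1 last;
}
## Main Magento @location
location / {
try_files $uri $uri/ @rewrite;
}
## Server maintenance block.
#include /etc/nginx/conf.d/maintenance.conf;
## Error log/page
#include /etc/nginx/conf.d/error_page.conf;
## Export folder (IP allow-list + basic auth); included before the generic
## /var/ deny below so it wins the in-order regex match.
include /etc/nginx/conf.d/export.conf;
## These locations are protected
location ~ /(app|var|includes|pkginfo)/ {
deny all;
}
## Extra protection and limits
include /etc/nginx/conf.d/extra_protect.conf;
## Images and other static assets: served by nginx directly, never by PHP.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
access_log off;
## Was "add_header ETag """: add_header skips empty values and cannot remove
## the ETag the static handler sets, so that line was a no-op. "etag off" is
## the directive that actually suppresses the header.
etag off;
## nginx already sends Accept-Ranges: bytes for static files, so this
## duplicates it; as an add_header it also blocks inheritance of the
## server-level headers above (nosniff, X-Frame-Options) for assets.
add_header Accept-Ranges bytes;
}
location @rewrite {
## Everything not found on disk goes to the Magento front controller.
rewrite / /index.php?$args;
}
## Execute PHP scripts
location ~ \.php$ {
## Per-location headers (see headers.conf); the server-level add_header
## lines are not inherited here.
include /etc/nginx/conf.d/headers.conf;
## Only forward scripts that actually exist on disk to PHP-FPM.
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass 127.0.0.1:$port_switch;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## Store code with multi domain
#fastcgi_param MAGE_RUN_CODE $mage_code;
#fastcgi_param MAGE_RUN_TYPE $mage_type;
## Relative path: resolved against the nginx prefix directory.
include fastcgi_params;
}
}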
当您说 "frontend" 时,听起来您指的是网站的 public 部分,而对于 "backend" 部分,您指的是仅供管理员使用的网站区域。
考虑一下:与这种设计相比,"https-everywhere"(全站 HTTPS)要简单得多。原因如下:
- 如果您的站点上存在 "http" 与 "https" 之间的边界,就必须管理这条边界:每一个跨越边界的链接都必须确保切换协议。
- 当不安全(http)的资源被加载到站点的安全部分时,更容易出现 "Mixed Active Content"(混合活动内容)问题。
- 如果浏览器在访问网站的明文部分时,仍会发回本应只用于网站安全部分的 cookie,那么您的管理员仍可能遭受 cookie sidejacking(会话劫持)攻击。
SSL 证书很便宜,而且您本来就已经配置并在维护一张证书了。
因此,针对"重定向到 HTTPS"问题,我的第一个建议是干脆全站使用 HTTPS(HTTPS-everywhere)。这也是 Web 在 HTTP/2.0 下的发展方向,所以这样规划是向前兼容的。
其次,确认服务器过去没有启用过 HSTS。如果它曾发送过 "Strict-Transport-Security" header,浏览器可能已经缓存了该策略,之后会在本地直接改用 HTTPS 而不再询问服务器。如果是这种情况,下面这行可以禁用 HSTS:
add_header Strict-Transport-Security "max-age=0;";
下面是我当前的 nginx 配置。我运行的是 php 5.5(带 opcache)和 magento 1.9.2.2。
它有 2 个问题:
1. 该网站不断把所有内容重定向到 https。
2. 当我更新 javascript 或 css 文件时,我不断收到 net::ERR_SPDY_PROTOCOL_ERROR。我可以通过重新启动 nginx 来解决这个问题,但这只是一种临时的变通办法。
Magento 设置为:
在前端使用安全 URL "No"
在管理员中使用安全 URL "Yes"
http://WEBSITENAME.com 用于不安全的基础 url
https://WEBSITENAME.com 用于安全基础 url。
我希望网站前端(购物车除外)为 http,后端为 https。我需要做哪些改变?我的 nginx conf 是从几个来源拼凑而来的。
如有任何建议或帮助,我将不胜感激。我还附上了包含这些文件的 gist 链接。 https://gist.github.com/btray77/8867aa2fddc1803bfee0
谢谢
配置文件/etc/nginx/conf.d/export.conf:
## Restricted export folder: BOTH the IP allow-list AND basic auth must pass
## (satisfy all). The regex is unanchored, so it also matches any URI that
## merely contains "/var/export"; 1.2.3.4 is presumably a placeholder address.
location ~ /var/export {
satisfy all;
allow 1.2.3.4;
deny all;
auth_basic "Restricted";
## Relative path: resolved against the nginx prefix directory, not this file's.
auth_basic_user_file .htpasswd;
autoindex off;
}
配置文件/etc/nginx/conf.d/extra_protect.conf:
## Extra protection
## Regex locations are tried in the order they appear and the first match wins,
## so this file must be included before the generic "\.php$" handler.
## Magento internals that must never be web-reachable (the "." in local.xml is
## unescaped and so matches any single character there).
location ~ /(dev/tests/|errors/local.xml|cron\.php) { deny all; }
## Scripts, archives, dumps and editor swap files: close the connection without
## a response (444) rather than confirming the file exists.
location ~ ^/.*\.(sh|pl|swp|phar|sql|conf|zip|tar|.+gz)$ { return 444; }
## VCS metadata and the listed dot-files only; other dot-files (e.g. .env,
## .DS_Store) are NOT covered by this pattern.
location ~ /\.(svn|git|hg|htpasswd|bash|ssh) { return 444; }
## No PHP execution from asset/upload directories (case-insensitive match).
location ~* /(lib|media|shell|skin)/.*\.php$ { deny all; }
## Rate-limit account, checkout, search and contact endpoints. Zone "goeasy" is
## defined in nginx.conf (1 request/s per client IP); burst 5 then 429.
location ~ /(wishlist|customer|contact|review|catalogsearch|newsletter|(fire|one.+)?checkout)/ {
limit_req zone=goeasy burst=5;
limit_req_status 429;
## Keep the major crawlers out of these pages (410 Gone).
if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|YandexBot") { return 410; }
## Same dispatch as "location /": hand the request to the Magento front controller.
try_files $uri $uri/ @rewrite;
}
## Wordpress files and locations protection
## Only relevant if a WordPress install shares this document root; harmless
## otherwise. "deny all" answers 403.
location ~ /wp-config\.php { deny all; }
location ~ /wp-includes/(.*)\.php { deny all; }
location ~ /wp-admin/includes(.*)$ { deny all; }
## xmlrpc.php is a frequent brute-force target; nothing here needs it.
location ~ /xmlrpc\.php { deny all; }
## No PHP execution (including "phpX" variants) inside the uploads tree.
location ~ /wp-content/uploads/(.*)\.php(.?) { deny all; }
配置文件/etc/nginx/conf.d/headers.conf:
## Response headers for PHP responses (included inside "location ~ \.php$").
## nginx does NOT merge add_header across levels: because this location has
## add_header lines of its own, the server-level headers in magento.conf
## (HSTS, X-Frame-Options DENY, X-Content-Type-Options) are not inherited here.
## Anything wanted on PHP responses must therefore be listed in this file.
## Note this sets SAMEORIGIN while the server block sets DENY — pick one.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
## Legacy browser XSS filter; modern browsers have removed the auditor it controls.
add_header X-XSS-Protection "1; mode=block";
add_header X-UA-Compatible 'IE=Edge,chrome=1';
## Reveals backend processing time to every client; consider dropping in production.
add_header X-Processing-Time $request_time;
配置文件/etc/nginx/conf.d/pagespeed.conf:
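## ngx_pagespeed: rewrites HTML/CSS/JS/images on the fly (included per server).
pagespeed on;
## On-disk cache for rewritten resources; must be writable by the worker user.
pagespeed FileCachePath "/var/tmp/ngx_pagespeed_cache";
pagespeed LogDir "/var/log/pagespeed";
#to optimize images use: https://github.com/mikebrittain/Wesley
#pagespeed EnableFilters convert_gif_to_png;
#pagespeed EnableFilters insert_image_dimensions;
#pagespeed EnableFilters lazyload_images;
#pagespeed EnableFilters collapse_whitespace;
#pagespeed EnableFilters remove_comments;
#pagespeed EnableFilters flatten_css_imports;
#pagespeed EnableFilters insert_dns_prefetch;
#pagespeed EnableFilters extend_cache;
#pagespeed EnableFilters canonicalize_javascript_libraries;
## Active filters. EnableFilters is additive, so each filter is listed once
## (the former second copies of lazyload_images and collapse_whitespace were
## redundant and have been dropped).
pagespeed EnableFilters extend_cache;
pagespeed EnableFilters extend_cache_pdfs;
pagespeed EnableFilters combine_css;
pagespeed EnableFilters combine_javascript;
pagespeed EnableFilters move_css_above_scripts;
pagespeed EnableFilters insert_dns_prefetch;
pagespeed EnableFilters rewrite_images;
pagespeed EnableFilters prioritize_critical_css;
pagespeed EnableFilters rewrite_css;
pagespeed EnableFilters rewrite_style_attributes;
pagespeed EnableFilters convert_meta_tags;
pagespeed EnableFilters lazyload_images;
pagespeed EnableFilters collapse_whitespace;
#pagespeed EnableFilters move_css_to_head;
pagespeed EnableFilters remove_quotes;
## Inlines CSS/JS into the page: if a Content-Security-Policy without
## 'unsafe-inline' is ever added, these two filters will need hashes or nonces.
pagespeed EnableFilters inline_css;
pagespeed EnableFilters inline_javascript;
pagespeed EnableFilters convert_gif_to_png;
pagespeed EnableFilters insert_image_dimensions;
pagespeed EnableFilters remove_comments;
pagespeed EnableFilters flatten_css_imports;
#pagespeed EnableFilters defer_javascript;
pagespeed EnableFilters rewrite_javascript;
#pagespeed UseExperimentalJsMinifier on;
pagespeed StatisticsLogging on;
## Keep comments starting with "esi" intact (presumably edge-side-include markup).
pagespeed RetainComment "esi*";
# magento admin
## Never rewrite admin pages. NOTE(review): if phpMyAdmin is really reachable
## under the store's document root, its exposure on a production host is a
## larger concern than pagespeed rewriting it.
pagespeed Disallow "*index.php/admin/*";
pagespeed Disallow "*/admin/*";
pagespeed Disallow "*/phpMyAdmin/*";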
# configuration file /etc/nginx/conf.d/spider.conf:
# BLACKBOT
## Connection-dropping (444) user-agent deny-list, matched case-insensitively.
## The User-Agent header is client-controlled, so this is a nuisance filter,
## not a security boundary. Several entries are very broad substrings
## ("Microsoft", "Link", "Default", "Bolt", "Curious", "Go.*package.*") and
## will also drop legitimate clients whose UA happens to contain them — review
## before relying on it. Used at server level with a plain "return", which is
## the safe form of "if".
if ($http_user_agent ~* "360Spider|aiHitBot|Exabot|AhrefsBot|betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG|CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo|Default|DIIbot|DISCo|discobot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE|FlashGet|Findxbot|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack|ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot|JetCar|larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|lwp-trivial|Maxthon$|Mail.RU_Bot|MegaIndex.ru|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Microsoft|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage|Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch|Octopus|PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|PHPCrawl|PleaseCrawl|psbot|python-requests|RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler|SBIder|Scrapy|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|sitecheck.internetseer.com|SiteSnagger|SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap|tAkeOut|Teleport|Toata|TwengaBot|Typhoeus|URI::Fetch|User-Agent|voltron|Vagabondo|VoidEYE|webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE|zermelo|Zeus|Zeus.*Webster|ZyBorg")
{ return 444; }
配置文件/etc/nginx/fastcgi_params:
## CGI environment handed to PHP-FPM (included from "location ~ \.php$").
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
## $https is "on" only for TLS connections and empty otherwise, so with
## if_not_empty the HTTPS variable is simply absent on port 80. Magento 1 uses
## $_SERVER['HTTPS'] (and SERVER_PORT, which is commented out below) to decide
## whether a request is secure — presumably this is what keeps the http front
## end from being treated as https; confirm against the Magento store model.
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
#fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# magento
## Two-hour send/read timeouts let slow admin and import jobs finish, but also
## let a single slow request hold a PHP-FPM worker that long; size the pool
## accordingly.
fastcgi_connect_timeout 65;
fastcgi_send_timeout 7200;
fastcgi_read_timeout 7200;
配置文件/etc/nginx/mime.types:
## MIME map consulted via "include /etc/nginx/mime.types" in nginx.conf;
## anything not listed falls back to default_type application/octet-stream.
## Correct Content-Type matters once X-Content-Type-Options: nosniff is sent,
## because browsers will then refuse mistyped scripts and stylesheets.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
/etc/nginx/nginx.conf
## Worker processes run as the unprivileged "nginx" user (the master keeps the
## privileges it was started with).
user nginx;
## One worker per CPU core.
worker_processes auto;
## Per-worker open-file limit; must cover worker_connections plus the FDs held
## by open_file_cache below.
worker_rlimit_nofile 100000;
pid /var/run/nginx.pid;
events {
## Maximum simultaneous connections per worker (clients and upstream sockets).
worker_connections 2000;
multi_accept on;
## Linux-specific event method.
use epoll;
}
http {
## Directory index order; index.php is Magento's front controller.
index index.html index.php;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
log_format error403 '$remote_addr - [$time_local] "$request"';
keepalive_timeout 5;
autoindex off;
## Hide the nginx version in the Server header and error pages.
server_tokens off;
port_in_redirect off;
## Overridden to "off" inside the Magento server block.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 64m;
## Flood protection example
## Per-client-IP rate limit referenced by extra_protect.conf ("limit_req
## zone=goeasy"): 25 MB of shared state, 1 request/s sustained before burst.
limit_req_zone $binary_remote_addr zone=goeasy:25m rate=1r/s;
## Cache open FD
## NOTE(review): open_file_cache keeps descriptors plus size/mtime for up to
## open_file_cache_valid (7200s). If a JS/CSS file is rewritten in place with a
## different size, nginx can keep announcing the stale length until the entry
## is revalidated — a plausible cause of the ERR_SPDY_PROTOCOL_ERROR seen after
## asset updates that only a restart clears. Lowering open_file_cache_valid or
## deploying assets under new names would confirm or rule this out.
open_file_cache max=10000 inactive=3600s;
open_file_cache_valid 7200s;
open_file_cache_min_uses 2;
## Gzipping is an easy way to reduce page weight
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types application/javascript application/x-javascript text/javascript text/css;
gzip_buffers 16 8k;
gzip_comp_level 6;
## SSL global settings
## All disabled here; the live TLS settings are in sites-enabled/magento.conf.
## ssl_dhparam in particular is not set anywhere, which matters for the EDH
## cipher suites enabled there.
#ssl_session_cache shared:SSL:25m;
#ssl_session_timeout 15m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
#ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/ssl/certs/dhparams.pem;
#ssl_stapling on;
#resolver 8.8.8.8 8.8.4.4 valid=3600s;
#resolver_timeout 5s;
## Use when Varnish in front
## If enabled, list only the proxy's own address: set_real_ip_from decides
## whose X-Forwarded-For is trusted for $remote_addr, and therefore for the
## rate limit and the allow/deny rules.
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
## Multi shop code configuration
#include /etc/nginx/conf.d/multishop.conf;
## Map status to exclude from access log
## 404/410/444 responses are not logged. Those are exactly what the deny and
## bot rules produce, so probing and scanning activity is invisible in the
## access log — keep that in mind when investigating incidents.
map $status $writelog { 404 0; 410 0; 444 0; default 1; }
## Main domain configuration
## Glob results are sorted: default.conf (catch-all 444 on port 80) is read
## before magento.conf and so becomes the implicit default server for port 80.
include /etc/nginx/sites-enabled/*.conf;
}
配置文件/etc/nginx/sites-enabled/default.conf:
## Catch-all for plain-HTTP requests whose Host matches no other server_name.
## Being the first "listen 80" server read, it is the implicit default for
## port 80; 444 closes the connection without a response.
server {
listen 80;
return 444;
}
## With this block disabled there is no default TLS server: an HTTPS request
## for an unknown host/SNI is answered by the first "listen 443" block
## (magento.conf) and its certificate.
#server {
# listen 443 ssl default;
# ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
# ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
# return 444;
#}
配置文件/etc/nginx/sites-enabled/magento.conf:
## Add www
## Listens on port 80 only, so $scheme is always "http" here. An https://
## request for the bare domain never reaches this block; it lands on the www
## server below instead, whose certificate presumably covers the bare name too.
server {
listen 80;
server_name WEBSITENAME.com;
## Permanent redirect keeping path and query string.
return 301 $scheme://www.WEBSITENAME.com$request_uri;
}
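## Main Magento vhost: serves both plain HTTP (80) and TLS (443, HTTP/2).
server {
listen 80;
listen 443 http2 ssl;
#ssl on;
#Had issues with nginx sending only partial files
sendfile off;
## NOTE(review): server_name and root use a real hostname while logs and
## certificates use the WEBSITENAME placeholder — confirm they are the same site.
server_name www.overnightsupplements.com;
root /var/www/html/overnight;
## $writelog (map in nginx.conf) drops 404/410/444 entries from the access log.
access_log /var/log/nginx/access_www.WEBSITENAME.com.log main if=$writelog;
error_log /var/log/nginx/error_www.WEBSITENAME.com.log error;
## Pagespeed module
include /etc/nginx/conf.d/pagespeed.conf;
## Bots trap
include /etc/nginx/conf.d/spider.conf;
## SSL CONFIGURATION
ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
## TLS 1.0/1.1 are deprecated (RFC 8996); keep them only if legacy clients require it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
## Ephemeral (forward-secret) ECDH/DH key exchange with AES only. The EDH
## suites depend on ssl_dhparam, which is commented out in nginx.conf: old
## nginx then falls back to weak built-in 1024-bit DH parameters and newer
## releases disable DHE suites altogether — generate and set a dhparam file.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
## Tickets off so a long-lived ticket key cannot undermine forward secrecy.
ssl_session_tickets off; # Requires nginx >= 1.5.9
## OCSP stapling needs a "resolver" to reach the OCSP responder; with the
## resolver line below still commented out no stapled response is served and
## clients fall back to their own OCSP lookup.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
## HSTS for two years, all subdomains, plus a "preload" request. Once a browser
## has seen this header over HTTPS it rewrites every http:// URL for this host
## to https:// locally without asking the server — the opposite of serving the
## front end over plain HTTP — and "preload" cannot be quickly undone.
## Also note: nginx does not merge add_header across levels, so the locations
## below that set their own add_header (static assets, headers.conf for PHP)
## do NOT inherit these three headers; few responses actually carry them.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
## Magento's merged-JS endpoint: strip the trailing path part so that
## /js/index.php/x.js is handled by the PHP location as /js/index.php.
## The original line had no replacement ("rewrite regex last;" makes "last"
## the replacement string, not a flag); $1 is the captured script path.
location = /js/index.php/x.js {
rewrite ^(.*\.php)/ $1 last;
}
## Main Magento @location
location / {
try_files $uri $uri/ @rewrite;
}
## Server maintenance block.
#include /etc/nginx/conf.d/maintenance.conf;
## Error log/page
#include /etc/nginx/conf.d/error_page.conf;
## Export folder (IP allow-list + basic auth); included before the generic
## /var/ deny below so it wins the in-order regex match.
include /etc/nginx/conf.d/export.conf;
## These locations are protected
location ~ /(app|var|includes|pkginfo)/ {
deny all;
}
## Extra protection and limits
include /etc/nginx/conf.d/extra_protect.conf;
## Images and other static assets: served by nginx directly, never by PHP.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
access_log off;
## Was "add_header ETag """: add_header skips empty values and cannot remove
## the ETag the static handler sets, so that line was a no-op. "etag off" is
## the directive that actually suppresses the header.
etag off;
## nginx already sends Accept-Ranges: bytes for static files, so this
## duplicates it; as an add_header it also blocks inheritance of the
## server-level headers above (nosniff, X-Frame-Options) for assets.
add_header Accept-Ranges bytes;
}
location @rewrite {
## Everything not found on disk goes to the Magento front controller.
rewrite / /index.php?$args;
}
## Execute PHP scripts
location ~ \.php$ {
## Per-location headers (see headers.conf); the server-level add_header
## lines are not inherited here.
include /etc/nginx/conf.d/headers.conf;
## Only forward scripts that actually exist on disk to PHP-FPM.
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass 127.0.0.1:$port_switch;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## Store code with multi domain
#fastcgi_param MAGE_RUN_CODE $mage_code;
#fastcgi_param MAGE_RUN_TYPE $mage_type;
## Relative path: resolved against the nginx prefix directory.
include fastcgi_params;
}
}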
当您说 "frontend" 时,听起来您指的是网站的 public 部分,而对于 "backend" 部分,您指的是仅供管理员使用的网站区域。
考虑一下:与这种设计相比,"https-everywhere"(全站 HTTPS)要简单得多。原因如下:
- 如果您的站点上存在 "http" 与 "https" 之间的边界,就必须管理这条边界:每一个跨越边界的链接都必须确保切换协议。
- 当不安全(http)的资源被加载到站点的安全部分时,更容易出现 "Mixed Active Content"(混合活动内容)问题。
- 如果浏览器在访问网站的明文部分时,仍会发回本应只用于网站安全部分的 cookie,那么您的管理员仍可能遭受 cookie sidejacking(会话劫持)攻击。
SSL 证书很便宜,而且您本来就已经配置并在维护一张证书了。
因此,针对"重定向到 HTTPS"问题,我的第一个建议是干脆全站使用 HTTPS(HTTPS-everywhere)。这也是 Web 在 HTTP/2.0 下的发展方向,所以这样规划是向前兼容的。
其次,确认服务器过去没有启用过 HSTS。如果它曾发送过 "Strict-Transport-Security" header,浏览器可能已经缓存了该策略,之后会在本地直接改用 HTTPS 而不再询问服务器。如果是这种情况,下面这行可以禁用 HSTS:
add_header Strict-Transport-Security "max-age=0;";