我正在使用Symphony 2.6和Nginx 1.4。这个问题已经被问了好几次,但所有提供的答案或解决方案对我来说都不起作用。
我希望新Linux计数器项目完全只是SSL,但不管我是否在nginx的vhost文件中设置重定向到端口443,或者我是否将security_ymnel https添加到security.yml或添加[https]对于routing.yml,访问页面时一切都会导致无限循环。
尽管如此,SSL工作没有问题。从vhost文件中删除所有重定向并从security.yml和routing.yml中删除https时,一切正常,您可以访问例如:https://www.linuxcounter.net/login,没有任何问题。
这是vhost文件没有强制使用SSL:
server {
listen 80;
server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
root /srv/www.linuxcounter.net/web;
client_max_body_size 128M;
location ~ ^/update\.php(/|$) {
root /srv/www.linuxcounter.net/web;
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
location / {
try_files $uri /app.php$is_args$args;
}
location ~* ^/user/([0-9]+)\.html$ {
root /srv/www.linuxcounter.net/web;
rewrite /user/([0-9]+)\.html /user/$1 last;
internal;
}
location ~* /(cert|mcert)/[0-9]+\.png$ {
root /srv/www.linuxcounter.net/web;
rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
expires -1;
add_header Cache-Control private;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
internal;
}
location ~* \.(js|jpg|png|css)$ {
root /srv/www.linuxcounter.net/web;
expires 30d;
}
error_log /LOGS/www.linuxcounter.net_error_log;
access_log /LOGS/www.linuxcounter.net_access_log;
}
server {
listen 443 default;
server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
root /srv/www.linuxcounter.net/web;
client_max_body_size 128M;
ssl on;
ssl_certificate /etc/nginx/ssl/2015-04-02-www.linuxcounter.net-cert-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/2015-04-02-www.linuxcounter.net.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
ssl_prefer_server_ciphers on;
location ~ ^/update\.php(/|$) {
root /srv/www.linuxcounter.net/web;
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
}
location / {
try_files $uri /app.php$is_args$args;
}
location ~* /(cert|mcert)/[0-9]+\.png$ {
root /srv/www.linuxcounter.net/web;
rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
expires -1;
add_header Cache-Control private;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
internal;
}
location ~* \.(js|jpg|png|css)$ {
root /srv/www.linuxcounter.net/web;
expires 30d;
}
error_log /LOGS/www.linuxcounter.net_error_log;
access_log /LOGS/www.linuxcounter.net_access_log;
}
这是vhost文件 WITH 强制使用SSL:
server {
listen 80;
server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
root /srv/www.linuxcounter.net/web;
return 301 https://www.linuxcounter.net$request_uri;
}
server {
listen 443 ssl;
server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
root /srv/www.linuxcounter.net/web;
client_max_body_size 512M;
# ssl on;
ssl_certificate /etc/nginx/ssl/2015-04-02-www.linuxcounter.net-cert-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/2015-04-02-www.linuxcounter.net.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
ssl_prefer_server_ciphers on;
location ~ ^/update\.php(/|$) {
root /srv/www.linuxcounter.net/web;
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
}
location / {
try_files $uri /app.php$is_args$args;
}
location ~* /(cert|mcert)/[0-9]+\.png$ {
root /srv/www.linuxcounter.net/web;
rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
expires -1;
add_header Cache-Control private;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass php;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
internal;
}
location ~* \.(js|jpg|png|css)$ {
root /srv/www.linuxcounter.net/web;
expires 30d;
}
error_log /LOGS/www.linuxcounter.net_error_log;
access_log /LOGS/www.linuxcounter.net_access_log;
}
只要将vhost文件替换为在端口80上重定向到SSL的文件,我就会在所有页面,链接或路由上只获得无限循环。
因此,当浏览到https://www.linuxcounter.net/login时,/ login会重新加载301重定向15或20次,直到出现无限循环的错误消息。
但是使用第一个vhost文件,整个页面正在使用https://没有问题。
这是我的routing.yml:
syw_front_main:
resource: "@SywFrontMainBundle/Controller/"
type: annotation
prefix: /
host: %base_host%
fos_user:
resource: "@FOSUserBundle/Resources/config/routing/all.xml"
host: %base_host%
easy_admin_bundle:
resource: "@EasyAdminBundle/Controller/"
type: annotation
prefix: /admin
host: %base_host%
shtumi_useful:
resource: '@ShtumiUsefulBundle/Resources/config/routing.xml'
host: %base_host%
blade_tester_light_news_bundle:
resource: "@BladeTesterLightNewsBundle/Resources/config/routing.yml"
prefix: /news
host: %base_host%
syw_front_api:
resource: "@SywFrontApiBundle/Controller/"
type: annotation
prefix: /
host: %api_host%
这是我的security.yml:
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
# http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
encoders:
FOS\UserBundle\Model\UserInterface: sha512
# http://symfony.com/doc/current/book/security.html#hierarchical-roles
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
# http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
# in_memory:
# memory:
# users:
# user: { password: userpass, roles: [ 'ROLE_USER' ] }
# admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
form_login:
# login success redirecting options (read further below)
always_use_default_target_path: false
default_target_path: fos_user_profile_show
use_referer: true
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
form_login:
# login success redirecting options (read further below)
always_use_default_target_path: false
default_target_path: fos_user_profile_show
use_referer: true
# with these settings you can restrict or allow access for different parts
# of your application based on roles, ip, host or methods
# http://symfony.com/doc/current/cookbook/security/access_control.html
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: /admin, role: ROLE_ADMIN }
对我而言,一切似乎都很安静......
但我不能让它发挥作用。
所以,我想要的是:
如果有人访问http://*linuxcounter.net,那么他应该将301重定向到https://*linuxcounter.net
答案 0 :(得分:0)
好的......经过几个小时的尝试和测试后,我现在遇到了一个非常优化的解决方案,但它正在发挥作用。
我现在只是在Symfony的/app.php顶部进行重定向:
if ($_SERVER["HTTP_X_FORWARDED_PROTO"] == "http") {
$redir = "Location: https://www.linuxcounter.net" . $_SERVER["REQUEST_URI"];
header($redir);
exit();
}
这有效,并且不会产生任何无限循环。
答案 1 :(得分:0)
为什么不使用symfony,因为它意味着要使用?
我在许多项目中使用该设置。现在我不是100%,如果重定向没有任何其他设置,但我明天可以查找,如果没有。我认为这应该有用,试试吧。