Can the Varnish cache be hacked?

Time: 2016-06-10 00:35:55

Tags: caching varnish

Today the index pages of two of my domains (out of 9 domains) were being redirected to an Amazon page. All other pages were working fine. The site is custom coded.

The first thought was that the site had been hacked, but I did not find a single file modified in the last 24 hours. I went through the other possible options and found nothing.

The last unknown is Varnish, installed a few weeks ago. After restarting / purging the cache the redirects stopped...

So the question is: can the varnish cache be modified from outside?

I'm not a Varnish expert, since it has been on my server for a very short time, and I also know my config file is probably messy, but any advice is appreciated.

Thank you, Derek

Update: Thank you for the answer.

After flushing the cache and removing the redirect, the next day other domains were affected in the same way. Purging the single URL '/' removes the redirect until the next time. I set up a script that checks the page status to get the exact time it happens. I have the time, but cannot find much in the logs. No varnish commands in syslog.

Now it happens on two physical VPS servers with exactly the same source code.

Here are a few lines from varnishncsa, where the HEAD requests are my script; the first HEAD returns status 200 and the last one is a redirect - 302 redirect to Amazon.

1.2.3.4 - - [11/Jun/2016:22:40:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 200 0 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
107.170.81.129 - - [11/Jun/2016:22:40:29 -0400] "GET http://www.domain.ca/search/?catid=1&sub_catid=22&sub_sub_catid=34 HTTP/1.1" 200 5908 "http://www.domain.com/categories/sitemap/" "Mozilla/5.0 (compatible; spbot/5.0.2; +http://OpenLinkProfiler.org/bot )"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://www.domain.com/ HTTP/1.1" 302 205 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.91.12 - - [11/Jun/2016:22:40:39 -0400] "GET http://www.domain.com/robots.txt HTTP/1.1" 302 205 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://domain.com/robots.txt HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://domain.com/robots.txt HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:41 -0400] "GET http://www.domain.com/ HTTP/1.1" 200 4046 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.91.12 - - [11/Jun/2016:22:40:41 -0400] "GET http://domain.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
100.43.81.151 - - [11/Jun/2016:22:40:41 -0400] "GET http://domain.com/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
68.180.228.126 - - [11/Jun/2016:22:40:48 -0400] "GET http://www.domain.ca/profile/Faro HTTP/1.1" 200 7060 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
104.193.88.243 - - [11/Jun/2016:22:40:55 -0400] "GET http://www.domain.uk/search/?catid=377&sub_catid=448&sub_sub_catid=461 HTTP/1.1" 200 33613 "-" "Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
117.78.13.18 - - [11/Jun/2016:22:41:13 -0400] "GET http://www.domain.com/robots.txt HTTP/1.0" 200 405 "-" "nutch-1.4/Nutch-1.4"
1.2.3.4 - - [11/Jun/2016:22:41:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 302 0 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

Here are the headers at the time of the redirect:

Request URL: http://www.example.com/
Request method: GET
Remote address: 1.2.3.4:80
Status code: 302 Found
Version: HTTP/1.1


Request headers:
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response headers:

Age: 37681
Cache-Control: public
Connection: keep-alive
Content-Length: 205
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 12 Jun 2016 02:40:41 GMT
Location: http://www.amazon.com
Server: Apache
Via: 1.1 varnish-v4
X-Varnish: 1249239 1443890



Request URL: http://www.amazon.com/
Request method: GET
Remote address: 54.239.25.200:80
Status code: 301 MovedPermanently
Version: HTTP/1.1


Request headers:

Host: www.amazon.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response headers:
Content-Encoding: gzip
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 12 Jun 2016 13:08:43 GMT
Location: https://www.amazon.com/179-0743706-1316952
P3P: policyref="https://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA 
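The captured headers and the varnishncsa lines can be read together to pin down when the redirect entered the cache and which fetch created it. The script below is an added example, not code from the question or from the Varnish project. It assumes, as Varnish 4 does, that the Date header on a cached object is the one recorded at fetch time and that Age counts from that fetch, so Date is roughly the insertion time and Date + Age is when the headers were captured; it also uses the second X-Varnish id, which identifies the backend fetch that produced the object. The header and log samples are constructed from the question's own capture, with user-agent strings shortened.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the response headers of the cached redirect, copied from
# the capture in the question (only the fields this script needs).
CACHED_REDIRECT_HEADERS = """\
Age: 37681
Cache-Control: public
Content-Length: 205
Date: Sun, 12 Jun 2016 02:40:41 GMT
Location: http://www.amazon.com
Via: 1.1 varnish-v4
X-Varnish: 1249239 1443890
"""

# Constructed varnishncsa lines modelled on the question's excerpt (user-agent
# strings shortened; 1.2.3.4 is the monitoring script, as in the question).
SAMPLE_LOG = """\
1.2.3.4 - - [11/Jun/2016:22:40:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 200 0 "-" "curl/7.19.7"
100.43.81.151 - - [11/Jun/2016:22:40:39 -0400] "GET http://www.domain.com/ HTTP/1.1" 302 205 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
100.43.81.151 - - [11/Jun/2016:22:40:41 -0400] "GET http://www.domain.com/ HTTP/1.1" 200 4046 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
117.78.13.18 - - [11/Jun/2016:22:41:13 -0400] "GET http://www.domain.com/robots.txt HTTP/1.0" 200 405 "-" "nutch-1.4/Nutch-1.4"
1.2.3.4 - - [11/Jun/2016:22:41:23 -0400] "HEAD http://www.domain.com/ HTTP/1.1" 302 0 "-" "curl/7.19.7"
"""

# Default varnishncsa format: %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_entry_times(headers):
    """Return (inserted_at, captured_at) as timezone-aware datetimes.

    Assumption (Varnish 4 behaviour): Date is the backend's Date kept on the
    cached object, so it approximates the fetch time, and Date + Age is the
    moment this copy was served.
    """
    date = parsedate_to_datetime(headers["date"])
    age = timedelta(seconds=int(headers["age"]))
    return date, date + age


def backend_vxid(headers):
    """The second X-Varnish id is the backend fetch that created the object."""
    ids = headers["x-varnish"].split()
    return ids[1] if len(ids) > 1 else None


def parse_ncsa(text):
    """Parse default-format varnishncsa lines; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = NCSA_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def find_status_flips(entries, url, good=200, bad=302):
    """Return (previous, current) pairs where url's status flips good -> bad."""
    flips, last = [], None
    for e in entries:
        if e["url"] != url:
            continue
        if last is not None and last["status"] == good and e["status"] == bad:
            flips.append((last, e))
        last = e
    return flips


def requests_near(entries, when, window=timedelta(seconds=5)):
    """Log entries within `window` of `when`, the candidates for the fetch."""
    return [e for e in entries if abs(e["ts"] - when) <= window]


if __name__ == "__main__":
    hdrs = parse_headers(CACHED_REDIRECT_HEADERS)
    inserted, captured = cache_entry_times(hdrs)
    print("object entered cache at", inserted, "; captured at", captured)
    print("backend fetch vxid:", backend_vxid(hdrs))
    log = parse_ncsa(SAMPLE_LOG)
    for prev, cur in find_status_flips(log, "http://www.domain.com/"):
        print("flip", prev["status"], "->", cur["status"], "at", cur["ts"], "for", cur["ip"])
    for e in requests_near(log, inserted):
        print("near insertion:", e["ts"], e["method"], e["url"], e["status"], e["ip"])
```

Run against the real varnishncsa file, the entries near the insertion time are the requests whose backend fetch could have produced the cached 302, and the backend vxid can be looked up with a varnishlog VSL query (`-q 'vxid == 1443890'`) if the shared-memory log or a `varnishlog -w` file still covers that moment. One thing worth checking in the VCL while doing this: the `vcl_backend_response` branch for `bereq.url == "/"` sets a 24h TTL and `Cache-Control: public` without looking at `beresp.status`, which matches the headers on the captured 302; adding `beresp.status == 200` to that condition keeps a backend redirect for `/` from being pinned in the cache for a day.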

All domains have been online for about 2 years without any issues, and Varnish was installed 2 weeks ago.

Right now I'm forced to pass 'index', and if no solution is found I will try downgrading Varnish to see if it helps.

Also, I don't know where to start, or where to look???

Here is my default.vcl file

vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "2.3.4.5";
    .port = "8080";
    .first_byte_timeout = 300s;
    .connect_timeout = 5s;
    .between_bytes_timeout = 60s;
}

acl allowed_ip {
    # Access Control List used to warm up the cache
    "1.2.3.0/22";
    "2.3.4.5";
}


sub vcl_recv {

    # Do not cache 
    if ( req.url ~ "^/sitemap-(index|ads|profiles|static)\.xml")
    { return( pass ); }


    # Do not allow external access
    if (req.url ~ "^/(crone_job|sitemap_generator)\.php" && client.ip !~ allowed_ip) {
        set req.url = "/";
    }


    # Detect device and redirect to proper site
    if ( (req.http.host ~ "www\.domain\.(ca|com|uk)" ||
        req.http.host ~ "^domain\.(ca|com|uk)" ) &&
        !(req.url ~ "\.(jpg|jpeg|png|gif|bmp|mp4|ogv|webm|m4a|ogg|doc|docx|xls|xlsx|pps|ppt|pptx|txt|rtf|csv|xml|pdf|zip|odf|ods)$" )) {

        call device_detection;
    }

    # Redirect non-www domain to www
    if (req.http.host ~ "^domain\.(ca|com|uk)$") {
       return (synth (750, ""));
    }

    # Only deal with "normal" types
      if (req.method != "GET" &&
          req.method != "HEAD" &&
          req.method != "PUT" &&
          req.method != "POST" &&
          req.method != "TRACE" &&
          req.method != "OPTIONS" &&
          req.method != "PATCH" &&
          req.method != "DELETE") {
       # /* Non-RFC2616 or CONNECT which is weird. */
        return (pipe);
      }

      # Only cache GET or HEAD requests. This makes sure the POST requests are always passed.
      if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
      }

      # First remove the Google Analytics added parameters, useless for our backend
      if (req.url ~ "(\?|&)(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=") {
          set req.url = regsuball(req.url, "&(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "");
          set req.url = regsuball(req.url, "\?(utm_source|utm_medium|utm_campaign|utm_content|gclid|cx|ie|cof|siteurl)=([A-z0-9_\-\.%25]+)", "?");
          set req.url = regsub(req.url, "\?&", "?");
          set req.url = regsub(req.url, "\?$", "");
      }


      # Remove the "has_js" cookie
      set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

      # Remove any Google Analytics based cookies
      set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "_ga=[^;]+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "_gat=[^;]+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=[^;]+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=[^;]+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=[^;]+(; )?", "");


      if (req.http.Cookie ~ "user_name=" || req.http.Cookie == "registeredDevice") {
          set req.http.Cookie = ";" + req.http.Cookie;
          set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
          set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|user_name|registeredDevice)=", "; \1=");
          set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
          set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

         if (req.http.Cookie == "") {
              unset req.http.Cookie;
          }
      }



      # Are there cookies left with only spaces or that are empty?
      if (req.http.cookie ~ "^\s*$") {
          unset req.http.cookie;
      }


      # Remove all cookies for static files
      if (req.url ~ "^[^?]*\.(css|jpeg|jpg|js|txt|ico)(\?.*)?$"){
        unset req.http.Cookie;
         return (hash);
      }

      if (req.url ~ "^/image.php." || 
          req.url ~ "publication.php" ||
          req.url ~ "google_map.php" ) {
        unset req.http.Cookie;
      }

      # Send Surrogate-Capability headers to announce ESI support to backend
      set req.http.Surrogate-Capability = "key=ESI/1.0";



    # if (req.http.Authorization || req.method == "POST") {
    if ( req.method == "POST") {
        return (pass);
    }

    # Normalizing namespace
    if (req.http.host ~ "(?i)^(www.)?domain.ca") {
        set req.http.host = "www.domain.ca"; } 

    if (req.http.host ~ "(?i)^(www.)?domain.com") {
        set req.http.host = "www.domain.com"; }

    if (req.http.host ~ "(?i)^(www.)?domain.uk") {
        set req.http.host = "www.domain.uk"; }



#   the script varnish-cache-warmup.sh must always refresh the cache
    if (client.ip ~ allowed_ip && req.http.Cache-Control ~ "no-cache") {
        set req.hash_always_miss = true;
    }
}

sub vcl_backend_response {

    if(
       bereq.url == "/" ||
       bereq.url == "/about-us/" ||
       bereq.url == "/contact/" ||
       bereq.url == "/blog/" ||
       bereq.url == "/categories/sitemap/" ||
       bereq.url == "/help/"  
                                    ){

       # cache, ignoring any cache headers
       set beresp.ttl = 24h;


       unset beresp.http.Pragma;
       unset beresp.http.Set-Cookie;
       set beresp.http.Cache-Control = "public"; # max-age=0; s-maxage=1800";
       unset beresp.http.Expires;
       set bereq.http.Cookie = regsuball(bereq.http.Cookie, "PHPSESSID=[^;]+(; )?", "");
       unset bereq.http.Cookie;

     }


    if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
        unset beresp.http.Surrogate-Control;
        set beresp.do_esi = true;
    }


    # Enable cache for all static files
    if (bereq.url ~ "^[^?]*\.(css|jpeg|jpg|js|txt|ico)(\?.*)?$") {  
       unset beresp.http.set-cookie;
    }

    if (bereq.url ~ "^/image.php.") {
       unset beresp.http.set-cookie;
    } 


    # Varnish 4 fully supports Streaming, so use streaming here to avoid locking.
    if (bereq.url ~ "^[^?]*\.(7z|avi|bz2|flac|flv|gz|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|rar|tar|tgz|tbz|txz|wav|webm|xz|zip)(\?.*)?$") {
       unset beresp.http.set-cookie;
       set beresp.do_stream = true;  # Check memory usage it'll grow in fetch_chunksize blocks (128k by default) if the backend doesn't send a Content-Length header, so only enable it for big objects
       set beresp.do_gzip   = false;   # Don't try to compress it for storage
    }


    # Set 2min cache if unset for static files
    if (beresp.ttl <= 0s || beresp.http.Set-Cookie || beresp.http.Vary == "*") {
        set beresp.ttl = 120s; # Important, you shouldn't rely on this, SET YOUR HEADERS in the backend
        set beresp.uncacheable = true;
       return (deliver);
    }

    # Don't cache 50x responses
    if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504 || beresp.status == 403) {
        return (abandon);
    }
    # Allow stale content, in case the backend goes down.
    # make Varnish keep all objects for 6 hours beyond their TTL
        set beresp.grace = 6h;


    return (deliver);
}

sub vcl_deliver {


}

sub vcl_synth {

   # Redirect non-www domain to www
   if (resp.status == 750) {
    set resp.status = 301;
    set resp.http.Location = "http://www." + req.http.host + req.url;
    return(deliver);
   }

   # Redirect to mobile site
   if (resp.status == 751) {
    set resp.status = 301;
    set req.http.host = regsub(req.http.host, "^www\.","");
    set resp.http.Location = "http://m." + req.http.host + req.url;
    return(deliver);
   }

}

sub device_detection {

      set req.http.X-Device = "pc";
      if (req.http.User-Agent ~ "iP(hone|od)" || 
              req.http.User-Agent ~ "Android" || 
              req.http.User-Agent ~ "Symbian" || 
              req.http.User-Agent ~ "^BlackBerry" || 
              req.http.User-Agent ~ "^SonyEricsson" || 
              req.http.User-Agent ~ "^Nokia" || 
              req.http.User-Agent ~ "^SAMSUNG" || 
              req.http.User-Agent ~ "^LG" || 
              req.http.User-Agent ~ "webOS") 
          { set req.http.X-Device = "mobile"; } 

          if (req.http.User-Agent ~ "^PalmSource")
          { set req.http.X-Device = "mobile"; }

      if (req.http.User-Agent ~ "Build/FROYO" || 
              req.http.User-Agent ~ "XOOM" ) {
        set req.http.X-Device = "pc";
      }

      if (req.http.X-Device == "mobile") {

              return (synth(751, ""));
     }
}

1 answer:

Answer 0: (score: 1)

Varnish is software like any other, so it is hard to give guarantees.

Judging by past events, Varnish has a very good security history and appears to be basically secure.

As far as your VCL is concerned, there is nothing in there that allows the behaviour you describe. In fact, introducing something like that at the Varnish level would be very hard, because Varnish generally does not support rewriting/changing response bodies.