Magento 2使用Varnish和Nginx作为SSL终止 - 无尽重定向

时间:2017-06-08 03:22:08

标签: ssl nginx magento2 centos7 varnish

那里有Nginx / Varnish / SSL专家吗?我成功配置了CentOS7服务器并运行Magento 2.17。然后我决定我想通过SSL运行所有内容并使Varnish仍然缓存页面。

由于Varnish无法处理SSL,因此我重新配置了Varnish和Nginx以进行SSL终止。 Nginx当前配置为侦听端口443并将请求传递到端口8081上的Varnish。然后Varnish将提供查询并将其返回到Nginx侦听端口8080.当我发出HTTPS请求时,nginx成功通过它到Varnish然后,据我从日志中可以看出,它在浏览器关闭之前重定向20次并显示消息,"页面没有正确重定向。"

它可能是一些小而愚蠢的东西,我无法发现,第二组眼睛真的很受欢迎。

我的test.com域的nginx test.conf文件:



## Proxy server to terminate ssl, loop to Varnish-HTTP -> nginx-HTTPS
server {
    listen 443 ssl http2;
    server_name test.com;

    sub_filter 'http://'  'https://';
    sub_filter_once off;

    ## SSL CONFIGURATION
    ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;


    # proxy-pass to Varnish
    location / {
        proxy_pass  http://127.0.0.1:8081;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Host $host;
        proxy_set_header X-Scheme https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Secure on;
    }
}

server {
    listen 8080;
    server_name test.com;

    access_log  /var/log/nginx/access.log  main if=$writelog;
    error_log   /var/log/nginx/error.log  error;

    if ($bad_client) { return 444; }

    set $MAGE_ROOT /home/test/public_html;  
    root $MAGE_ROOT/pub;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;       
        }
 
    ## Process php files (strict rule, define files to be executed)
    location ~ (index|get|static|report|btNenBhQtLNu_opcache_gui|404|503)\.php$ {
        try_files $uri =404;
        ## specific security and compatibility headers
        add_header X-Config-By 'Test' always;
        add_header X-Processing-Time $request_time always;
        add_header X-Request-ID $request_id always;
        add_header Strict-Transport-Security $hsts_header always;
        add_header X-UA-Compatible 'IE=Edge,chrome=1';
        add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"" always;

        ## php backend settings
        fastcgi_pass        127.0.0.1:9000;
        fastcgi_index       index.php;
        include         fastcgi_params;
        fastcgi_keep_conn       on;

        # microcache    
        fastcgi_no_cache $no_cache;
        fastcgi_cache_bypass $no_cache;
        fastcgi_cache microcache;
        fastcgi_cache_key $scheme|$host|search|$arg_q;
        fastcgi_cache_valid 200 301 302 2h;
        fastcgi_cache_use_stale updating error timeout invalid_header http_500;
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        # microcache
    }

    ## Block other undefined php files, possible injections and random malware hooks.
    location ~* \.php$ { return 404; }      
}
&#13;
&#13;
&#13;

varnish.params文件:

&#13;
&#13;
# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings

# Set this to 1 to make systemd reload try to switch VCL without restart.
RELOAD_VCL=1

# Main configuration file. You probably want to change it.
VARNISH_VCL_CONF=/etc/varnish/default.vcl

# Default address and port to bind to. Blank address means all IPv4
# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
# quad, or an IPv6 address in brackets.
VARNISH_LISTEN_ADDRESS=127.0.0.1
VARNISH_LISTEN_PORT=8081

# Admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082

# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret

# Backend storage specification, see Storage Types in the varnishd(5)
# man page for details.
VARNISH_STORAGE="malloc,1G"

# User and group for the varnishd worker processes
VARNISH_USER=varnish
VARNISH_GROUP=varnish

# Other options, see the man page varnishd(1)
DAEMON_OPTS="-p thread_pool_min=200 \
        -p thread_pool_max=4000 \
        -p thread_pool_add_delay=2 \
        -p cli_timeout=25 \
        -p cli_buffer=26384 \
        -p syslog_cli_traffic=off \
        -p feature=+esi_disable_xml_check,+esi_ignore_other_elements \
        -p vcc_allow_inline_c=on \
        -p timeout_linger=100"
&#13;
&#13;
&#13;

清漆default.vcl:

&#13;
&#13;
vcl 4.0;
import std;
# The minimal Varnish version is 4.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'SSL-OFFLOADED: https'
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
acl purge {
     "localhost";
     "127.0.0.1";
}
sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip !~ purge) {
            return (synth(405, "Method not allowed"));
        }
        if (!req.http.X-Magento-Tags-Pattern) {
            return (synth(400, "X-Magento-Tags-Pattern header required"));
        }
        ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
        return (synth(200, "Purged"));
    }
    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "PUT" &&
        req.method != "POST" &&
        req.method != "TRACE" &&
        req.method != "OPTIONS" &&
        req.method != "DELETE") {
          /* Non-RFC2616 or CONNECT which is weird. */
          return (pipe);
    }
    # We only deal with GET and HEAD by default
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }
    # Bypass shopping cart, checkout and search requests
    if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
        return (pass);
    }
    # normalize url in case of leading HTTP scheme and domain
    set req.url = regsub(req.url, "^http[s]?://", "");         
    # collect all cookies
    std.collect(req.http.Cookie);
    # Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
            # No point in compressing these
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unkown algorithm
            unset req.http.Accept-Encoding;
        }          
    }
    # Remove Google gclid parameters to minimize the cache objects
    set req.url = regsuball(req.url,"\?gclid=[^&]+$",""); # strips when QS = "?gclid=AAA"
    set req.url = regsuball(req.url,"\?gclid=[^&]+&","?"); # strips when QS = "?gclid=AAA&foo=bar"
    set req.url = regsuball(req.url,"&gclid=[^&]+",""); # strips when QS = "?foo=bar&gclid=AAA" or QS = "?foo=bar&gclid=AAA&bar=baz"
    # static files are always cacheable. remove SSL flag and cookie
        if (req.url ~ "^/(pub/)?(media|static)/.*\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
        unset req.http.Https;    
        unset req.http.SSL-OFFLOADED;                 
        unset req.http.Cookie;
    }
    return (hash);
}        
sub vcl_hash {
    if (req.http.cookie ~ "X-Magento-Vary=") {
        hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
    }
    # For multi site configurations to not cache each other's content
    if (req.http.host) {      
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);     
    }
    # To make sure http users don't see ssl warning   
    if (req.http.SSL-OFFLOADED) {
        hash_data(req.http.SSL-OFFLOADED);
    }

}
sub vcl_backend_response {
    if (beresp.http.content-type ~ "text") {            
        set beresp.do_esi = true;
    }                 
    if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
        set beresp.do_gzip = true;
    }
    # cache only successfully responses and 404s
    if (beresp.status != 200 && beresp.status != 404) {
        set beresp.ttl = 0s;
        set beresp.uncacheable = true;
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;     
        set beresp.ttl = 86400s;
        return (deliver);
    }
    if (beresp.http.X-Magento-Debug) {               
        set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
    }
    # validate if we need to cache it and prevent from setting cookie
    # images, css and js are cacheable by default so we have to remove cookie also
    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
        unset beresp.http.set-cookie;
        if (bereq.url !~ "\.(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)(\?|$)") {
            set beresp.http.Pragma = "no-cache";
            set beresp.http.Expires = "-1";
            set beresp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
            set beresp.grace = 1m;
        }
    }
   # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
   if (beresp.ttl <= 0s ||
        beresp.http.Surrogate-control ~ "no-store" ||
        (!beresp.http.Surrogate-Control && beresp.http.Vary == "*")) {
        # Mark as Hit-For-Pass for the next 2 minutes
        set beresp.ttl = 120s;                
        set beresp.uncacheable = true;
    }
    return (deliver);
}
sub vcl_deliver {                
    if (resp.http.X-Magento-Debug) {
        if (resp.http.x-varnish ~ " ") {
            set resp.http.X-Magento-Cache-Debug = "HIT";
        } else {
            set resp.http.X-Magento-Cache-Debug = "MISS";
        }
    } else {
        unset resp.http.Age;
    }
    unset resp.http.X-Magento-Debug;
    unset resp.http.X-Magento-Tags;                     
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
    unset resp.http.X-Varnish;
    unset resp.http.Via;          
    unset resp.http.Link;
}
&#13;
&#13;
&#13;

netstat报告端口:

&#13;
&#13;
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1027/php-fpm: maste 
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      733/hhvm            
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2721/mysqld         
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      13657/redis-server  
tcp        0      0 0.0.0.0:5131            0.0.0.0:*               LISTEN      1412/proftpd: (acce 
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      997/memcached       
tcp        0      0 127.0.0.1:6380          0.0.0.0:*               LISTEN      1028/redis-server 1 
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      9142/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9142/nginx: master  
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      9760/varnishd       
tcp        0      0 127.0.0.1:11000         0.0.0.0:*               LISTEN      2308/lookup-domain- 
tcp        0      0 0.0.0.0:7224            0.0.0.0:*               LISTEN      984/sshd            
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9142/nginx: master  
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      9760/varnishd       
tcp        0      0 0.0.0.0:17668           0.0.0.0:*               LISTEN      2861/perl           
tcp6       0      0 :::7224                 :::*                    LISTEN      984/sshd    
&#13;
&#13;
&#13;

Varnish重定向请求的日志(有20个;这些是2个):

&#13;
&#13;
*   << Request  >> 294986    
-   Begin          req 294985 rxreq
-   Timestamp      Start: 1496891464.408694 0.000000 0.000000
-   Timestamp      Req: 1496891464.408694 0.000000 0.000000
-   ReqStart       127.0.0.1 4702
-   ReqMethod      GET
-   ReqURL         /
-   ReqProtocol    HTTP/1.0
-   ReqHeader      X-Forwarded-For: 69.227.13.164
-   ReqHeader      X-Forwarded-Host: test.com
-   ReqHeader      Host: test.com
-   ReqHeader      X-Scheme: https
-   ReqHeader      X-Real-IP: 69.227.13.164
-   ReqHeader      X-Forwarded-Proto: https
-   ReqHeader      X-Forwarded-Port: 443
-   ReqHeader      X-Secure: on
-   ReqHeader      Connection: close
-   ReqHeader      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
-   ReqHeader      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-   ReqHeader      Accept-Language: en-US,en;q=0.5
-   ReqHeader      Accept-Encoding: gzip, deflate, br
-   ReqHeader      Cookie: PHPSESSID=344hlkmot8oi8ooop0ugnprc47
-   ReqHeader      DNT: 1
-   ReqHeader      Upgrade-Insecure-Requests: 1
-   ReqUnset       X-Forwarded-For: 69.227.13.164
-   ReqHeader      X-Forwarded-For: 69.227.13.164, 127.0.0.1
-   VCL_call       RECV
-   ReqURL         /
-   ReqUnset       Accept-Encoding: gzip, deflate, br
-   ReqHeader      Accept-Encoding: gzip
-   ReqURL         /
-   ReqURL         /
-   ReqURL         /
-   VCL_return     hash
-   VCL_call       HASH
-   VCL_return     lookup
-   VCL_call       MISS
-   VCL_return     fetch
-   Link           bereq 294987 fetch
-   Timestamp      Fetch: 1496891464.447563 0.038869 0.038869
-   RespProtocol   HTTP/1.1
-   RespStatus     302
-   RespReason     Found
-   RespHeader     Server: nginx
-   RespHeader     Date: Thu, 08 Jun 2017 03:11:04 GMT
-   RespHeader     Content-Type: text/html; charset=UTF-8
-   RespHeader     Location: https://test.com/
-   RespHeader     Pragma: no-cache
-   RespHeader     Cache-Control: max-age=0, must-revalidate, no-cache, no-store
-   RespHeader     Expires: Wed, 08 Jun 2016 03:11:04 GMT
-   RespHeader     X-Magento-Debug: 1
-   RespHeader     X-Content-Type-Options: nosniff
-   RespHeader     X-XSS-Protection: 1; mode=block
-   RespHeader     X-Frame-Options: SAMEORIGIN
-   RespHeader     X-Config-By: Honey
-   RespHeader     X-Processing-Time: 0.039
-   RespHeader     X-Request-ID: ce5053ee7177817d0d8f612aff673a32
-   RespHeader     X-UA-Compatible: IE=Edge,chrome=1
-   RespHeader     Link: <http://test.com/>; rel="canonical"
-   RespHeader     Content-Encoding: gzip
-   RespHeader     Vary: Accept-Encoding
-   RespHeader     X-Varnish: 294986
-   RespHeader     Age: 0
-   RespHeader     Via: 1.1 varnish-v4
-   VCL_call       DELIVER
-   RespHeader     X-Magento-Cache-Debug: MISS
-   RespUnset      X-Magento-Debug: 1
-   RespUnset      Server: nginx
-   RespUnset      X-Varnish: 294986
-   RespUnset      Via: 1.1 varnish-v4
-   RespUnset      Link: <http://test.com/>; rel="canonical"
-   VCL_return     deliver
-   Timestamp      Process: 1496891464.447622 0.038928 0.000059
-   RespHeader     Content-Length: 20
-   Debug          "RES_MODE 2"
-   RespHeader     Connection: close
-   Timestamp      Resp: 1496891464.447669 0.038975 0.000047
-   ReqAcct        540 0 540 600 20 620
-   End            

*   << Session  >> 294985    
-   Begin          sess 0 HTTP/1
-   SessOpen       127.0.0.1 4702 127.0.0.1:8081 127.0.0.1 8081 1496891464.408655 19
-   Link           req 294986 rxreq
-   SessClose      RESP_CLOSE 0.039
-   End  
&#13;
&#13;
&#13;

1 个答案:

答案 0 :(得分:0)

您似乎已向<If "-R '192.0.0.1'"> SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on </If> 发布了重定向,因为您的后端并不知道它是通过HTTPS提供的(并且可能是您将其配置为,因此它会生成https链接等)。你需要说服Magento使用HTTPS,即使它看起来不是这样。在与Apache类似的设置中,我使用:

ngModelChange

不确定NGINX的语法是什么,但希望这会让你走上正轨。