Fatal编程技术网
  • symfony/
  • Symfony生产网站不强制使用https(使用nginx)

Symfony生产网站不强制使用https(使用nginx)

symfony nginx https

Symfony生产网站不强制使用https(使用nginx),symfony,nginx,https,Symfony,Nginx,Https,在我的app/config/security.yml文件中,我有: access_control: - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https } - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https } 在使用symfony内置服务器的开发中,如果我转到localhost/login,它会将我

在我的app/config/security.yml文件中,我有:

access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
在使用symfony内置服务器的开发中,如果我转到localhost/login,它会将我重定向到https://localhost/login.

但是,在我的生产站点中,转到example.com/login,我只看到登录页面。浏览器指示连接不安全

我的直觉认为这可能与nginx配置文件有关

server {
        listen       80;
        listen       443 ssl;
        server_name  example.com;
        root /var/www/symfony/web;

        client_max_body_size 500M;

        location / {
             # try to serve file directly, fallback to app.php
             index app.php;
             try_files $uri @rewriteapp;
        }

        location @rewriteapp {
             rewrite ^(.*)$ /app.php/$1 last;
        }

        location ~ ^/app\.php(/|$) {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
        }
        error_log /var/log/nginx/adam_error.log;
        access_log /var/log/nginx/adam_access.log;
    }
我或多或少是从中抄袭的

还有几件事需要注意:如果symfony ie在内部将我重定向到登录页面,如果我尝试访问/admin受限路由,或者在不安全连接上登录失败,我确实会被路由到安全页面https://example.com/login url,但显然这还不够好,我不希望任何人进入example.com/login并且没有安全连接

有人能发现哪里出了问题吗?

要在Nginx上强制使用HTTPS,您必须修改Nginx配置文件,如下所示:

server {
    listen 80;

    location /login {
         return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;

    # let the browsers know that we only accept HTTPS
    add_header Strict-Transport-Security max-age=2592000;

    #Put the rest of your config here
}
来源:

要在Nginx上强制使用HTTPS,您必须修改Nginx配置文件,如下所示:

server {
    listen 80;

    location /login {
         return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;

    # let the browsers know that we only accept HTTPS
    add_header Strict-Transport-Security max-age=2592000;

    #Put the rest of your config here
}
资料来源:

好吧,我想出来了。在我的nginx配置中:

fastcgi_param HTTPS on;
是什么导致了这个问题。事实证明,当它设置为on时,如果初始端口为80,它不会强制重定向到https。我猜symfony认为此配置下的端口80是https,当它设置为off时,它会导致无限重定向。nginx将url重定向到端口80,symfony将url重定向到端口443

因此,解决方案是,如果是端口80,则将其关闭,如果是端口443,则将其打开ssl端口

这就是我的nginx.conf现在的样子:

server {
        listen       80;
        listen       443 ssl;
        server_name  example.com;
        root /path/to/symfony_directory/web;

        #if your version of nginx is < 1.11.11, uncomment these next two lines
        #as $https will not be defined.
        #if ($server_port = 443) { set $https on; }
        #if ($server_port = 80) { set $https off; }

        location / {
             # try to serve file directly, fallback to app.php                                        
             # try_files $uri /app.php$is_args$args;                                                  
             index app.php;
             try_files $uri @rewriteapp;
        }

        location @rewriteapp {
             rewrite ^(.*)$ /app.php/$1 last;
        }

        location ~ ^/app\.php(/|$) {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            #NOTE THAT "$https" is defined by nginx to be 
            # "on" if port 443 and off for port 80 (for version > 1.1.11)
            fastcgi_param HTTPS $https; 

        }
    }
好吧,我知道了。在我的nginx配置中:

fastcgi_param HTTPS on;
是什么导致了这个问题。事实证明,当它设置为on时,如果初始端口为80,它不会强制重定向到https。我猜symfony认为此配置下的端口80是https,当它设置为off时,它会导致无限重定向。nginx将url重定向到端口80,symfony将url重定向到端口443

因此,解决方案是,如果是端口80,则将其关闭,如果是端口443,则将其打开ssl端口

这就是我的nginx.conf现在的样子:

server {
        listen       80;
        listen       443 ssl;
        server_name  example.com;
        root /path/to/symfony_directory/web;

        #if your version of nginx is < 1.11.11, uncomment these next two lines
        #as $https will not be defined.
        #if ($server_port = 443) { set $https on; }
        #if ($server_port = 80) { set $https off; }

        location / {
             # try to serve file directly, fallback to app.php                                        
             # try_files $uri /app.php$is_args$args;                                                  
             index app.php;
             try_files $uri @rewriteapp;
        }

        location @rewriteapp {
             rewrite ^(.*)$ /app.php/$1 last;
        }

        location ~ ^/app\.php(/|$) {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            #NOTE THAT "$https" is defined by nginx to be 
            # "on" if port 443 and off for port 80 (for version > 1.1.11)
            fastcgi_param HTTPS $https; 

        }
    }
谢谢,但我不希望整个站点强制使用https连接,我希望https在symfony指定的特定路由/登录下强制使用。谢谢,但我不希望整个站点强制使用https连接,我希望https在symfony指定的特定路由/登录下强制使用。