Symfony: infinite loop when forcing SSL in either the vhost or security.yml/routing.yml

I am using Symfony 2.6 and Nginx 1.4. This question has been asked several times, but none of the answers or solutions provided worked for me.

I want the new Linux Counter project to be completely SSL-only, but whether I set a redirect to port 443 in the nginx vhost file, add requires_channel https to security.yml, or add [https] to routing.yml, everything results in an infinite loop when accessing the page.

Nevertheless, SSL itself works fine. When I remove all redirects from the vhost file as well as the https settings from security.yml and routing.yml, everything works and you can access, for example: without any problems.

This is the vhost file that does not force SSL:
server {
    listen 80;
    server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
    root /srv/www.linuxcounter.net/web;
    client_max_body_size 128M;

    location ~ ^/update\.php(/|$) {
        root /srv/www.linuxcounter.net/web;
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
    }

    location / {
        try_files $uri /app.php$is_args$args;
    }

    location ~* ^/user/([0-9]+)\.html$ {
        root /srv/www.linuxcounter.net/web;
        rewrite /user/([0-9]+)\.html /user/$1 last;
        internal;
    }

    location ~* /(cert|mcert)/[0-9]+\.png$ {
        root /srv/www.linuxcounter.net/web;
        rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
        expires -1;
        add_header Cache-Control private;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
        internal;
    }

    location ~* \.(js|jpg|png|css)$ {
        root /srv/www.linuxcounter.net/web;
        expires 30d;
    }

    error_log /LOGS/www.linuxcounter.net_error_log;
    access_log /LOGS/www.linuxcounter.net_access_log;
}

server {
    listen 443 default;
    server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
    root /srv/www.linuxcounter.net/web;
    client_max_body_size 128M;

    ssl on;
    ssl_certificate /etc/nginx/ssl/2015-04-02-www.linuxcounter.net-cert-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2015-04-02-www.linuxcounter.net.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_prefer_server_ciphers on;

    location ~ ^/update\.php(/|$) {
        root /srv/www.linuxcounter.net/web;
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }

    location / {
        try_files $uri /app.php$is_args$args;
    }

    location ~* /(cert|mcert)/[0-9]+\.png$ {
        root /srv/www.linuxcounter.net/web;
        rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
        expires -1;
        add_header Cache-Control private;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        internal;
    }

    location ~* \.(js|jpg|png|css)$ {
        root /srv/www.linuxcounter.net/web;
        expires 30d;
    }

    error_log /LOGS/www.linuxcounter.net_error_log;
    access_log /LOGS/www.linuxcounter.net_access_log;
}
This is the vhost file that forces SSL:
server {
    listen 80;
    server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
    root /srv/www.linuxcounter.net/web;
    return 301 https://www.linuxcounter.net$request_uri;
}

server {
    listen 443 ssl;
    server_name www.linuxcounter.net api.linuxcounter.net linuxcounter.net;
    root /srv/www.linuxcounter.net/web;
    client_max_body_size 512M;

    # ssl on;
    ssl_certificate /etc/nginx/ssl/2015-04-02-www.linuxcounter.net-cert-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2015-04-02-www.linuxcounter.net.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
    ssl_prefer_server_ciphers on;

    location ~ ^/update\.php(/|$) {
        root /srv/www.linuxcounter.net/web;
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }

    location / {
        try_files $uri /app.php$is_args$args;
    }

    location ~* /(cert|mcert)/[0-9]+\.png$ {
        root /srv/www.linuxcounter.net/web;
        rewrite /(cert|mcert)/[0-9]+\.png /app.php last;
        expires -1;
        add_header Cache-Control private;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass php;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        internal;
    }

    location ~* \.(js|jpg|png|css)$ {
        root /srv/www.linuxcounter.net/web;
        expires 30d;
    }

    error_log /LOGS/www.linuxcounter.net_error_log;
    access_log /LOGS/www.linuxcounter.net_access_log;
}
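As soon as I replace the vhost file with the one that redirects port 80 to SSL, I get nothing but infinite loops on all pages, links and routes.

So when browsing there, /login is reloaded 15 or 20 times with 301 redirects until the infinite-loop error message appears.

But with the first vhost file, the whole site can be used over https:// without problems.

This is my routing.yml: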
syw_front_main:
    resource: "@SywFrontMainBundle/Controller/"
    type: annotation
    prefix: /
    host: %base_host%

fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/all.xml"
    host: %base_host%

easy_admin_bundle:
    resource: "@EasyAdminBundle/Controller/"
    type: annotation
    prefix: /admin
    host: %base_host%

shtumi_useful:
    resource: '@ShtumiUsefulBundle/Resources/config/routing.xml'
    host: %base_host%

blade_tester_light_news_bundle:
    resource: "@BladeTesterLightNewsBundle/Resources/config/routing.yml"
    prefix: /news
    host: %base_host%

syw_front_api:
    resource: "@SywFrontApiBundle/Controller/"
    type: annotation
    prefix: /
    host: %api_host%
This is my security.yml:
# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # in_memory:
        #     memory:
        #         users:
        #             user: { password: userpass, roles: [ 'ROLE_USER' ] }
        #             admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
            form_login:
                # login success redirecting options (read further below)
                always_use_default_target_path: false
                default_target_path: fos_user_profile_show
                use_referer: true

        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
            form_login:
                # login success redirecting options (read further below)
                always_use_default_target_path: false
                default_target_path: fos_user_profile_show
                use_referer: true

    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/cookbook/security/access_control.html
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /admin, role: ROLE_ADMIN }
To me, everything looks fine.

But I can't get it to work.

So, what I want is:
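If someone visits http://*linuxcounter.net, they should be redirected via 301 to https://*linuxcounter.net

OK... after several hours of trying and testing, I have now found a solution that is not ideal, but it works. I now simply perform the redirect at the top of Symfony's /app.php: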
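// Redirect to HTTPS when the X-Forwarded-Proto request header says the client used plain HTTP.
// isset() avoids an "undefined index" notice when the header is absent.
if (isset($_SERVER["HTTP_X_FORWARDED_PROTO"]) && $_SERVER["HTTP_X_FORWARDED_PROTO"] == "http") {
    $redir = "Location: https://www.linuxcounter.net" . $_SERVER["REQUEST_URI"];
    header($redir);
    exit();
}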
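This works and does not produce any infinite loops.

Why not use Symfony the way it is meant to be used?

I use this setup in many projects. Right now I'm not 100% sure whether the redirect works without any other settings, but if it doesn't, I can look it up tomorrow. I think it should work, give it a try.

OK... I have now tested the actual vhost file on another subdomain that has only a simple index.php containing a simple echo. That works like a charm... So the problem must be somewhere in Symfony...

Now I have tried it locally with a self-signed certificate and the Linux Counter Symfony application. Since everything is in git and deployed automatically, the source code is identical. Locally, everything works like a charm... The redirect when accessing http://... works, and only once, and then I can browse the pages on https://... as it should be... without any problems. Then I pushed this configuration to the live server, activated the same vhost file and restarted the server... and... infinite loop... I give up... because it seems nobody wants to or can help me... I'm lost...

I had already tried that at the beginning, without success. Anyway, the way I do it now works like a charm, and that is what matters most to me.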
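The check from the app.php workaround above, as an added example that is not part of the original post or its comments: it assumes the live server sits behind a TLS-terminating proxy (suggested by the X-Forwarded-Proto header the workaround reads) and honours that header only when the request comes from a listed proxy address. `TRUSTED_PROXIES`, `CANONICAL_HOST` and both function names are hypothetical, and the IP addresses are constructed placeholders.

```php
<?php
// Added example (PHP 7.1+), not code from the original post.
// Assumption: a TLS-terminating proxy forwards requests to nginx on port 80,
// so PHP always sees HTTPS=off and only X-Forwarded-Proto reveals the
// scheme the client actually used.

// Hypothetical values: replace with the addresses of your own proxies.
const TRUSTED_PROXIES = ['192.0.2.10'];
const CANONICAL_HOST  = 'www.linuxcounter.net';

/**
 * Decide whether the client reached the site over HTTPS.
 */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    // Direct TLS connection: the 443 vhost passes "fastcgi_param HTTPS on".
    if (isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on') {
        return true;
    }
    // The header is client-controlled unless the request came from our proxy.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return false;
    }
    // Proxies may send a comma-separated list; the first entry is the client hop.
    $proto = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
    return strtolower(trim($proto)) === 'https';
}

/**
 * Return the https:// URL to redirect to, or null when no redirect is needed.
 */
function httpsRedirectTarget(array $server, array $trustedProxies): ?string
{
    if (requestIsHttps($server, $trustedProxies)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Only origin-form targets ("/path?query") are appended to the fixed host.
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

// In app.php (web SAPI) the function would be used like this:
//   $target = httpsRedirectTarget($_SERVER, TRUSTED_PROXIES);
//   if ($target !== null) { header('Location: ' . $target, true, 301); exit; }

// Constructed sample requests, for running this file from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'via proxy, client used http' => [
            'REMOTE_ADDR' => '192.0.2.10', 'HTTPS' => 'off',
            'HTTP_X_FORWARDED_PROTO' => 'http', 'REQUEST_URI' => '/login',
        ],
        'via proxy, client used https' => [
            'REMOTE_ADDR' => '192.0.2.10', 'HTTPS' => 'off',
            'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/login',
        ],
        'direct client, spoofed header' => [
            'REMOTE_ADDR' => '203.0.113.5', 'HTTPS' => 'off',
            'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/admin',
        ],
        'direct TLS on the 443 vhost' => [
            'REMOTE_ADDR' => '203.0.113.5', 'HTTPS' => 'on',
            'REQUEST_URI' => '/login',
        ],
    ];
    foreach ($samples as $label => $server) {
        $target = httpsRedirectTarget($server, TRUSTED_PROXIES);
        echo str_pad($label, 32), ' => ', $target ?? 'no redirect', PHP_EOL;
    }
}
```

Symfony's own mechanism for the same decision is its trusted-proxies setting (`Request::setTrustedProxies()`), which lets `requires_channel` see the forwarded scheme instead of the `HTTPS off` value passed by the port-80 vhost.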