Answer the question
In order to leave comments, you need to log in
B
B
BanterFace2018-06-01 21:09:41
BanterFace, 2018-06-01 21:09:41
How to understand how to redirect a site from http to https?
Initial data: ubuntu 14.04; strange bunch of apache and nginx, not supplied by me; Vesta; hosted by all this phpBB 3.2; a stubborn newbie with no money for a freelancer to fix it all (=me).
Background: ssl certificate was supplied with acmetool, webroot. Before that, more traditional and popular programs (certbot, letsencrypt) did not work because they could not find the file in well-known, although it was opened from the browser.
Problem 1: when loading a site via https, a "mixed content" error appears, i.e. some files are loaded via http (because of their paths).
Problem 2: unknown mechanism for redirecting from http to https: after reviewing the configs of nginx and apache (and disabling code snippets for testing hypotheses) (both are attached below), I did not find at least something that affects the redirect. .htaccess also does not contain anything influencing.
Issue 3: When opening files that were loaded via http at their http address in the browser, we are redirected to https.
The solution I'm hoping for is to find a redirect that works now, turn it off, use something traditional like an .htaccess entry.
Opening up:
nginx.conf
И я бы подумал на HSTS, но он подключается УЖЕ на 443, т.е. это не может быть переадресацией.
На всякий случай отключал весь блок с ssl, на переадресацию не повлияло. Я не понимаю, зачем нужен прокси в апач, но если удалить блок с ним, то файлы загружаются вместо того чтобы отобразиться в браузере. Даже .php, хотя его в списке расширений нет.
# Server globals
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 256m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
#access_log /var/log/nginx/access.log main;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
# Cloudflare https://www.cloudflare.com/ips
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
#set_real_ip_from 2400:cb00::/32;
#set_real_ip_from 2606:4700::/32;
#set_real_ip_from 2803:f800::/32;
#set_real_ip_from 2405:b500::/32;
#set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
resolver 8.8.8.8;
# ssl_ciphers "не важно";
# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;
# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;
# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# File cache settings
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
server {
listen 443 ssl;
server_name calmsector.ru;
root /home/admin/web/calmsector.ru/public_html/;
index index.php index.html index.htm;
keepalive_timeout 60;
ssl_certificate /var/lib/acme/live/calmsector.ru/cert;
ssl_certificate_key /var/lib/acme/live/calmsector.ru/privkey;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "не важно";
add_header Strict-Transport-Security 'max-age=604800';
error_log /var/log/apache2/domains/calmsector.ru.error.log error;
location /.well-known/acme-challenge/ {
alias /var/run/acme/acme-challenge/;
}
location / {
proxy_pass http://185.161.210.160:8080;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
root /home/admin/web/calmsector.ru/public_html;
access_log /var/log/apache2/domains/calmsector.ru.log combined;
access_log /var/log/apache2/domains/calmsector.ru.bytes bytes;
expires max;
}
}
location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
}
}И я бы подумал на HSTS, но он подключается УЖЕ на 443, т.е. это не может быть переадресацией.
На всякий случай отключал весь блок с ssl, на переадресацию не повлияло. Я не понимаю, зачем нужен прокси в апач, но если удалить блок с ним, то файлы загружаются вместо того чтобы отобразиться в браузере. Даже .php, хотя его в списке расширений нет.
ip.conf
Опять прокси на апач...
server {
listen 185.161.210.160:80 default;
server_name _;
#access_log /var/log/nginx/185.161.210.160.log main;
location / {
proxy_pass http://185.161.210.160:8080;
}
}Опять прокси на апач...
apache2.conf
Почти полностью состоит из комментариев, ни намёка на переадресацию.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf.d
# | `-- *
# Global configuration
PidFile ${APACHE_PID_FILE}
Timeout 30
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 200
MaxRequestsPerChild 4000
</IfModule>
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#User www-data
#Group www-data
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>
DefaultType None
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%b" bytes
Include conf.d/
# Include the virtual host configurations:
#Include sites-enabled/Почти полностью состоит из комментариев, ни намёка на переадресацию.
Question: what could be the problem \ where else to dig \ what other backend-managed redirect methods can be used?
2 answer(s)
@martin74ua
@fzfx
R
Ruslan Fedoseev, 2018-06-02 @martin74ua
Include conf.d/
in apache config - includes your website config. Take a look at this directory.
Apache is used as an executor for php. Nginx does not know how to execute php at all, this is done either by redirecting to Apache, or to php-fpm
V
vreitech, 2018-06-01 @fzfx
open your site's home page in your browser's page source viewer. from about the middle of the site, the links look like:
this is the reason why the site has mixed content. replace all such links somewhere in the bowels of the admin panel of your site with href="viewtopic.php?p=299745#p299745"and you will be happy.
Similar questions
D
A
P
H
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question