Why does my site not work when caching the js format?

A

Anatoly2019-01-29 01:17:41

Fonts

Anatoly, 2019-01-29 01:17:41

Why, when I add js format caching to the configuration, phpmyadmin stops opening for me, although the main site opens.
Site call: https://mysite.com (substitute fake domain)
phpMyAdmin call: https://mysite.com/phpmyadmin
Nginx configuration part:

here

location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
}

location ~ \.php$ {
        try_files $uri =444;
        fastcgi_pass backend7;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include fastcgi_params;
}

location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        rewrite /.well-know/acme-challenge/(.*) /$1 break;
        allow all;
        root /var/www;
}


location = /.well-known/acme-challenge/ {
    return 404;
}


location ~* \.(eot|otf|ttf|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
}


location ~* ^.+.(webp|gif|jpeg|jpg|png|tif|tiff|ico|rar|zip|cur)$ {
        expires 30d;
        access_log off;
        log_not_found off;
}

location ~* ^.+.(css|svg|txt|doc|pdf|rtf|xls|ppt|js)$ {
        expires 1d;
        access_log   off;
        log_not_found    off;
        gzip_static on;
        add_header Cache-Control private;
        add_header Vary Accept-Encoding;
}

location /phpmyadmin/ {
        alias /var/www/phpmyadmin/;
        location ~ \.php$ {
                fastcgi_pass backend7;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_ignore_client_abort off;
        }
}

rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite /phpmyadmin$ $scheme://$host$uri/ permanent;

js is in the line:

location ~* ^.+.(css|svg|txt|doc|pdf|rtf|xls|ppt|js)$ {

If you remove it, then everything works, the question is why?
And why is this problem only with phpMyAdmin?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

S

stratagema, 2016-06-10
@stratagema

искать у Паратайпа :-)
и потом еще извращаться с бОльшим наклоном

A

Anatoly, 2019-02-07
@Tolly

1. When enabled in nginx:
in the chrome console, when I start phpmyadmin I get:
As you can see, the protection was applied twice, i.e. this phpMyAdmin protection is already built in, we check (the domain was replaced with a fake one):
a) Site mysite.com

HTTP/2 200
server: nginx
date: Thu, 07 Feb 2019 15:36:15 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
link: <https://mysite.com/wp-json/>; rel="https://api.w.org/"
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-cache
strict-transport-security: max-age=63072000
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block;

b) mysite.com/phpmyadmin/index.php

HTTP/2 200
server: nginx
date: Thu, 07 Feb 2019 15:38:07 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
set-cookie: pma_lang=en; expires=Sat, 09-Mar-2019 15:38:07 GMT; Max-Age=2592000; path=/phpmyadmin/; secure; HttpOnly
set-cookie: phpMyAdmin=bt28h1km40qsqau05np1a2qt6k; path=/phpmyadmin/; secure; HttpOnly
x-ob_mode: 1
x-frame-options: DENY
referrer-policy: no-referrer
content-security-policy: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' data:  *.tile.openstreetmap.org;object-src 'none';
x-content-security-policy: default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data:  *.tile.openstreetmap.org;object-src 'none';
x-webkit-csp: default-src 'self' ;script-src 'self'  'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data:  *.tile.openstreetmap.org;object-src 'none';
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-cache
pragma: no-cache
last-modified: Thu, 07 Feb 2019 15:38:07 +0000
vary: Accept-Encoding
strict-transport-security: max-age=63072000
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block;

we see that the line x-xss-protection: 1; mode=block is used twice, hence the error
Solution: phpmyadmin/libraries/classes/Header.php delete lines 599-601.
2) After changing phpmyadmin settings:

location ^~ /phpmyadmin {
        alias /var/www/phpmyadmin/;
        location ~ \.php$ {
                fastcgi_pass backend7;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_ignore_client_abort off;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
                access_log off;
                log_not_found off;
                expires 1M;
        }
}

phpMyAdmin loads normally, despite the fact that the settings at the level above have not changed, but now it doesn’t matter to js, everything works

K

ky0, 2019-01-29
@ky0

Too lazy to explore, just point to the sky - maybe PMA slips something new in the js-file every time, changes some IDs and does not let them go with the old ones?