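WordPress behind an nginx proxy generates incorrect links (deploying WordPress with nginx)
How to fix WordPress behind an nginx proxy generating incorrect links
I have a WordPress Docker container that is used behind an nginx proxy Docker container. I have these settings in wp-config.php:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
And these settings:
define('WP_HOME','https://wp.Nginx/');
define('WP_SITEURL','https://wp.Nginx/');
In the Nginx proxy configuration file, I added these settings to the location section: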
location / {
proxy_pass http://wordpress;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
}
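Unfortunately, the site assets do not load, and neither do the admin panel assets. Although the protocol is correct (https), the asset links use the internal WordPress Docker IP address (172.18.0.2). Here is a picture of the network requests
I would be very glad if someone could help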
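12.13 Nginx hotlink protection, 12.14 Nginx access control, 12.15 Nginx PHP parsing configuration, 12.16 Nginx proxy
12.13 Nginx hotlink protection
Because this configuration also uses a location block, it can be configured together with the log-management settings (no logging and expiry time):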
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
# define the referer whitelist
if ($invalid_referer) {
return 403;
# the if block means: if the referer is not a whitelisted domain, return 403
}
access_log off;
}
Note: in "location ~* ^.+", the "*" makes the match that follows case-insensitive.
Checking and testing
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# ls /data/wwwroot/test.com/
1.gif 2.js admin index.html
[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:54:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
[root@cham002 ~]# curl -e "http://www.test.com/1.txt" -x127.0.0.1:80 -I test.com/1.gif
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 03 Jan 2018 13:55:14 GMT
Content-Type: image/gif
Content-Length: 32
Last-Modified: Wed, 03 Jan 2018 13:34:18 GMT
Connection: keep-alive
ETag: "5a4cdbda-20"
Expires: Wed, 10 Jan 2018 13:55:14 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes
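That is, a request made with a referer that is not on the whitelist is rejected.
12.14 Nginx access control
Requirement: requests to the /admin/ directory are allowed only from a few specified IPs. The configuration is as follows: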
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 127.0.0.1;
allow 192.168.230.135;
deny all;
# set the IP whitelist
}
access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
Test (directory-based)
[root@cham002 ~]# curl -e "http://www.baidu.com/1.txt" -x127.0.0.1:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 07:59:16 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:00 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# curl -x192.168.230.135:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:14 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@cham002 ~]# curl -x192.168.230.150:80 -I test.com/admin/
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:01:37 GMT
Content-Type: text/html
Content-Length: 20
Last-Modified: Wed, 03 Jan 2018 08:50:53 GMT
Connection: keep-alive
ETag: "5a4c996d-14"
Accept-Ranges: bytes
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
[root@cham002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.230.135 netmask 255.255.255.0 broadcast 192.168.230.255
inet6 fe80::6f15:52d3:ebeb:e193 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b6:9f:e3 txqueuelen 1000 (Ethernet)
RX packets 96831 bytes 41894507 (39.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60974 bytes 20136998 (19.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.230.150 netmask 255.255.255.0 broadcast 192.168.230.255
ether 00:0c:29:b6:9f:e3 txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::1801:cbbb:ebcc:89a3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b6:9f:ed txqueuelen 1000 (Ethernet)
RX packets 3 bytes 746 (746.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 81 bytes 6462 (6.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 1363 bytes 1359483 (1.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1363 bytes 1359483 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@cham002 ~]# curl -x192.168.100.1:80 test.com/admin/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
Access control (regex matching)
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 127.0.0.1;
allow 192.168.230.135;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# mkdir /data/wwwroot/test.com/upload
[root@cham002 ~]# echo "11111" > /data/wwwroot/test.com/upload/1.php
Test
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt
11111
Check the log
[root@cham002 ~]# cat /tmp/test.com.log
127.0.0.1 - [03/Jan/2018:21:35:36 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:15:59:16 +0800] test.com "/admin/" 200 "http://www.baidu.com/1.txt" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:14 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"
192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:15:46 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [04/Jan/2018:16:16:46 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"
Restricting by user_agent
server
{
listen 80;
server_name test.com test2.com test3.com;
index index.html index.htm index.php;
root /data/wwwroot/test.com;
if ($host != 'test.com' ) {
rewrite ^/(.*)$ http://test.com/$1 permanent;
}
# location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
# {
# expires 7d;
# access_log off;
# }
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.test.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
location ~ .*\.(js|css)$
{
expires 12h;
access_log off;
}
location /admin/
{
allow 127.0.0.1;
allow 192.168.230.135;
deny all;
}
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
access_log /tmp/test.com.log cham;
}
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# curl -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:22:45 GMT
Content-Type: text/plain
Content-Length: 6
Last-Modified: Thu, 04 Jan 2018 08:16:39 GMT
Connection: keep-alive
ETag: "5a4de2e7-6"
Accept-Ranges: bytes
[root@cham002 ~]# curl -A "Tomatodsfsdf" -x127.0.0.1:80 test.com/upload/1.txt -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 08:23:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Note: deny all and return 403 have the same effect
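Added example (not part of the original tutorial): a log triage sketch for the three access-control rules configured above. It parses lines in the layout seen in /tmp/test.com.log and attributes each 403 to the rule that most likely produced it; the field order is inferred from the log output above because the "cham" log_format definition is not shown on this page, and the function names are hypothetical. The first four sample lines are copied from the log output above, the rest are constructed.

```python
import re
from collections import Counter

# Field order inferred from the log output above (assumption: the "cham"
# log_format definition itself is not shown on this page).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mirrors of the rules in test.com.conf, so triage and config stay in step.
BLOCKED_UA_RE = re.compile(r'Spider/3.0|YoudaoBot|Tomato')  # if ($http_user_agent ~ ...)
UPLOAD_PHP_RE = re.compile(r'.*(upload|image)/.*\.php$')    # location ~ ... { deny all; }
ADMIN_PREFIX = '/admin/'                                    # location /admin/
ADMIN_ALLOWED = {'127.0.0.1', '192.168.230.135'}            # allow ...; deny all;

SAMPLE_LOG = [
    # copied from the tutorial's log output
    '192.168.230.135 - [04/Jan/2018:16:01:37 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"',
    '192.168.100.1 - [04/Jan/2018:16:05:14 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"',
    '127.0.0.1 - [04/Jan/2018:16:15:46 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"',
    '127.0.0.1 - [04/Jan/2018:16:16:46 +0800] test.com "/upload/1.txt" 200 "-" "curl/7.29.0"',
    # constructed: the user_agent test, as it would be logged
    '127.0.0.1 - [04/Jan/2018:16:23:37 +0800] test.com "/upload/1.txt" 403 "-" "Tomatodsfsdf"',
    # constructed: /admin/ served to an address outside the allow-list
    '192.168.100.1 - [04/Jan/2018:16:30:00 +0800] test.com "/admin/" 200 "-" "curl/7.29.0"',
    # constructed: truncated line (closing quote missing)
    '192.168.100.1 - [04/Jan/2018:16:31:00 +0800] test.com "/admin/" 403 "-" "curl/7.29.0',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def classify_403(rec):
    """Name the rule that most likely produced a 403, in nginx's order:
    server-level `if` first, then the regex location, then the prefix location."""
    if rec['status'] != 403:
        return None
    if BLOCKED_UA_RE.search(rec['ua']):
        return 'user_agent'
    if UPLOAD_PHP_RE.search(rec['uri']):
        return 'upload_php'
    if rec['uri'].startswith(ADMIN_PREFIX) and rec['ip'] not in ADMIN_ALLOWED:
        return 'admin_allowlist'
    return 'other'


def triage(lines):
    """Count denials per (client, rule) and collect 2xx responses that the
    rules should have denied (a sign the running config has drifted)."""
    denied, violations, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        rule = classify_403(rec)
        if rule is not None:
            denied[(rec['ip'], rule)] += 1
        elif 200 <= rec['status'] < 300:
            admin_leak = (rec['uri'].startswith(ADMIN_PREFIX)
                          and rec['ip'] not in ADMIN_ALLOWED)
            if admin_leak or UPLOAD_PHP_RE.search(rec['uri']):
                violations.append(rec)
    return denied, violations, unparsed


if __name__ == '__main__':
    denied, violations, unparsed = triage(SAMPLE_LOG)
    for (ip, rule), count in sorted(denied.items()):
        print(f'{ip:16} {rule:16} {count}')
    for rec in violations:
        print('served despite deny rule:', rec['ip'], rec['uri'], rec['status'])
    print('unparsed lines:', unparsed)
```

The hotlink location sets access_log off, so referer denials never reach this log and are not covered here.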
12.15 Nginx PHP parsing configuration
Core configuration:
[root@cham002 ~]# vim /usr/local/nginx/conf/vhost/test.com.conf
location ~ \.php$
{
include fastcgi_params;
#fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;
## fastcgi_pass supports two listen formats, but the format must be the same in Nginx and php-fpm
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
[root@cham002 ~]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
#listen = /tmp/php-fcgi.sock
listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@cham002 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@cham002 ~]# curl -x 127.0.0.1:80 test.com/3.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Thu, 04 Jan 2018 10:44:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30
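Note: two points matter here. fastcgi_pass has two formats, but whichever one is used, Nginx and php-fpm must use the same format, otherwise a 502 error is returned; and the path on the fastcgi_param SCRIPT_FILENAME line must match the root path!
12.16 Nginx proxy
An Nginx proxy is a reverse proxy. In reverse proxy mode, the proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client on the Internet that requested the connection; to the outside, the proxy server then appears as a server.
How it works
An Nginx proxy defines a domain name on a proxy server, and that domain points to an IP; user requests then pass through this proxy server to reach the web server behind the specified IP.
graph LR
User-->ProxyServer
ProxyServer-->User
ProxyServer-->WebServer
WebServer-->ProxyServer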
[root@cham002 ~]# cd /usr/local/nginx/conf/vhost
[root@cham002 vhost]# vim proxy.conf
server
{
listen 80;
server_name ask.apelearn.com;
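# define the domain name (usually the same as the domain of the proxied IP)
location /
{
proxy_pass http://121.201.9.155/;
# the proxied (target) IP, i.e. the web server's IP
proxy_set_header Host $host;
# $host is the proxy server's server_name (also the domain of the proxied IP)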
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
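Note: because this virtual host is used only as a proxy server and does not need to access local files, no root directory needs to be set.
Before the proxy is configured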
[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>
[root@cham002 vhost]#
[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@cham002 vhost]# /usr/local/nginx/sbin/nginx -s reload
After the proxy is configured
[root@cham002 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#
User-agent: *
Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/[root@cham002 vhost]#
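Added example (not part of the original tutorial): proxy.conf above passes the client address upstream in X-Real-IP and X-Forwarded-For, and `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever X-Forwarded-For value the client already sent. The sketch below shows how a backend can recover the client address by reading that header from the right and stopping at the first hop that is not a trusted proxy; the same trust check applies to the X-Forwarded-Proto test in the wp-config.php snippet earlier on this page. The trusted network list and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption (constructed values): the proxies this backend trusts.
# 192.168.230.135 is the tutorial's proxy host; 172.18.0.0/16 stands in
# for a Docker network such as the one in the WordPress question.
TRUSTED_PROXIES = [
    ipaddress.ip_network('192.168.230.135/32'),
    ipaddress.ip_network('172.18.0.0/16'),
]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value nginx sends upstream for $proxy_add_x_forwarded_for: the
    client's own header (if any) with $remote_addr appended."""
    return f'{incoming_xff}, {remote_addr}' if incoming_xff else remote_addr


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the nearest hop that is not a trusted proxy.

    Entries to the left of that hop were supplied by the client and prove
    nothing, so the header is read right to left and never left to right.
    """
    if not _is_trusted(peer_addr, trusted):
        return peer_addr          # direct connection: ignore the header
    nearest = peer_addr
    hops = [h.strip() for h in (xff_header or '').split(',') if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                 # malformed entry: stop at the last verified hop
        if not _is_trusted(hop, trusted):
            return hop
        nearest = hop
    return nearest


def effective_scheme(peer_addr, xfp_header, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-Proto only when the TCP peer is a trusted proxy.
    Assumes the proxy-to-backend hop is plain HTTP, as with proxy_pass http://."""
    if _is_trusted(peer_addr, trusted) and (xfp_header or '').strip().lower() == 'https':
        return 'https'
    return 'http'


if __name__ == '__main__':
    # Constructed request: a client at 203.0.113.7 sends its own
    # "X-Forwarded-For: 127.0.0.1"; the proxy appends the real peer address.
    header = proxy_add_x_forwarded_for('127.0.0.1', '203.0.113.7')
    print('header seen by backend:', header)
    print('leftmost entry        :', header.split(',')[0].strip())
    print('right-to-left result  :', client_ip('192.168.230.135', header))
    print('scheme via proxy      :', effective_scheme('192.168.230.135', 'https'))
    print('scheme, direct client :', effective_scheme('203.0.113.7', 'https'))
```

nginx's own allow/deny rules, as used for /admin/ in 12.14, compare against the TCP peer address, so on a backend behind this proxy they see the proxy's address and not the client's.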
June 11 task: Nginx hotlink protection, Nginx access control, Nginx PHP parsing configuration, Nginx proxy
12.13 Nginx hotlink protection
Edit the configuration file
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
expires 7d;
valid_referers none blocked server_names *.abc.com ;
if ($invalid_referer) {
return 403;
}
access_log off;
}
Test:
curl -e "http://www.abc.com/" -x127.0.0.1:80 -I abc.com/1.jpg
12.14 Nginx access control
Edit the configuration file
# match by directory
location /
{
allow 127.0.0.1;
deny all;
}
# regular expressions can be matched as well
location ~ .*(upload|image)/.*\.php$
{
deny all;
}
# restrict by user_agent; adding * after the match operator ignores case
if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')
{
return 403;
}
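deny all and return 403 have the same effect
12.15 Nginx PHP parsing configuration
location ~ \.php$
{
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
The fastcgi_pass parameter must match what is configured (socket or IP); otherwise a 502 error results.
listen.mode = 666: when listening on a socket without defining mode, the socket file's permissions are 440.
12.16 Nginx proxy
1. Create a new configuration file proxy.conf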
server
{
listen 80;
server_name 111.com; # local domain name
location /
{
proxy_pass http://106.39.167.118:80/; # target server
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
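Gitlab-runner interactive web terminal behind an Apache proxy
How to solve: Gitlab-runner interactive web terminal behind an Apache proxy
Summary
I am currently trying to set up the nice web terminal feature on my self-hosted Gitlab instance, but I cannot get it to run properly. Debugging it is also a rather difficult task.
Environment description / steps to reproduce
Gitlab version: GitLab Community Edition 13.9.0
The Gitlab runner is on the same machine as Gitlab: it runs in a docker container with several runners configured. Output of docker ps (port 8093 is forwarded correctly):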
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
CONTAINERID gitlab/gitlab-runner:latest "/usr/bin/dumb-init …" 15 hours ago Up 12 hours 0.0.0.0:8093->8093/tcp gitlab-runner2
config.toml is located at /srv/gitlab-runner/config/config.toml; I added the following configuration (from the gitlab docs):
[session_server]
listen_address = "[::]:8093"
advertise_address = "localhost:8093"
session_timeout = 1800
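The official documentation states that advertise_address is not required and that it falls back to listen_address. Nevertheless, I have read several questions on this topic here saying that this needs to be the external IP/hostname at which the runner can be reached. In my case they do not need any external IP, because they run on the same machine. Nevertheless, I also tried it with my static server IP and with the domain of my self-hosted gitlab, without success.
Gitlab runs behind an Apache proxy. The Gitlab docs do not provide much information on how to configure a proxy for the interactive terminal.
My current Apache config for gitlab looks like this (gitlab runs on port 7777):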
<VirtualHost *:443>
ServerName git.example.com
ProxyPreserveHost On
ProxyRequests Off
RewriteEngine on
SSLProxyEngine On
AllowEncodedSlashes NoDecode
<Location />
ProxyPass http://localhost:7777/ nocanon
ProxyPassReverse https://git.example.com/
ProxyPassReverse http://localhost:7777/
Require all granted
</Location>
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule .* "wss:/localhost:7777/$1" [P,L]
ProxyPass "*/terminal.ws" "wss://localhost:7777/"
<Location */terminal.ws>
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://localhost:7777/$1" [P,L]
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName pages.example.com
ServerAlias *.pages.example.com
ProxyPreserveHost On
ProxyPass "/" "http://127.0.0.1:8090/"
ProxyPassReverse "/" "http://127.0.0.1:8090/"
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8090%{REQUEST_URI} [P,QSA]
</VirtualHost>
Here are my relevant changes in the gitlab.rb file:
nginx['listen_addresses'] = ['0.0.0.0',"[::]"]
nginx['listen_port'] = 7777
nginx['listen_https'] = false
puma['port'] = 8081
external_url 'https://git.example.com'
pages_external_url "http://pages.example.com/"
gitlab_pages['enable'] = true
gitlab_pages['listen_proxy'] = "localhost:8090"
gitlab_pages['redirect_http'] = false
pages_nginx['enable'] = false
I also tried adding this to gitlab.rb, but I think this is the default configuration:
nginx['proxy_set_headers'] = {
  "Host" => "$http_host_with_default",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
  "Upgrade" => "$http_upgrade",
  "Connection" => "$connection_upgrade"
}
This is the .gitlab/.gitlab-webide.yml of the project I want to use:
terminal:
  image:
    name: python:latest
  script: sleep 60
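I also tried disabling the firewall (ufw) and allowing connections on port 8093, without success.
Actual behavior
Gitlab Pages works fine, and the configured runners work fine in pipelines. However, when I click the "Debug" option of a running job or of the web terminal, I get a connection error:
terminal.js:47 WebSocket connection to 'wss://git.example.com/user/project/-/jobs/JOB_ID/terminal.ws' Failed: Error during WebSocket handshake: Unexpected response code: 404
But the web terminal's job is actually running (the sleep 60 line runs, and after that the pipeline succeeds). I can view the job log at https://git.example.com/user/project/-/jobs/JOB_ID.
After searching a lot, I now do not know how to continue, especially because I have no good debugging strategy.
Edit
I tried connecting to the server with websocat wss://0.0.0.0:8094, which returns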
websocat: WebSocket SSL error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify Failed:../ssl/statem/statem_clnt.c:1915: (self signed certificate)
websocat: error running
When I use websocat -t - ws-c:sh-c:'socat - ssl:0.0.0.0:8093,verify=0' --ws-c-uri=wss://echo.websocket.org to ignore the self-signed certificate (a workaround for websocat), it returns the same error as in the WebIDE:
websocat: WebSocketError: Received unexpected status code (404 Not Found)
websocat: error running
The gitlab-runner logs indicate that the server is listening, so I wonder why I get a 404 response when trying to connect. docker logs gitlab-runner returns:
All workers stopped. Can exit Now builds=0
Runtime platform arch=amd64 os=linux pid=6 revision=775dd39d version=13.8.0
Starting multi-runner from /etc/gitlab-runner/config.toml... builds=0
Running in system-mode.
Configuration loaded builds=0
listen_address not defined,metrics & debug endpoints disabled builds=0
Session server listening address=[::]:8093 builds=0
The request headers of terminal.ws look like this:
Accept-Encoding: gzip,deflate,br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: Upgrade
Cookie: event_filter=all; sidebar_collapsed=false; diff_whitespace=0; collapsed_gutter=true; hide_auto_devops_implicitly_enabled_banner_10=false; hide_auto_devops_implicitly_enabled_banner_28=false; diff_view=inline; hide_auto_devops_implicitly_enabled_banner_9=false; pipeline_schedules_callout_dismissed=true; _ga=*; _fbp=*; _gid=*; __stripe_mid=*; kNown_sign_in=*; _gitlab_session=*
Host: git.example.com
Origin: https://git.example.com
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: *
Sec-WebSocket-Protocol: terminal.gitlab.com
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/88.0.4324.150 Safari/537.36 OPR/74.0.3911.107
Expected behavior
The terminal should be visible in the browser, or in any output in any log file.
Used GitLab Runner version
Version: 13.8.0
Git revision: 775dd39d
Git branch: 13-8-stable
GO version: go1.13.8
Built: 2021-01-20T13:32:47+0000
OS/Arch: linux/amd64
Related topics:
- This issue
- Web terminals / session server on gitlab.com with self-hosted runner on gke
- Gitlab-runner Interactive Web Terminals not connected
- gitlab-org/gitlab-runner#3884
- gitlab-org/gitlab-runner#3713
- gitlab-org/gitlab#202213
Symfony 5.3 behind an Apache2 proxy behaves unexpectedly: incorrect URL in the browser with ProxyPass/ProxyPassReverse
How to solve: Symfony 5.3 behind an Apache2 proxy behaves unexpectedly, incorrect URL in the browser with ProxyPass/ProxyPassReverse
I want to run a Symfony 5.3 application behind an Apache reverse proxy, but it does not work as expected.
I have many web projects on Apache servers behind an Apache reverse proxy without any problems, but this one has me beaten :-/
Scenario:
Setup | Browser | Proxy server | App server |
---|---|---|---|
Setup: | http://host/app1/login | ProxyPass /app1/ http://192.168.1.1/ ProxyPassReverse /app1/ http://192.168.1.1/ | http://192.168.1.1/login |
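What I want the setup to do:
Flow | Browser | Proxy server | App server |
---|---|---|---|
Browser > Proxy > App server | Browser requests the URL (e.g. posting credentials) /app1/login | Proxy maps the request to the app's /login | Server performs the action in the /login controller (and redirects to /success, see below) |
Flow | App server | Proxy server | Browser |
---|---|---|---|
App server > Proxy > Browser | App server sends a redirect to /success | Proxy maps the response to /app1/success | Receives a redirect pointing to /app1/success |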
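What happens in real life:
Flow | Browser | Proxy server | App server |
---|---|---|---|
Browser > Proxy > App server | Browser requests the URL (e.g. posting credentials) /app1/login | Proxy maps the request to the app's /login | Server performs the action in the /login controller (and redirects to /success, see below) |
Flow | App server | Proxy server | Browser |
---|---|---|---|
App server > Proxy > Browser | App server sends a redirect to /success | ### ERROR ### ### ERROR ### ### ERROR ### The proxy somehow does not rewrite to /app1/success but rewrites to /success instead | Receives a redirect pointing to /success, calls http://host/success and ends up at a 404 (or something worse) |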
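What I want
Browser: Hey, I am posting credentials to /app1/login
Proxy: Uh, wait a moment.. that must be /login - otherwise the server won't know
Server: Yo, /login looks good, go to /success, oh, and load /this/css.file
Proxy: Err, wait a moment.. that must be /app1/success and /app1/this/css.file - otherwise the browser will be confused
Browser: Yes, I cannot get into /app1/success
Browser: Wow, what a nice design in /app1/this/css.file
Everybody is happy!
To make things worse
- I only have power over the network/servers, not over the Symfony application itself
- So I cannot change the application code/configuration itself, I just have to "host" the thing
I have read (literally) hundreds of Stack posts about this/similar problems.
I have read "all" the documentation on Apache, ModProxy and Symfony, and spent days on Google.
I am now running low on hope, and my brain hurts.
Questions
- What additional information do you need to solve my problem
- What on earth (probably obvious and hidden in plain sight) is the configuration I am missing?
- Even if the solution would be inside the Symfony application and the maintainer has to fix it (
Additional information
Server installation: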
- Ubuntu 20.04
- Apache 2.4
- PHP 7.4 (FPM)
Server/app configuration:
- vHost proxy server (relevant part)
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
ProxyTimeout 1200
ProxyReceiveBufferSize 4096
<VirtualHost *:80>
ProxyPass /app1/ http://192.168.1.1/
ProxyPassReverse /app1/ http://192.168.1.1/
</VirtualHost>
- vHost app server (relevant part)
<VirtualHost *:80>
DocumentRoot /var/www/public
<Directory /var/www/public>
AllowOverride All
</Directory>
</VirtualHost>
- htaccess app server (rewrite part)
# Determine the RewriteBase automatically and set it as environment variable.
# If you are using Apache aliases to do mass virtual hosting or installed the
# project in a subdirectory, the base path will be prepended to allow proper
# resolution of the index.php file and to redirect to the correct URI. It will
# work in environments without path prefix as well, providing a safe, one-size
# fits all solution. But as you do not need it in this case, you can comment
# the following 2 lines to eliminate the overhead.
RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
RewriteRule .* - [E=BASE:%1]
# Sets the HTTP_AUTHORIZATION header removed by Apache
RewriteCond %{HTTP:Authorization} .+
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]
# Redirect to URI without front controller to prevent duplicate content
# (with and without `/index.php`). Only do this redirect on the initial
# rewrite by Apache and not on subsequent cycles. Otherwise we would get an
# endless redirect loop (request -> rewrite to front controller ->
# redirect -> request -> ...).
# So in case you get a "too many redirects" error or you always get redirected
# to the start page because your Apache does not expose the REDIRECT_STATUS
# environment variable, you have 2 choices:
# - disable this feature by commenting the following 2 lines or
# - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
# following RewriteCond (best solution)
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
# Rewrite all other queries to the front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ %{ENV:BASE}/index.php [L]
Solution
I finally got it working.
The proxy configuration was changed from this:
<VirtualHost *:80>
ProxyPass /app1/ http://192.168.1.1/
ProxyPassReverse /app1/ http://192.168.1.1/
</VirtualHost>
to this:
<VirtualHost *:80>
ProxyPass /app1/ http://192.168.1.1/app1/
ProxyPassReverse /app1/ http://192.168.1.1/app1/
</VirtualHost>
Now it pointed to the /var/www/public/app1/ directory, which does not exist on the app server.
So.. on the app server I changed:
<VirtualHost *:80>
DocumentRoot /var/www/public
<Directory /var/www/public>
AllowOverride All
</Directory>
</VirtualHost>
to this:
<VirtualHost *:80>
DocumentRoot /var/www/public
Alias /app1 /var/www/public
<Directory /var/www/public>
AllowOverride All
</Directory>
</VirtualHost>
.. and DING.. it works.
Because of the webpack configuration in use, some additional application troubleshooting was needed. Changes had to be made to integrate the /app1/ prefix into the manifest, to get correct style/content URLs at build time. ;)
For example with Symfony Encore
From this:
// directory where compiled assets will be stored
.setOutputPath('public/build/')
// public path used by the web server to access the output path
.setPublicPath('/build')
// only needed for CDN's or sub-directory deploy
//.setManifestKeyPrefix('build/')
to this:
// directory where compiled assets will be stored
.setOutputPath('public/build/')
// public path used by the web server to access the output path
.setPublicPath('/app1/build')
// only needed for CDN's or sub-directory deploy
.setManifestKeyPrefix('build/')
Thanks for reading :)
If there is anything I should add for better understanding, please comment ;)