github/dootask
1
0
Fork 0
mirror of https://github.com/kuaifan/dootask.git synced 2026-06-12 02:12:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(https): 协议识别下沉到 nginx,TrustProxies 只信 X-Forwarded-Proto

Browse Source 
- nginx 经 APP_SCHEME 环境变量(envsubst 模板)统一控制 X-Forwarded-Proto
- TrustProxies 信任内网代理但仅采信 X-Forwarded-Proto,防 Host 注入
- 移除 WebApi 中间件的硬编码强制 https
- getSchemeAndHost 优先用当前请求 scheme/host,保留非请求上下文兜底
- cmd https 切换后改用 compose up -d 重建 nginx 容器使 envsubst 生效

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
kuaifan 2026-06-06 01:52:38 +00:00
parent c03867304e
commit 20c3fa91fb
6 changed files with 49 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/Http/Middleware/TrustProxies.php
View File

@ -10,14 +10,19 @@ class TrustProxies extends Middleware
/**
* The trusted proxies for this application.
*
* PHPSwoole只在内网被 nginx 访问,外部无法直连,故信任内网代理。
*
* @var array|string|null
*/
protected $proxies;
protected $proxies = '*';
/**
* The headers that should be used to detect proxies.
*
* 只采信 X-Forwarded-Protonginx 已用 $the_scheme 覆盖该头(值由 nginx 控制),
* 据此让 url() 实时跟随 httpshost/for 一律不信,避免 Host 注入与 IP 伪造。
*
* @var int
*/
protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_AWS_ELB;
protected $headers = Request::HEADER_X_FORWARDED_PROTO;
}

8
app/Http/Middleware/WebApi.php
View File

@ -25,14 +25,6 @@ class WebApi
RequestContext::set('start_time', microtime(true));
RequestContext::set('header_language', $request->header('language'));
// 强制 https
$APP_SCHEME = env('APP_SCHEME', 'auto');
if (in_array(strtolower($APP_SCHEME), ['https', 'on', 'ssl', '1', 'true', 'yes'], true)) {
$request->server->set('HTTPS', 'on');
$request->headers->set('X-Forwarded-Proto', 'https');
$request->setTrustedProxies([$request->getClientIp()], $request::HEADER_X_FORWARDED_PROTO);
}
// 更新请求的基本URL
RequestContext::updateBaseUrl($request);

7
app/Module/Base.php
View File

@ -848,6 +848,13 @@ class Base
*/
public static function getSchemeAndHost()
{
// 优先用当前请求的协议+主机getScheme() 会经 TrustProxies 采信 X-Forwarded-Proto
// 从而正确识别 httpshost 取自 Host 头(不信 X-Forwarded-Host避免 Host 注入)
$request = request();
if ($request && $request->getHttpHost()) {
return $request->getSchemeAndHttpHost();
}
// 非请求上下文Task/命令行等)的兜底
$scheme = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
return $scheme.($_SERVER['HTTP_HOST'] ?? '');
}

2
cmd
View File

@ -882,7 +882,7 @@ case "$1" in
else
https_auto
fi
restart_php
$COMPOSE up -d
;;
"artisan")
shift 1

4
docker-compose.yml
View File

@ -42,8 +42,10 @@ services:
ports:
- "${APP_PORT}:80"
- "${APP_SSL_PORT:-0}:443"
environment:
APP_SCHEME: "${APP_SCHEME:-auto}"
volumes:
- ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf
- ./docker/nginx/default.conf:/etc/nginx/templates/default.conf.template
- ./:/var/www
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost/health"]

38
docker/nginx/default.conf
View File

@ -1,23 +1,47 @@
map $host $app_scheme_raw {
default "${APP_SCHEME}";
}
map $app_scheme_raw $force_https {
"https" 1;
"on" 1;
"ssl" 1;
"1" 1;
"true" 1;
"yes" 1;
default 0;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
"" close;
}
map $http_host $this_host {
"" $host;
"" $host;
default $http_host;
}
map $http_x_forwarded_proto $the_scheme {
default $http_x_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_host $the_host {
"" $this_host;
default $http_x_forwarded_host;
"" $this_host;
}
map $http_x_forwarded_proto $auto_scheme {
"" $scheme;
default $http_x_forwarded_proto;
}
map $force_https $the_scheme {
1 https;
default $auto_scheme;
}
upstream service {
server php:20000 weight=5 max_fails=3 fail_timeout=30s;
keepalive 16;
}
server {
listen 80;