app/Http/Middleware/TrustProxies.php

@@ -10,19 +10,14 @@ class TrustProxies extends Middleware
     /**
      * The trusted proxies for this application.
      *
-     * PHP（Swoole）只在内网被 nginx 访问，外部无法直连，故信任内网代理。
-     *
      * @var array|string|null
      */
-    protected $proxies = '*';
+    protected $proxies;
 
     /**
      * The headers that should be used to detect proxies.
      *
-     * 只采信 X-Forwarded-Proto：nginx 已用 $the_scheme 覆盖该头（值由 nginx 控制），
-     * 据此让 url() 实时跟随 https；host/for 一律不信，避免 Host 注入与 IP 伪造。
-     *
      * @var int
      */
-    protected $headers = Request::HEADER_X_FORWARDED_PROTO;
+    protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_AWS_ELB;
 }

app/Http/Middleware/WebApi.php

@@ -25,6 +25,14 @@ class WebApi
         RequestContext::set('start_time', microtime(true));
         RequestContext::set('header_language', $request->header('language'));
 
+        // 强制 https
+        $APP_SCHEME = env('APP_SCHEME', 'auto');
+        if (in_array(strtolower($APP_SCHEME), ['https', 'on', 'ssl', '1', 'true', 'yes'], true)) {
+            $request->server->set('HTTPS', 'on');
+            $request->headers->set('X-Forwarded-Proto', 'https');
+            $request->setTrustedProxies([$request->getClientIp()], $request::HEADER_X_FORWARDED_PROTO);
+        }
+
         // 更新请求的基本URL
         RequestContext::updateBaseUrl($request);
 

app/Module/Base.php

@@ -848,13 +848,6 @@ class Base
      */
     public static function getSchemeAndHost()
     {
-        // 优先用当前请求的协议+主机：getScheme() 会经 TrustProxies 采信 X-Forwarded-Proto，
-        // 从而正确识别 https；host 取自 Host 头（不信 X-Forwarded-Host，避免 Host 注入）
-        $request = request();
-        if ($request && $request->getHttpHost()) {
-            return $request->getSchemeAndHttpHost();
-        }
-        // 非请求上下文（Task/命令行等）的兜底
         $scheme = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
         return $scheme.($_SERVER['HTTP_HOST'] ?? '');
     }

cmd

@@ -882,7 +882,7 @@ case "$1" in
         else
             https_auto
         fi
-        $COMPOSE up -d
+        restart_php
         ;;
     "artisan")
         shift 1

docker-compose.yml

@@ -42,10 +42,8 @@ services:
     ports:
       - "${APP_PORT}:80"
       - "${APP_SSL_PORT:-0}:443"
-    environment:
-      APP_SCHEME: "${APP_SCHEME:-auto}"
     volumes:
-      - ./docker/nginx/default.conf:/etc/nginx/templates/default.conf.template
+      - ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf
       - ./:/var/www
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost/health"]

docker/nginx/default.conf

@@ -1,47 +1,23 @@
-map $host $app_scheme_raw {
-    default "${APP_SCHEME}";
-}
-
-map $app_scheme_raw $force_https {
-    "https" 1; 
-    "on"    1; 
-    "ssl"   1; 
-    "1"     1; 
-    "true"  1; 
-    "yes"   1;
-    default 0;
-}
-
 map $http_upgrade $connection_upgrade {
     default upgrade;
-    ""      close;
+    ''      close;
 }
-
 map $http_host $this_host {
-    ""      $host;
+    "" $host;
     default $http_host;
 }
-
+map $http_x_forwarded_proto $the_scheme {
+     default $http_x_forwarded_proto;
+     "" $scheme;
+}
 map $http_x_forwarded_host $the_host {
-    ""      $this_host;
     default $http_x_forwarded_host;
+    "" $this_host;
 }
-
-map $http_x_forwarded_proto $auto_scheme {
-    ""      $scheme;
-    default $http_x_forwarded_proto;
-}
-
-map $force_https $the_scheme {
-    1       https;
-    default $auto_scheme;
-}
-
 upstream service {
     server php:20000 weight=5 max_fails=3 fail_timeout=30s;
     keepalive 16;
 }
-
 server {
     listen 80;