mirror of
https://github.com/kuaifan/dootask.git
synced 2026-06-22 23:32:11 +00:00
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
20c3fa91fb |
@ -10,14 +10,19 @@ class TrustProxies extends Middleware
|
|||||||
/**
|
/**
|
||||||
* The trusted proxies for this application.
|
* The trusted proxies for this application.
|
||||||
*
|
*
|
||||||
|
* PHP(Swoole)只在内网被 nginx 访问,外部无法直连,故信任内网代理。
|
||||||
|
*
|
||||||
* @var array|string|null
|
* @var array|string|null
|
||||||
*/
|
*/
|
||||||
protected $proxies;
|
protected $proxies = '*';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The headers that should be used to detect proxies.
|
* The headers that should be used to detect proxies.
|
||||||
*
|
*
|
||||||
|
* 只采信 X-Forwarded-Proto:nginx 已用 $the_scheme 覆盖该头(值由 nginx 控制),
|
||||||
|
* 据此让 url() 实时跟随 https;host/for 一律不信,避免 Host 注入与 IP 伪造。
|
||||||
|
*
|
||||||
* @var int
|
* @var int
|
||||||
*/
|
*/
|
||||||
protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_AWS_ELB;
|
protected $headers = Request::HEADER_X_FORWARDED_PROTO;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -25,14 +25,6 @@ class WebApi
|
|||||||
RequestContext::set('start_time', microtime(true));
|
RequestContext::set('start_time', microtime(true));
|
||||||
RequestContext::set('header_language', $request->header('language'));
|
RequestContext::set('header_language', $request->header('language'));
|
||||||
|
|
||||||
// 强制 https
|
|
||||||
$APP_SCHEME = env('APP_SCHEME', 'auto');
|
|
||||||
if (in_array(strtolower($APP_SCHEME), ['https', 'on', 'ssl', '1', 'true', 'yes'], true)) {
|
|
||||||
$request->server->set('HTTPS', 'on');
|
|
||||||
$request->headers->set('X-Forwarded-Proto', 'https');
|
|
||||||
$request->setTrustedProxies([$request->getClientIp()], $request::HEADER_X_FORWARDED_PROTO);
|
|
||||||
}
|
|
||||||
|
|
||||||
// 更新请求的基本URL
|
// 更新请求的基本URL
|
||||||
RequestContext::updateBaseUrl($request);
|
RequestContext::updateBaseUrl($request);
|
||||||
|
|
||||||
|
|||||||
@ -848,6 +848,13 @@ class Base
|
|||||||
*/
|
*/
|
||||||
public static function getSchemeAndHost()
|
public static function getSchemeAndHost()
|
||||||
{
|
{
|
||||||
|
// 优先用当前请求的协议+主机:getScheme() 会经 TrustProxies 采信 X-Forwarded-Proto,
|
||||||
|
// 从而正确识别 https;host 取自 Host 头(不信 X-Forwarded-Host,避免 Host 注入)
|
||||||
|
$request = request();
|
||||||
|
if ($request && $request->getHttpHost()) {
|
||||||
|
return $request->getSchemeAndHttpHost();
|
||||||
|
}
|
||||||
|
// 非请求上下文(Task/命令行等)的兜底
|
||||||
$scheme = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
|
$scheme = isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443' ? 'https://' : 'http://';
|
||||||
return $scheme.($_SERVER['HTTP_HOST'] ?? '');
|
return $scheme.($_SERVER['HTTP_HOST'] ?? '');
|
||||||
}
|
}
|
||||||
|
|||||||
2
cmd
2
cmd
@ -882,7 +882,7 @@ case "$1" in
|
|||||||
else
|
else
|
||||||
https_auto
|
https_auto
|
||||||
fi
|
fi
|
||||||
restart_php
|
$COMPOSE up -d
|
||||||
;;
|
;;
|
||||||
"artisan")
|
"artisan")
|
||||||
shift 1
|
shift 1
|
||||||
|
|||||||
@ -42,8 +42,10 @@ services:
|
|||||||
ports:
|
ports:
|
||||||
- "${APP_PORT}:80"
|
- "${APP_PORT}:80"
|
||||||
- "${APP_SSL_PORT:-0}:443"
|
- "${APP_SSL_PORT:-0}:443"
|
||||||
|
environment:
|
||||||
|
APP_SCHEME: "${APP_SCHEME:-auto}"
|
||||||
volumes:
|
volumes:
|
||||||
- ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf
|
- ./docker/nginx/default.conf:/etc/nginx/templates/default.conf.template
|
||||||
- ./:/var/www
|
- ./:/var/www
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "curl", "-f", "http://localhost/health"]
|
test: ["CMD", "curl", "-f", "http://localhost/health"]
|
||||||
|
|||||||
@ -1,23 +1,47 @@
|
|||||||
|
map $host $app_scheme_raw {
|
||||||
|
default "${APP_SCHEME}";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $app_scheme_raw $force_https {
|
||||||
|
"https" 1;
|
||||||
|
"on" 1;
|
||||||
|
"ssl" 1;
|
||||||
|
"1" 1;
|
||||||
|
"true" 1;
|
||||||
|
"yes" 1;
|
||||||
|
default 0;
|
||||||
|
}
|
||||||
|
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
"" close;
|
||||||
}
|
}
|
||||||
|
|
||||||
map $http_host $this_host {
|
map $http_host $this_host {
|
||||||
"" $host;
|
"" $host;
|
||||||
default $http_host;
|
default $http_host;
|
||||||
}
|
}
|
||||||
map $http_x_forwarded_proto $the_scheme {
|
|
||||||
default $http_x_forwarded_proto;
|
|
||||||
"" $scheme;
|
|
||||||
}
|
|
||||||
map $http_x_forwarded_host $the_host {
|
map $http_x_forwarded_host $the_host {
|
||||||
|
"" $this_host;
|
||||||
default $http_x_forwarded_host;
|
default $http_x_forwarded_host;
|
||||||
"" $this_host;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
map $http_x_forwarded_proto $auto_scheme {
|
||||||
|
"" $scheme;
|
||||||
|
default $http_x_forwarded_proto;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $force_https $the_scheme {
|
||||||
|
1 https;
|
||||||
|
default $auto_scheme;
|
||||||
|
}
|
||||||
|
|
||||||
upstream service {
|
upstream service {
|
||||||
server php:20000 weight=5 max_fails=3 fail_timeout=30s;
|
server php:20000 weight=5 max_fails=3 fail_timeout=30s;
|
||||||
keepalive 16;
|
keepalive 16;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user