magento ssl + Varnish

magento ssl + varnish

我想在我的 magento 商店上使用带有 varnish 的 SSL,使用 nginx 我做了一个到端口 80 的代理传递(varnish 听它)。

但是当我这样做时,ESI 块返回 404。如果我绕过 varnish(把 nginx 的代理端口改为 8080),它就能正常工作。

Varnish 配置:

C{
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
#include <pthread.h>
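    /* Serialises lrand48(), which keeps global state and is not thread-safe;
     * this code runs concurrently in Varnish worker threads. */
    static pthread_mutex_t lrand_mutex = PTHREAD_MUTEX_INITIALIZER;
    /*
     * Writes "frontend=" followed by 32 hex digits in a version-4-UUID-like
     * layout (8-4-4-4-4-8) into buf. buf must hold at least 42 bytes (41
     * characters plus the terminating NUL). Every lrand48() value is below
     * 2^31, so each %08lx/%04lx field is bounded and the output length is
     * fixed. The value is sent to the backend as the "frontend" session
     * cookie and, via vcl_deliver, to the client.
     *
     * NOTE(review): lrand48() is not a cryptographic generator and nothing
     * in this file seeds it (no srand48()/seed48()), so the sequence is the
     * same after every Varnish start; since the value acts as a session
     * identifier, a CSPRNG source would be the appropriate replacement —
     * confirm whether seeding happens elsewhere.
     */
    void generate_uuid(char* buf) {
        pthread_mutex_lock(&lrand_mutex);
        long a = lrand48();
        long b = lrand48();
        long c = lrand48();
        long d = lrand48();
        pthread_mutex_unlock(&lrand_mutex);
        /* The third group previously evaluated as (b & (0x0fff0000 >> 16)),
         * i.e. b & 0x0fff, because ">>" binds tighter than "&"; that reused
         * the low bits already printed in the second group. The mask is now
         * parenthesised so bits 16..27 of b are used; the 0x4 "version"
         * nibble and the field widths are unchanged. */
        sprintf(buf, "frontend=%08lx%04lx%04lx%04lx%04lx%08lx",
                a,
                b & 0xffff,
                ((b & (long)0x0fff0000) >> 16) | 0x4000,
                (c & 0x0fff) | 0x8000,
                (c & (long)0xffff0000) >> 16,
                d
               );
        return;
    }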
}C
import std;
# Magento behind nginx on the loopback interface (the nginx "listen 8080"
# server); generous timeouts because uncached Magento pages can be slow.
backend default {
    .between_bytes_timeout = 600s;
    .first_byte_timeout = 600s;
    .port = "8080";
    .host = "127.0.0.1";
}
# Same nginx server as "default", but selected by vcl_recv for piped
# admin/compare requests, which are allowed to run for up to six hours.
backend admin {
    .between_bytes_timeout = 21600s;
    .first_byte_timeout = 21600s;
    .port = "8080";
    .host = "127.0.0.1";
}
# Addresses treated as crawlers: vcl_recv gives them the shared
# "frontend=crawler-session" cookie instead of a real session.
# NOTE(review): the HTTPS path proxies from nginx on this host
# (proxy_pass http://127.0.0.1:80), so client.ip is 127.0.0.1 for every
# HTTPS visitor and all of them match this ACL. Confirm whether a local
# warm-cache crawler really needs this entry.
acl crawler_acl {
    "127.0.0.1"/32;
}
# Addresses that may fetch ESI blocks directly and receive the cache-internal
# X-Varnish-*/X-Turpentine-* response headers (see vcl_recv / vcl_deliver).
acl debug_acl {
    "100.100.100.100"/32;
}
# Addresses allowed to send PURGE. Entry order does not affect matching.
# NOTE(review): "localhost" also matches requests relayed by the nginx HTTPS
# server on this host, so PURGE should be rejected at the TLS front end.
acl purge {
    "192.168.10.0"/24;
    "localhost";
}
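# Builds the "frontend" session cookie sent to the backend, either from an
# SID= query parameter or from a freshly generated value. The value is kept in
# req.http.X-Varnish-Faked-Session so vcl_deliver can hand it to the client.
sub generate_session {
    if (req.url ~ ".*[&?]SID=([^&]+).*") {
        # The replacement must carry the captured id (\1); a bare "frontend="
        # would send an empty session id to the backend.
        set req.http.X-Varnish-Faked-Session = regsub(
                req.url, ".*[&?]SID=([^&]+).*", "frontend=\1");
    } else {
        C{
            char uuid_buf [50];
            generate_uuid(uuid_buf);
            /* Varnish 3 VRT_SetHdr() takes the header name prefixed with its
             * length in one byte: "X-Varnish-Faked-Session:" is 24 characters,
             * i.e. \030 in octal. */
            VRT_SetHdr(sp, HDR_REQ,
                    "\030X-Varnish-Faked-Session:",
                    uuid_buf,
                    vrt_magic_string_end
                  );
        }C
    }
    # Prepend the faked session to whatever cookies the client sent, after
    # folding multiple Cookie headers into one.
    if (req.http.Cookie) {
        std.collect(req.http.Cookie);
        set req.http.Cookie = req.http.X-Varnish-Faked-Session +
            "; " + req.http.Cookie;
    } else {
        set req.http.Cookie = req.http.X-Varnish-Faked-Session;
    }
}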
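# Computes the "expires" attribute of the faked session cookie (now + 1 hour,
# in GMT) and exposes it to vcl_deliver as resp.http.X-Varnish-Cookie-Expires.
sub generate_session_expires {
    C{
        /* The hour is added on the time_t rather than on struct tm followed
         * by mktime(): mktime() normalises in *local* time and may apply a DST
         * adjustment to fields that came from gmtime(), and it also rewrites
         * the zone name printed by %Z. gmtime_r() is used because gmtime()
         * writes a shared static buffer and this code runs concurrently in
         * Varnish worker threads. */
        time_t expires = time(NULL) + 3600;
        struct tm expires_tm;
        char date_buf [50];
        gmtime_r(&expires, &expires_tm);
        strftime(date_buf, sizeof(date_buf)-1, "%a, %d-%b-%Y %H:%M:%S %Z", &expires_tm);
        /* Varnish 3 VRT_SetHdr() takes the header name prefixed with its
         * length in one byte: "X-Varnish-Cookie-Expires:" is 25 characters,
         * i.e. \031 in octal. */
        VRT_SetHdr(sp, HDR_RESP,
                "\031X-Varnish-Cookie-Expires:",
                date_buf,
                vrt_magic_string_end
              );
    }C
}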
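# Request entry point (Varnish 3): decides whether a request is piped, passed
# or looked up, and normalises the URL and cookie headers used by vcl_hash.
sub vcl_recv {

    # NOTE(review): on the HTTPS path every request arrives from nginx on
    # 127.0.0.1, so client.ip matches "localhost" in the purge ACL whatever
    # the real client address is; PURGE should be rejected at the TLS front end.
    if (req.request == "PURGE") {
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
        return (lookup);
    }
    if (req.restarts == 0) {
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For =
                req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }
    # Anything that is not a plain GET/HEAD, carries HTTP auth, or opts out via
    # the varnish_bypass cookie goes straight to the backend.
    if (!true || req.http.Authorization ||
            req.request !~ "^(GET|HEAD)$" ||
            req.http.Cookie ~ "varnish_bypass=1") {
        return (pipe);
    }
    # Collapse runs of slashes. The replacement must re-emit both captures
    # (\1 and \2); a bare "/" would replace the whole URL with "/".
    set req.url = regsuball(req.url, "(.*)//+(.*)", "\1/\2");
    # Reduce Accept-Encoding to the two values we cache variants for.
    if (req.http.Accept-Encoding) {
        if (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } else if (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            unset req.http.Accept-Encoding;
        }
    }
    if (req.url ~ "^(/media/|/skin/|/js/|/)(?:(?:index|litespeed)\.php/)?") {
        set req.http.X-Turpentine-Secret-Handshake = "1";
        if (req.url ~ "^(/media/|/skin/|/js/|/)(?:(?:index|litespeed)\.php/)?(?:admin|compare)") {
            set req.backend = admin;
            return (pipe);
        }
        # Store/currency selection is copied into headers so vcl_hash can key
        # on them; \1 is the cookie value.
        if (req.http.Cookie ~ "\bcurrency=") {
            set req.http.X-Varnish-Currency = regsub(
                    req.http.Cookie, ".*\bcurrency=([^;]*).*", "\1");
        }
        if (req.http.Cookie ~ "\bstore=") {
            set req.http.X-Varnish-Store = regsub(
                    req.http.Cookie, ".*\bstore=([^;]*).*", "\1");
        }
        if (req.url ~ "/turpentine/esi/get(?:Block|FormKey)/") {
            # Both headers are taken from the ESI URL. With an empty
            # replacement they would always be empty and the external-ESI
            # check below could never fire.
            set req.http.X-Varnish-Esi-Method = regsub(
                    req.url, ".*/method/(\w+)/.*", "\1");
            set req.http.X-Varnish-Esi-Access = regsub(
                    req.url, ".*/access/(\w+)/.*", "\1");
            # ESI block URLs may only be fetched by Varnish itself
            # (esi_level > 0) or from a debug address.
            if (req.http.X-Varnish-Esi-Method == "esi" && req.esi_level == 0 &&
                    !(false || client.ip ~ debug_acl)) {
                error 403 "External ESI requests are not allowed";
            }
        }
        if (req.http.Cookie !~ "frontend=") {
            # NOTE(review): crawler_acl contains 127.0.0.1, which is also
            # nginx's address on the HTTPS path, so every cookie-less HTTPS
            # visitor is given the shared crawler session instead of a fresh one.
            if (client.ip ~ crawler_acl ||
                    req.http.User-Agent ~ "^(?:ApacheBench/.*|.*Googlebot.*|JoeDog/.*Siege.*|magespeedtest\.com|Nexcessnet_Turpentine/.*)$") {
                set req.http.Cookie = "frontend=crawler-session";
            } else {
                call generate_session;
            }
        }
        # Static assets are cached without any session context.
        if (true &&
                req.url ~ ".*\.(?:css|js|jpe?g|png|gif|ico|swf)(?=\?|&|$)") {
            unset req.http.Cookie;
            unset req.http.X-Varnish-Faked-Session;
            return (lookup);
        }
#       if (req.url ~ "(checkout|BackgroundTask)"){
#                        return (pass);
#                }
        if (req.url ~ "^(/media/|/skin/|/js/|/)(?:(?:index|litespeed)\.php/)?(?:admin|compare|varnish|Purchase|scripts)" ||
                req.url ~ "^/media/flux" || req.url ~ "^/media/catalog/btob/21/" || req.url ~ "/wp-(login|admin)" || req.url ~ "preview=true" ||
                req.url ~ "\?.*__from_store=") {
            return (pipe);
        }
        if (true &&
                req.url ~ "(?:[?&](?:__SID|XDEBUG_PROFILE)(?=[&=]|$))") {
            return (pass);
        }
        # Strip tracking parameters so they do not fragment the cache. The
        # captured "?" (\1) is re-emitted so the query string stays well-formed.
        if (req.url ~ "[?&](utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=") {
            set req.url = regsuball(req.url, "(?:(\?)?|&)(?:utm_source|utm_medium|utm_campaign|gclid|cx|ie|cof|siteurl)=[^&]+", "\1");
            set req.url = regsuball(req.url, "(?:(\?)&|\?$)", "\1");
        }
        return (lookup);
    }
}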
# Piped requests bypass the cache: the connection is closed after the
# exchange and the handshake header is not forwarded (presumably so the
# backend does not emit ESI markup Varnish will never process — confirm).
sub vcl_pipe {
    set bereq.http.Connection = "close";
    unset bereq.http.X-Turpentine-Secret-Handshake;
}
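# Cache key: URL, host, TLS-offload flag, normalised UA and encoding, store
# and currency, and — for private ESI blocks only — the visitor's session id.
sub vcl_hash {
    hash_data(req.url);
    if (req.http.Host) {
        hash_data(req.http.Host);
    } else {
        hash_data(server.ip);
    }
    # NOTE(review): the nginx HTTPS server shown on this page sets
    # X-Forwarded-Proto but not Ssl-Offloaded, so unless something else sets
    # it the http:// and https:// variants of a page hash to the same object.
    hash_data(req.http.Ssl-Offloaded);
    if (req.http.X-Normalized-User-Agent) {
        hash_data(req.http.X-Normalized-User-Agent);
    }
    if (req.http.Accept-Encoding) {
        hash_data(req.http.Accept-Encoding);
    }
    if (req.http.X-Varnish-Store || req.http.X-Varnish-Currency) {
        hash_data("s=" + req.http.X-Varnish-Store + "&c=" + req.http.X-Varnish-Currency);
    }
    if (req.http.X-Varnish-Esi-Access == "private" &&
            req.http.Cookie ~ "frontend=") {
        # The session id (\1) has to be part of the key: with an empty
        # replacement every visitor would share one cached private block.
        hash_data(regsub(req.http.Cookie, "^.*?frontend=([^;]*);*.*$", "\1"));
    }
    return (hash);
}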
# Cache hit: a PURGE that reached here evicts the object and reports success;
# everything else is delivered as the Varnish 3 built-in would.
sub vcl_hit {
    if (req.request != "PURGE") {
        return (deliver);
    }
    purge;
    error 200 "Purged.";
}
# Cache miss: a PURGE still answers 200 (nothing to evict, but the ban is
# recorded); other requests are fetched as the Varnish 3 built-in would.
sub vcl_miss {
    if (req.request != "PURGE") {
        return (fetch);
    }
    purge;
    error 200 "Purged.";
}
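# Backend-response hook (Varnish 3): chooses TTLs, strips the backend's own
# cache headers and enables ESI processing for Turpentine-marked responses.
sub vcl_fetch {
    set req.grace = 15s;
    set beresp.http.X-Varnish-Host = req.http.host;
    set beresp.http.X-Varnish-URL = req.url;
    if (req.url ~ "^(/festival/media/|/festival/skin/|/festival/js/|/festival/|/media/|/skin/|/js/|/)(?:(?:index|litespeed)\.php/)?") {
        unset beresp.http.Vary;
        set beresp.do_gzip = true;
#       if (beresp.status != 200 && beresp.status != 404) {
        # Only 200 responses are cached; anything else becomes a short
        # hit_for_pass so concurrent requests are not serialised.
        if (beresp.status != 200) {
            set beresp.ttl = 15s;
            return (hit_for_pass);
        } else {
            # Set-Cookie is moved aside so the object is cacheable; the copy is
            # removed again in vcl_deliver for non-debug clients.
            if (beresp.http.Set-Cookie) {
                set beresp.http.X-Varnish-Set-Cookie = beresp.http.Set-Cookie;
                unset beresp.http.Set-Cookie;
            }
            # Varnish decides freshness itself; drop the backend's directives.
            unset beresp.http.Cache-Control;
            unset beresp.http.Expires;
            unset beresp.http.Pragma;
            unset beresp.http.Cache;
            unset beresp.http.Age;
            if (beresp.http.X-Turpentine-Esi == "1") {
                set beresp.do_esi = true;
            }
            if (beresp.http.X-Turpentine-Cache == "0") {
                set beresp.ttl = 15s;
                return (hit_for_pass);
            } else {
                if (true &&
                        bereq.url ~ ".*\.(?:css|js|jpe?g|png|gif|ico|swf)(?=\?|&|$)") {
                    set beresp.ttl = 315360000s;
                    set beresp.http.Cache-Control = "max-age=315360000";
                } elseif (req.http.X-Varnish-Esi-Method) {
                    if (req.http.X-Varnish-Esi-Access == "private" &&
                            req.http.Cookie ~ "frontend=") {
                        # \1 is the session id from the frontend cookie.
                        set beresp.http.X-Varnish-Session = regsub(req.http.Cookie,
                                "^.*?frontend=([^;]*);*.*$", "\1");
                    }
                    if (req.http.X-Varnish-Esi-Method == "ajax" &&
                            req.http.X-Varnish-Esi-Access == "public") {
                        set beresp.http.Cache-Control = "max-age=" + regsub(
                                req.url, ".*/ttl/(\d+)/.*", "\1");
                    }
                    # The block TTL is encoded in the ESI URL (/ttl/<seconds>/).
                    # "\1s" turns the captured number into a duration; 300s is
                    # the fallback when the URL carries no usable ttl segment.
                    set beresp.ttl = std.duration(
                            regsub(
                                req.url, ".*/ttl/(\d+)/.*", "\1s"),
                            300s);
                    if (beresp.ttl == 0s) {
                        set beresp.ttl = 15s;
                        return (hit_for_pass);
                    }
                } else {
                    set beresp.ttl = 3600s;
                }
            }
        }
        return (deliver);
    }
}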
# Final response hook: hands the generated session cookie to the client,
# marks private AJAX blocks uncacheable and hides cache-internal headers from
# everyone except debug_acl addresses.
sub vcl_deliver {
    if (req.http.X-Varnish-Faked-Session) {
        call generate_session_expires;
        set resp.http.Set-Cookie = req.http.X-Varnish-Faked-Session +
            "; expires=" + resp.http.X-Varnish-Cookie-Expires + "; path=/";
        unset resp.http.X-Varnish-Cookie-Expires;
        if (req.http.Host) {
            # A cookie domain never carries a port, so strip any ":port".
            set resp.http.Set-Cookie = resp.http.Set-Cookie +
                "; domain=" + regsub(req.http.Host, ":\d+$", "");
        }
        # NOTE(review): only httponly is set. If the store is served over
        # HTTPS exclusively, appending "; secure" would keep the session id
        # off plain HTTP — confirm whether http:// pages are still in use.
        set resp.http.Set-Cookie = resp.http.Set-Cookie + "; httponly";
    }
    if (req.http.X-Varnish-Esi-Method == "ajax" && req.http.X-Varnish-Esi-Access == "private") {
        set resp.http.Cache-Control = "no-cache";
    }
    if (!(false || client.ip ~ debug_acl)) {
        # Remove everything that reveals the cache layout or the backend.
        unset resp.http.Via;
        unset resp.http.X-Varnish;
        unset resp.http.Server;
        unset resp.http.X-Powered-By;
        unset resp.http.X-Varnish-Host;
        unset resp.http.X-Varnish-URL;
        unset resp.http.X-Varnish-Session;
        unset resp.http.X-Varnish-Set-Cookie;
        unset resp.http.X-Turpentine-Block;
        unset resp.http.X-Turpentine-Cache;
        unset resp.http.X-Turpentine-Esi;
        unset resp.http.X-Turpentine-Flush-Events;
    } else {
        # NOTE(review): debug clients keep X-Varnish-Set-Cookie, which vcl_fetch
        # stores on the cached object and can therefore contain a cookie the
        # backend issued to a different visitor — keep debug_acl tight.
        set resp.http.X-Varnish-Hits = obj.hits;
        set resp.http.X-Varnish-Esi-Method = req.http.X-Varnish-Esi-Method;
        set resp.http.X-Varnish-Esi-Access = req.http.X-Varnish-Esi-Access;
        set resp.http.X-Varnish-Currency = req.http.X-Varnish-Currency;
        set resp.http.X-Varnish-Store = req.http.X-Varnish-Store;
    }
}

Nginx 配置文件:

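# TLS terminator: decrypts and relays everything to Varnish on port 80.
server {
    listen 443 ssl;
    server_name new.mywebsite.com;
    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/website.key;

    location / {
        # From Varnish's point of view every HTTPS client is 127.0.0.1, which
        # its "purge" ACL ("localhost") accepts. Refuse PURGE here so the
        # public HTTPS listener cannot be used to flush the cache; legitimate
        # purges go to port 80 directly.
        if ($request_method = PURGE) {
            return 405;
        }
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The backend server turns this into fastcgi_param HTTPS for Magento.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # vcl_hash folds Ssl-Offloaded into the cache key; without it the
        # http:// and https:// variants of a page share one cached object.
        proxy_set_header Ssl-Offloaded 1;
    }
}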
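# Magento backend, reached through Varnish (the VCL backends point at
# 127.0.0.1:8080). Looks for a "zoom" cache file via try_files before
# handing the request to PHP-FPM.
server {
    # Bound to loopback: this server trusts X-Forwarded-Proto (see $my_ssl
    # below), so it must not be reachable except from Varnish/nginx on this
    # host. The other blocks on this page only ever address it as 127.0.0.1.
    listen       127.0.0.1:8080;
    server_name  new.website.com;

    #charset koi8-r;
    access_log  /var/log/nginx/log/website.access.log  main;
    error_log /var/log/nginx/log/website.error.log;

    # Components of the zoom cache path: /var/zoom/<code><ua><uri>[/zget/...]
    set $ua '';
    set $zget /zget;

    set $mzi /ZOOM_INDEX;
    set $code mywebsite;
    set $zoombase        /var/zoom/$code$ua;
    set $zoomuri         $zoombase$uri;
    set $zoomuriget      $zoomuri$zget;

    set $p 1;

    # Toolbar state from cookies; query arguments override it below.
    # NOTE(review): these client-controlled values are spliced into the
    # try_files path without sanitisation. The fixed /ZOOM_INDEX suffix
    # limits what can be reached, but confirm the zoom tree holds nothing else.
    set $dir   $cookie_zoom_dir;
    set $limit $cookie_zoom_limit;
    set $mode  $cookie_zoom_mode;
    set $order $cookie_zoom_order;

    set $zoomg $zoomuriget;

    set $cat    "";
    set $price  "";

    if ($arg_p)     { set $p     $arg_p;      }
    if ($arg_dir)   { set $dir   $arg_dir;    }
    if ($arg_limit) { set $limit $arg_limit;  }
    if ($arg_mode)  { set $mode  $arg_mode;   }
    if ($arg_order) { set $order $arg_order;  }

    # Layered navigation will be appended in alphabetical order to the final string
    if ($arg_cat)   { set $cat   /cat/$arg_cat;   }
    if ($arg_price) { set $price /price/$arg_price; }

    set $control &dir=$dir&limit=$limit&mode=$mode&order=$order;

    # If there is no given toolbar state, look for symlink of the default state (at the given page)
    if ($control = "&dir=&limit=&mode=&order=") { set $zoomg $zoomg/p/$p; }

    # Otherwise, construct complete cache filename (this requires normalized URL for consistent hits)
    if ($zoomg = $zoomuriget) { set $zoomg $zoomg/p/$p/dir/$dir/limit/$limit/mode/$mode/order/$order$cat$price;  }

    # A fix to redirect the index page to the proper file
    if ($request_uri = /) { set $zoomuri $zoomuri$mzi;  }

    # Append the "ZOOM_INDEX" to the file category path
    set $zoomg $zoomg$mzi;

    # Now clean the filename of irregular characters: "from,to" in a price
    # range becomes "from%2Cto". The replacement must re-emit the four
    # captures; a bare "/price/%2C" would discard the rest of the path.
    if ($zoomg ~ (.*)/price/([0-9]+),([0-9]+)(.*)) { set $zoomg $1/price/$2%2C$3$4; }

    # Tell PHP whether the original request was HTTPS. Only trustworthy while
    # this server is reachable solely through the HTTPS proxy / Varnish.
    set $my_ssl "off";
    if ($http_x_forwarded_proto = "https"){
        set $my_ssl "on";
    }

    root /home/site/mywebsite;
    location / {
        index  index.html index.htm index.php;
        default_type text/html;
        # Zoom cache file first, then the real file/directory, then Magento.
        try_files $zoomuri $zoomg $uri $uri/ @redirect;
    }
    location @redirect {
        rewrite / /index.php;
    }

    location ~ \.php$ {
        # Kept for parity with the original; try_files below already falls
        # back to /index.php for a missing script.
        if (!-e $request_filename) {
            rewrite / /index.php last;
        }

        expires off;
        # try_files before fastcgi_pass ensures only an existing .php file is
        # executed, which closes the cgi.fix_pathinfo "/x.jpg/y.php" case.
        try_files $uri /index.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $my_ssl;
        fastcgi_param MAGE_RUN_CODE mywebsite;
        fastcgi_param MAGE_RUN_TYPE website;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }

}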

在您的 vcl_backend_response(Varnish 4)或 vcl_fetch(Varnish 3)中加入以下内容:

 # NOTE(review): this enables ESI parsing for every text/* backend response,
 # which is broader than the X-Turpentine-Esi == "1" gate in the vcl_fetch
 # above; it also leaves the https:// scheme in the ESI src untouched, so it
 # does not address the 404 described in the question.
 if (beresp.http.content-type ~ "text") {
        set beresp.do_esi = true;
    }

我找到了解决方案:当 ESI 块的 URL 以 https 协议调用时,这是 Varnish 的一个 bug。

我通过在 app/code/community/Nexcessnet/Turpentine/Model/Observer/Esi.php 中添加一个函数修复了 Nexcessnet 扩展(它负责 magento 和 varnish 之间的衔接):

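/**
 * Makes an ESI block URL relative by stripping the store's secure base URL.
 *
 * The question reports that ESI block URLs carrying the https:// base URL
 * came back as 404 behind Varnish; a path-only src is fetched through the
 * normal backend instead.
 *
 * @param string $url absolute ESI URL as produced by Mage::getUrl()
 * @return string the URL with the secure base URL replaced by "/", or the
 *                input unchanged when the replacement failed or produced ""
 */
protected function _stripBaseUrl ($url) {
    // NOTE(review): Mage::getStoreConfig() returns the raw config value; if
    // it is a {{...}} placeholder rather than a literal URL the pattern will
    // not match and $url is returned unchanged — confirm for this store.
    $base = Mage::getStoreConfig(Mage_Core_Model_Store::XML_PATH_SECURE_BASE_URL);
    // preg_quote: the base URL contains "." and may contain other regex
    // metacharacters; unquoted, "a.b" would also match "axb".
    $res = preg_replace("~^" . preg_quote($base, "~") . "~", "/", $url);
    // preg_replace() returns null on error; fall back to the original URL.
    return $res ? $res : $url;
}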

并在 replaceFormKeyPlaceholder 中调用这个:

// $esiHelper->getFormKeyEsiUrl() ), #REPLACE THIS LINE
$this->_stripBaseUrl($esiHelper->getFormKeyEsiUrl()) ), #BY THIS LINE

并在 injectEsi 中:

//$esiUrl = Mage::getUrl( 'turpentine/esi/getBlock', $urlOptions ); #REPLACE THIS LINE
$esiUrl = $this->_stripBaseUrl(Mage::getUrl( 'turpentine/esi/getBlock', $urlOptions )); #BY THIS LINE

运行得非常好!