Mixed Content/Insecure Content SSL
I am currently getting the following problem:
Mixed Content: The page at 'https://www.example.com/' was loaded over HTTPS, but requested an insecure stylesheet
This is a WordPress site on a CentOS server that has httpd installed.
I have the following virtual hosts set up in `http.conf`:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot /var/www/html/example
ServerName www.example.com
ServerAlias example.com
SSLEngine on
SSLCACertificateFile /etc/httpd/conf/ssl.crt/intermediate.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
Redirect / https://www.example.com/
</VirtualHost>
In my httpd.conf I have changed AllowOverride to All, so it looks like this:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
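I can confirm that htaccess is working, because I am using the iTheme security plugin and it works as expected, and if I type some garbage into the htaccess I get a server misconfiguration error, as expected.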
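I have changed both WordPress URLs in the dashboard to use https instead of http.
Once all of this was done, I was able to access the site over HTTP, be redirected to the HTTPS version of the site, and view the site. However, in the console I get errors about mixed content, and the padlock shield shows as yellow or a red cross rather than the desired green.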
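A few files are the problem, and I know that, for example, I can manually change the URLs to use https instead of http. As I understand it, I can change the URL to the following, which will simply adjust the link to whichever protocol is currently in use: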
<img src="//www.example.com/image.jpg" />
I have also seen that, if a resource is not available over https, I can simply do the following:
https://example.com/imageserver?url=http://otherdomain.com/someimage.jpg&hash=abcdeafad
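However, I am trying to find a way to fix all of these in one go using htaccess (something I am sure I have done before, but my snippets are not working for me).
There are two main snippets I have used to try to force everything over https. The first is: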
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
#These Lines to force HTTPS
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/ [NC,R=301,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
The second is from Dave Walsh:
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/ [R,L]
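However, neither seems to solve my problem. As a precaution I have restarted the httpd service after every change, even htaccess changes that should not require a restart, but the situation remains the same. Can anyone point me in the right direction?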
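The simplest solution is to replace all the links manually using the solution below, which will save you time and is very straightforward.
The idea is to remove all (protocol HTTP and HTTPS) and let them use protocol-relative URLs https://whosebug.com/a/15146073/3599237
We can do this using the code below for index.php: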
<?php
// this line was added here
ob_start();
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
//and these lines also
$output = ob_get_contents();
ob_end_clean();
$output = str_replace(array("https://", "http://"), "//", $output);
echo str_replace('http:\/\/', "\/\/", $output);
Update: you can simply use Content Security Policy
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests
directive instructs user agents to treat all of a site's insecure URLs
(those served over HTTP) as though they have been replaced with secure
URLs (those served over HTTPS). This directive is intended for web
sites with large numbers of insecure legacy URLs that need to be
rewritten.
The upgrade-insecure-requests directive is evaluated before
block-all-mixed-content and if it is set, the latter is effectively a
no-op. It is recommended to set either directive, but not both, unless
you want to force HTTPS on older browsers that do not force it after a
redirect to HTTP.
Put the following line in the header section (the header.php file).
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
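An added example (not part of the original question or answer): a small Node.js scan that lists the `http://` subresources in saved page source, which are the references behind the Mixed Content console error, and separates them from plain `<a href>` navigation links and protocol-relative URLs, which are not flagged. The sample HTML and its paths are constructed, and the tag matching is regex-based rather than a full HTML parser.

```javascript
// Active content: browsers block these outright when requested over http:// from an HTTPS page.
const BLOCKABLE = new Map([['script', 'src'], ['iframe', 'src'], ['link', 'href']]);
// Passive content: historically loaded anyway, but with a degraded padlock.
const PASSIVE = new Map([['img', 'src'], ['audio', 'src'], ['video', 'src']]);

// Return the value of one attribute from a raw tag string (quoted or unquoted), or null.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List every subresource reference that would be fetched over plain HTTP.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const element = m[1].toLowerCase();
    const urlAttr = BLOCKABLE.get(element) || PASSIVE.get(element);
    if (!urlAttr) continue; // e.g. <a href> is navigation, not a subresource
    // <link> only fetches a subresource here when it is a stylesheet (not rel="canonical").
    if (element === 'link' && !/\bstylesheet\b/i.test(attr(tag, 'rel') || '')) continue;
    const url = (attr(tag, urlAttr) || '').trim();
    if (!/^http:\/\//i.test(url)) continue; // https:// and //host/... are fine
    findings.push({ element, url, kind: BLOCKABLE.has(element) ? 'blockable' : 'passive' });
  }
  return findings;
}

// Constructed sample page source, modelled on the URLs used in the question.
const SAMPLE = `
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://www.example.com/wp-includes/js/jquery.js"></script>
<img src="//www.example.com/image.jpg" />
<img src='http://otherdomain.com/someimage.jpg'>
<a href="http://otherdomain.com/">link</a>
`;

for (const f of findMixedContent(SAMPLE)) {
  console.log(`${f.kind.padEnd(9)} <${f.element}> ${f.url}`);
}
```

Findings on a third-party host, such as the `otherdomain.com` image, are the ones to check by hand: rewriting the scheme only helps if that host actually serves the resource over HTTPS.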