Mixed Content/Insecure Content SSL


Problem description

I am currently having the following problem:

Mixed Content: The page at 'https://www.example.com/' was loaded over HTTPS, but requested an insecure stylesheet

This is a WordPress website on a CentOS server with httpd installed.

I have the following virtual host setup in http.conf:

NameVirtualHost *:80
NameVirtualHost *:443


<VirtualHost *:443>
    DocumentRoot /var/www/html/example
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/intermediate.crt
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    Redirect / https://www.example.com/
</VirtualHost>

In my httpd.conf I have changed AllowOverride to All, so it looks like so:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

I can confirm the htaccess is working, as I am using the iThemes Security plugin and this is working as expected; also, if I type some garbage in the htaccess I get a server misconfiguration error, as expected.

I have changed both the WordPress URLs in the Dashboard to use https instead of http.

Once all of this was done, I was able to access the site over HTTP, be redirected to the HTTPS version of the site and see the site. However, in the console I receive the error regarding mixed content, and the padlock shield appears as yellow or red crossed as opposed to the desired green.

There are a few files that are an issue, and I know, for example, that I can change the URLs manually to use https as opposed to http. As I understand it, I can change the URL to the below and this will simply adjust the link to the current protocol in use:

<img src="//www.example.com/image.jpg" />

I have also seen that if a resource is not available over https I can simply do the following:

https://example.com/imageserver?url=http://otherdomain.com/someimage.jpg&hash=abcdeafad

I am, however, trying to find a way to fix all of these in one go using htaccess (something I am sure I have done before, but my snippets aren't working for me).

There are two main snippets I have used in an attempt to force everything over https, the first being:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On

#These Lines to force HTTPS
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

The second is from Dave Walsh:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]

However, neither seems to solve my issue. As a precaution I have restarted the httpd service after every change, even htaccess changes which shouldn't require a restart; however, the situation remains the same. Can anyone point me in the right direction?

Recommended answer

The simplest solution is to replace all links manually. Using the solution below will save you time, and it's very straightforward.

The idea is to remove all protocols (HTTP and HTTPS) and leave them to use protocol-relative URLs: https://stackoverflow.com/a/15146073/3599237

We can do this using the following code for index.php:

<?php
// this line was added here
ob_start();
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

// and these lines also
$output = ob_get_contents();
ob_end_clean();

$output = str_replace(array("https://", "http://"), "//", $output);
echo str_replace('http:\/\/', "\/\/", $output);

Update: you can simply use Content Security Policy



The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.


The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP.

Put the line below into the header section (header.php file).

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">


For more information please read: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
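
An added example (not part of the original answer): a small Python scanner that lists the subresources a page still requests over http:// and records whether each one appears after the upgrade-insecure-requests meta tag, since a policy delivered in a meta element does not apply to content that precedes it. The sample HTML and the wp-content path are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that trigger a subresource fetch. "active" content is
# blocked on HTTPS pages; "passive" content historically loads with a warning.
FETCHES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("img", "src"): "passive",
    ("audio", "src"): "passive", ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, tag, url, upgraded_by_csp)
        self.upgrading = False  # set once the CSP <meta> has been parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if "upgrade-insecure-requests" in a.get("content", "").lower():
                self.upgrading = True
            return
        # Only rel=stylesheet links are treated as fetches; canonical etc. are skipped.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        for (t, attr), kind in FETCHES.items():
            url = a.get(attr, "").strip()
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((kind, tag, url, self.upgrading))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: the stylesheet precedes the CSP <meta>, the rest follow it.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/">
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<script src="http://www.example.com/wp-includes/js/jquery.js"></script>
</head><body><img src="//www.example.com/image.jpg" />
<img src="http://otherdomain.com/someimage.jpg">
<a href="http://www.example.com/about">About</a></body></html>"""

if __name__ == "__main__":
    for kind, tag, url, upgraded in scan(SAMPLE):
        print(f"{kind:7} <{tag}> {url} upgraded_by_meta={upgraded}")
```

A finding marked as upgraded is rewritten to https by the browser, which still fails if the host (such as otherdomain.com here) does not serve HTTPS.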
