Mixed Content/Insecure Content SSL


Problem description

I am currently running into the following problem:

Mixed Content: The page at 'https://www.example.com/' was loaded over HTTPS, but requested an insecure stylesheet

This is a WordPress website on a CentOS server with httpd installed.

I have the following virtual host setup in http.conf:

NameVirtualHost *:80
NameVirtualHost *:443


<VirtualHost *:443>
    DocumentRoot /var/www/html/example
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/intermediate.crt
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    Redirect / https://www.example.com/
</VirtualHost>

In my httpd.conf I have changed AllowOverride to All, so it looks like so:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

I can confirm the htaccess is working, as I am using the iTheme security plugin and this is working as expected; also, if I type some garbage in the htaccess I get a server misconfiguration error as expected.

I have changed both the WordPress URLs in the Dashboard to use https instead of http.

Once all of this was done, I was able to access the site over HTTP, be redirected to the HTTPS version of the site and see the site. However, in the console I receive the error regarding mixed content, and the padlock shield appears as yellow or red crossed as opposed to the desired green.

There are a few files that are an issue, and I know, for example, that I can change the URLs manually to use https as opposed to http. As I understand it, I can change the URL to the below and this will simply adjust the link to the current protocol in use:

<img src="//www.example.com/image.jpg" />

I have also seen that if a resource is not available over https I can simply do the following:

https://example.com/imageserver?url=http://otherdomain.com/someimage.jpg&hash=abcdeafad

I am, however, trying to find a way to fix all of these in one go using htaccess (something I am sure I have done before, but my snippets aren't working for me).

There are two main snippets I have used in an attempt to force everything over https, the first being:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On

#These Lines to force HTTPS
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

The second is from Dave Walsh:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]

However, neither seems to solve my issue. As a precaution I have restarted the httpd service after every change, even htaccess changes, which shouldn't require a restart; however, the situation remains the same. Can anyone point me in the right direction?

Recommended answer

The simplest solution is to replace all links manually; using the solution below will save you time, and it's very straightforward.

The idea is to remove all protocols (HTTP and HTTPS) and leave them to use protocol-relative URLs: https://stackoverflow.com/a/15146073/3599237

We can use index.php:

<?php
// this line was added here: buffer all output instead of sending it
ob_start();
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

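// and these lines were added too: grab the buffered page and discard the buffer
$output = ob_get_contents();
ob_end_clean();

// make every absolute URL protocol-relative
$output = str_replace(array("https://", "http://"), "//", $output);
// same for JSON-escaped URLs (http:\/\/) embedded in inline scripts
echo str_replace('http:\/\/', "\/\/", $output);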

Update: you can simply use Content Security Policy

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP.

Put the line below into the header section (header.php file).

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

For more information please read: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
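
To see which references on a page actually trigger the mixed-content error, the following added example (not part of the original question or answer) scans HTML for subresources requested over plain HTTP. The tag lists, the function name and the sample page are assumptions constructed for illustration; only rel=stylesheet links are checked.

```python
from html.parser import HTMLParser

# Insecure loads of these are blocked outright ("blockable"); the second
# group was historically loaded with a warning ("optionally blockable").
BLOCKABLE = {"script": "src", "iframe": "src", "link": "href"}
OPTIONALLY_BLOCKABLE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects subresource URLs that would be fetched over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in BLOCKABLE:
            attr, severity = BLOCKABLE[tag], "blockable"
        elif tag in OPTIONALLY_BLOCKABLE:
            attr, severity = OPTIONALLY_BLOCKABLE[tag], "optionally-blockable"
        else:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # simplification: rel=canonical and similar are not fetched
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((severity, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page, as it would be served from https://www.example.com/
SAMPLE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//www.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://otherdomain.com/someimage.jpg">
<a href="http://otherdomain.com/">link</a>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE):
        print(f"{severity:22} <{tag}> {url}")
```

Protocol-relative references and plain links are not reported, since neither causes an insecure subresource fetch on an HTTPS page.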
