服务器和客户端(opnsense、haproxy、phpmyadmin)上指示的 HTTPS 不匹配


在 Stack Overflow 和网上搜索了几个小时之后,我仍然不知道如何解决我的问题。

在我的 Debian 网络服务器上(phpMyAdmin v5.0.4),打开 URL https://companyname.de/phpmyadmin 时收到以下错误:

服务器和客户端上指示的 HTTPS 不匹配。 这可能会导致 phpMyAdmin 无法正常工作或存在安全风险。 请修复您的服务器配置以正确指示 HTTPS。

已通过 apt 安装 phpmyadmin。 没有更改 phpmyadmin .config 文件或 apache 相关文件中的任何内容。

Web 服务器在带有 HAProxy 的 OPNSense 后面。 HAProxy 正在处理所有 SSL letsencrypt 证书。

# Process-wide settings: privilege drop, chroot, runtime socket, TLS and buffer tuning.
global
    # Run as uid/gid 80 inside a chroot at /var/haproxy.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # Runtime API socket. "level admin" exposes the full runtime API, so anyone
    # who can write to this socket can reconfigure the proxy at runtime.
    # NOTE(review): mode 775 makes it writable by the owner and group "proxy";
    # keep that group's membership minimal.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    # Upper bound on how long a soft stop may take before remaining connections are killed.
    hard-stop-after             60s
    no strict-limits
    # Size in bits of the DH parameters used for DHE key exchange.
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    # 0 means no memory cap for Lua.
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

# Defaults inherited by every frontend and backend below.
defaults
    log     global
    # -1: redispatch to another server only on the last retry.
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 40s
    retries 3
    # Resolve server addresses from the last known state first, then via libc.
    default-server init-addr last,libc

# Frontend: http_lan_wan (public service for internal and external requests over http)
# Plain-HTTP listener on port 80: neither bind line carries "ssl".
frontend http_lan_wan
    bind 192.168.50.253:80 name 192.168.50.253:80 
    bind 192.168.50.252:80 name 192.168.50.252:80 
    mode http
    option http-keep-alive
    # Appends the client address as X-Forwarded-For on requests sent to the backend.
    option forwardfor

    # logging options
    # ACL: find_acme_challenge
    acl acl_645774a9f09708.61820985 path_beg -i /.well-known/acme-challenge/
    # ACL: redirect-companyname-de
    acl acl_645a60be852259.29309390 hdr(host) -i companyname.de
    # ACL: www
    acl acl_64555b3fec64e0.30748614 hdr(host) -i www.companyname.de
    # ACL: not-ssl
    # NOTE(review): despite its label, this ACL is "ssl_fc", which is TRUE when
    # the client connection uses TLS. Every rule below that uses it negates it.
    acl acl_64555c9187cd43.18700342 ssl_fc

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_645774a9f09708.61820985
    # ACTION: redirect_companyname_de
    # The redirect target is a fixed URL, so the original path and query are dropped.
    http-request redirect code 301  location https://www.companyname.de if acl_645a60be852259.29309390
    # ACTION: webserver
    use_backend webserver_backend if acl_64555b3fec64e0.30748614
    # ACTION: hsts_strict
    # NOTE: actions with no ACLs/conditions will always match
    # NOTE(review): this header is only added on the port-80 frontend; browsers
    # ignore Strict-Transport-Security received over plain HTTP, and none of the
    # HTTPS frontends in this file set it.
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" 
    # ACTION: set_http_header_companyname_de
    # NOTE(review): on this frontend ssl_fc is always false, so the condition is
    # always true and plain-HTTP requests are labelled "https" to the backend.
    http-request set-header X-Forwarded-Proto https if !acl_64555c9187cd43.18700342

# Frontend: https_lan_wan (public service for internal and external requests over https)
# TLS is terminated here: both bind lines carry "ssl" with a crt-list.
frontend https_lan_wan
    bind 192.168.50.253:443 name 192.168.50.253:443 ssl  crt-list /tmp/haproxy/ssl/645558bec44376.40532547.certlist 
    bind 192.168.50.252:443 name 192.168.50.252:443 ssl  crt-list /tmp/haproxy/ssl/645558bec44376.40532547.certlist 
    mode http
    option http-keep-alive
    # Appends the client address as X-Forwarded-For on requests sent to the backend.
    option forwardfor

    # logging options
    # ACL: redirect-companyname-de
    acl acl_645a60be852259.29309390 hdr(host) -i companyname.de
    # ACL: www
    acl acl_64555b3fec64e0.30748614 hdr(host) -i www.companyname.de
    # ACL: not-ssl
    # NOTE(review): the label says "not-ssl" but the expression is "ssl_fc",
    # which is TRUE for TLS client connections.
    acl acl_64555c9187cd43.18700342 ssl_fc

    # ACTION: redirect_companyname_de
    # The redirect target is a fixed URL, so a request for
    # https://companyname.de/phpmyadmin lands on https://www.companyname.de
    # without its path.
    http-request redirect code 301  location https://www.companyname.de if acl_645a60be852259.29309390
    # ACTION: webserver
    use_backend webserver_backend if acl_64555b3fec64e0.30748614
    # ACTION: set_http_header_companyname_de
    # NOTE(review): the condition is inverted for this frontend. Every connection
    # here is TLS, so "!ssl_fc" never matches and X-Forwarded-Proto is never set.
    # The backend is reached over plain HTTP (port 80) and gets no proxy-asserted
    # scheme, which is consistent with the HTTPS-mismatch warning phpMyAdmin shows.
    # Because the rule never fires, an X-Forwarded-Proto value supplied by the
    # client is also passed through unmodified. Setting the header
    # unconditionally on TLS frontends (or using "if <acl>" without the "!")
    # would overwrite it with the proxy's own value.
    http-request set-header X-Forwarded-Proto https if !acl_64555c9187cd43.18700342

# Frontend: https_lan (public service for internal requests only, over https)
# NOTE(review): this binds 192.168.50.252:443, the same address and port that
# https_lan_wan also binds (with a different crt-list). Which of the two
# frontends receives a given connection cannot be told from this file — verify
# that the overlap is intended.
frontend https_lan
    bind 192.168.50.252:443 name 192.168.50.252:443 ssl  crt-list /tmp/haproxy/ssl/64555918cba291.18660693.certlist 
    mode http
    option http-keep-alive
    # Appends the client address as X-Forwarded-For on requests sent to the backend.
    option forwardfor

    # logging options
    # ACL: www
    acl acl_64555b3fec64e0.30748614 hdr(host) -i www.companyname.de
    # ACL: not-ssl
    # NOTE(review): labelled "not-ssl" but defined as "ssl_fc" (TRUE on TLS).
    acl acl_64555c9187cd43.18700342 ssl_fc

    # ACTION: webserver
    use_backend webserver_backend if acl_64555b3fec64e0.30748614
    # ACTION: set_http_header_companyname_de
    # NOTE(review): the bind line is TLS-only, so "!ssl_fc" never matches and the
    # header is never set here; a client-supplied X-Forwarded-Proto is forwarded
    # unchanged.
    http-request set-header X-Forwarded-Proto https if !acl_64555c9187cd43.18700342

# Backend: webserver_backend (backend pool for Apache/WordPress)
# Single server reached over plain HTTP on port 80, so the web server only sees
# unencrypted requests and relies on forwarded headers to learn the client's
# original scheme.
backend webserver_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    # Pins each client source IP to a server for up to 30 minutes.
    stick-table type ip size 50k expire 30m  
    stick on src
    # ACL: not-ssl
    # ssl_fc is evaluated against the client-side (frontend) connection, also
    # when used inside a backend. It is TRUE when that connection uses TLS.
    acl acl_64555c9187cd43.18700342 ssl_fc

    # ACTION: redirect_ssl
    # Redirects to the https scheme when the client connection is not TLS,
    # keeping host and path.
    http-request redirect scheme https code 301 if !acl_64555c9187cd43.18700342
    http-reuse safe
    server webserver_host 192.168.50.3:80 

# Backend: acme_challenge_backend (Added by ACME Client plugin)
# Forwards ACME HTTP challenge requests to a local listener on 127.0.0.1:43580.
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

    # NOTE(review): the lines below look like the tail of a different backend
    # (the server is named postfixadmin_host) whose header was lost when the
    # config was pasted — confirm against the real file. As shown, the ACL they
    # reference is not declared in this section, "http-reuse safe" is repeated,
    # and a second server is added to the ACME backend.
    # ACTION: redirect_ssl
    http-request redirect scheme https code 301 if !acl_64555c9187cd43.18700342
    http-reuse safe
    server postfixadmin_host 192.168.50.4:80 

# statistics are DISABLED

你们知道我可以尝试什么吗?谢谢!

已尝试:按照这里提到的方法添加 X-Forwarded-Proto(《服务器和客户端上指示的 HTTPS 不匹配》)。

apache phpmyadmin haproxy