Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to open the https of the whole station with the help of CDN and how to solve the problem. the article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Ever since Baidu recommended https, it has always wanted bloggers to keep up with this pace. Unfortunately, all the free CDN in China do not support https. Therefore, in order to open https, it is necessary to expose the real ip of the website. According to the rhythm of the blog being attacked, it is estimated that there will be no Ansheng days as soon as it is exposed!

On an occasional whim, Baidu launched a CDN that supports https and opened a QSecreta of Tencent Cloud:

1.3 does CDN support https?

Https is currently in the invitation testing stage. Applications are not available yet. Please understand. We are improving this feature, once the product is mature, we will announce it as soon as possible, please look forward to it.

1. Http origin-pull

Tencent Cloud CDN defaults to http origin-pull, so there is a problem: since we want to https the entire site and do not want to have http, it is necessary to transfer the http request 301 to https. At this time, Tencent Cloud requests the origin server through http, and the request is 301! This is also the reason why the blog comes to 502 from time to time the other day. Most of the requests for support for 301 are not perfect.

At the beginning, I was unable to set the origin-pull mode on my own, but fortunately, I released a new version soon after I used it, which supports origin-pull selection. Properly selected https back-to-origin. Then I didn't force https for static files, so I chose http back-to-origin for static files to slightly optimize the load.

II. Official account of Wechat

After setting up as above, I found a new problem. Wechat fans gave me feedback, and the official account can't reply automatically!

Check, the original is because the official account only supports http mode token request, so the official account of Wechat http request is also the result of 301, resulting in automatic reply failure!

It seems that it will not work to jump all to https. After testing for a long time, it is finally done with the following nginx rules:

Server {listen 80; server_name zhangge.net; root/ home/wwwroot/zhangge.net; location / {# if it is a post request, it will be handed over to index.php, thus supporting the Wechat official account to automatically reply to if ($request_method = POST) {rewrite ^ / (. *) $/ index.php?$1 last; break } # if it is a Get request, then 301 to the https site if ($request_method = GET) {rewrite (. *) https://zhangge.net$1 permanent;} # any other request, all 301 to the https site, this is the complement rewrite (. *) https://zhangge.net$1 permanent } # php dynamic request to php-cgi location ~ [^ /]\ .php (/ | $) {try_files $uri = 404; fastcgi_pass unix:/dev/shm/php-cgi.sock; fastcgi_index index.php; include fastcgi.conf;}} III. Http is cached

Although CDN's cache support for 301 is not good, it does not mean that 301 cannot be cached! Therefore, Tencent Cloud CDN occasionally caches the http results of the website, resulting in the invalidation of the forced jump https! The result is that even if you visit the http page, it will not jump automatically.

At present, Tencent Cloud does not support setting a forced https jump directly on the node, so there is no way to add the following js code to the header of the web page to solve this problem:

If _ (document.location.protocol! = "https:") {location.href = location.href.replace (/ ^ http:/, "https:");} four. All kinds of jumps

After https, I found that the outer chain of the previous article automatically jumped out of the problem, and the inner chain in the article was also regarded as the outer chain! And my own link in the comments became a jump.

After taking a look, it turns out that the previous function is not compatible with https, so I changed it and got it.

/ / outside the article chain jump support httpsadd_filter ('the_content','link_jump',999); function link_jump ($content) {preg_match_all (' / /', $content,$matches) If ($matches) {foreach ($matches [2] as $val) {if (strpos ($val,'://')! = = false & & strpos ($val,COOKIE_DOMAIN) = false & &! preg_match ('/\. (jpg | jepg | png | ico | bmp | tiff) / iFei Magi Val) & &! preg_match ('/ (ed2k | thunder | Flashget | flashget | qqdl | qqbrowser):\ /\ / / iPremium Art Val)) {$content=str_replace ("href=\" $val\ ") "href=\" https://zhangge.net/go/?url=$val\", $content) } return $content;} / / commentator Link Jump support httpsfunction commentauthor_diy ($comment_ID = 0) {$url = get_comment_author_url ($comment_ID); $author = get_comment_author ($comment_ID); if (empty ($url) | | 'http://' = = $url) {echo $author } else {if (! preg_match ('/ http (s |):\ /\ / zhangge\ .net / iPrecipient author)) {echo "$author";} else {echo "$author";}} five. External resources

As we all know, if you want a site-wide https, there can be no non-https resources on all pages, otherwise the browser will intercept the content and display an exclamation point!

So a lot of questions come face to face:

1. Baidu sharing does not support https

In the end, I solved this problem with the most difficult method, that is, download all the js in Baidu sharing code and other js/css resources that have been requested by js to the local (which resources will be requested, which I obtained in browser developer mode), and modify the links to local, thus accomplishing most of the functions of Baidu sharing.

For example, sharing to Qzone, Weibo and Wechat shows that the QR code is done, but there is nothing I can do about the "more" choice:

Finally, I upload the modified file to Qiniu CDN, which supports https, so those who need it can modify Baidu's sharing link as follows:

Window._bd_share_config= {"common": {"bdSnsKey": {}, "bdText": "," bdMini ":" 2 "," bdMiniList ": false," bdPic ":"," bdStyle ":" 1 "," bdSize ":" 16 "}," share ": {" bdSize ": 16}} With (document) 0 [(getElementsByTagName ('head') [0] | | body) .appendChild (createElement (' script')) .src = 'https://dn-zgboke.qbox.me/static/bdshare.js?v=89860593.js?cdnversion='+~(-new Date () / 36e5)]

To put it bluntly, just modify the js in the previous Baidu sharing code to the js provided by me:

Https://dn-zgboke.qbox.me/static/bdshare.js

After this solution, the browser https will be green and will not have a yellow exclamation point, but if you click share, you will still request a non-https Baidu to share the api. At this time, there will be a yellow exclamation point. I am afraid there is nothing I can do, but it will not affect the use.

The above is what the editor shares with the help of CDN to open the site-wide https and how to solve the problem. if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.