CloudFlare Flexible SSL Support #592

Closed
TheoBearman opened this Issue Apr 19, 2015 · 35 comments

5 participants
Contributor

TheoBearman commented Apr 19, 2015

Good morning,

I have CloudFlare flexible SSL activated on my domain that is running my Cachet install. As you can see, the flexible SSL appears to be running on the status page, but the links to the login page, for example from the footer, are redirecting to the HTTP version.

I have tried uncommenting 'proxies' => '*', in the trusted proxy.php file to no effect.

Thanks in advance for any suggestions,

Theo.

Member

jbrooksuk commented Apr 19, 2015

You're on the L5 branch, right? Could you try pulling the latest version and see if it helps?

@jbrooksuk jbrooksuk added the Bug label Apr 19, 2015

0147500 commented Apr 19, 2015

I had this problem before. It's because with flexible SSL, Laravel doesn't see the connection is https, because the connection to the server is just http.

Member

GrahamCampbell commented Apr 19, 2015

> I had this problem before. It's because with flexible SSL, Laravel doesn't see the connection is https, because the connection to the server is just http.

That's what setting the trusted proxies correctly fixes.

0147500 commented Apr 19, 2015

Aa okay :)

Member

jbrooksuk commented Apr 19, 2015

> That's what setting the trusted proxies correctly fixes.

Should do... We've always had issues :) The L5 branch now registers the service provider for TrustedProxies, so it should actually work.

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk I've replaced the trustedproxy.php with this one and I am still getting the same problem. Is there another file I need to update? I don't want to pull the whole branch as I assume it will overwrite my current install.

Member

jbrooksuk commented Apr 19, 2015

@TheoBearman you will need to update to the latest commit on the L5 branch please.

Member

jbrooksuk commented Apr 19, 2015

What else have you changed then?

Member

jbrooksuk commented Apr 19, 2015

You could stash the changes, pull down and pop them on again.

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk If I update to the latest commit, will it overwrite my install?

Member

jbrooksuk commented Apr 19, 2015

Stash your changes first.

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk Decided to do a fresh install and now I have this issue...

dafv

Member

jbrooksuk commented Apr 19, 2015

Ah you're on Windows, so chmod is useless for you.

Contributor

TheoBearman commented Apr 19, 2015

Yeah... workaround?

Member

GrahamCampbell commented Apr 19, 2015

run composer with --no-scripts

Member

jbrooksuk commented Apr 19, 2015

There you go ;)

Member

GrahamCampbell commented Apr 19, 2015

or just delete the chmod step from the composer.json

Contributor

TheoBearman commented Apr 19, 2015

@GrahamCampbell What, so composer install --no-dev -o --no scripts?

Member

jbrooksuk commented Apr 19, 2015

composer install --no-dev -o --no-scripts.

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk Ok, well after all that. The HTTPS issue still hasn't resolved! See here.

Member

jbrooksuk commented Apr 19, 2015

Ah. It's the really annoying url helpers. Pull down latest changes, the links are fixed.

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk Pulled down the changes. Still nothing.

Member

jbrooksuk commented Apr 19, 2015

It won't auto-detect for some reason, this has been the case for a long time :/ you'll need to go back to the status page and click the link, or just visit it directly. https://status.theobearman.com/auth/login

Contributor

TheoBearman commented Apr 19, 2015

@jbrooksuk Ok. Hopefully you guys will find a fix. Thanks anyway!

Member

jbrooksuk commented Apr 19, 2015

Yeah, me too. It's a right pain.

Contributor

lenovouser commented Apr 19, 2015

@TheoBearman @jbrooksuk @GrahamCampbell you could just create your own certificate and enable "Full SSL", which then also sends an HTTPS request to your server, which also has to listen for SSL. So you'd have to disable port 80 and enable port 433 with this here in the server block:

```nginx
###
# LISTENERS
###

listen 443 ssl spdy;
listen [::]:443 ssl spdy;

###
# SSL
###

ssl_certificate /etc/nginx/ssl/your.crt;
ssl_certificate_key /etc/nginx/ssl/your.key;
```

and this in your nginx.conf:

```nginx
###
# CLOUDFLARE IP
###

set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
real_ip_header CF-Connecting-IP;

###
# SECURE SSL PROTOCOLS
###

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

###
# FORWARD SECRECY
###

ssl_session_cache         shared:SSL:10m;
ssl_session_timeout       10m;
ssl_prefer_server_ciphers on;
ssl_ciphers               'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
ssl_buffer_size           1400;
```

Contributor

TheoBearman commented Apr 19, 2015

@ApfelUser I'm on windows server. XAMPP not NGINX.

Contributor

lenovouser commented Apr 19, 2015

Well, I don't know how XAMPP works, but you probably can enable SSL on XAMPP too. And there is also an NGINX version for Windows.

Member

GrahamCampbell commented Apr 19, 2015

Quite honestly, this issue is totally unrelated to cachet.

Contributor

TheoBearman commented May 11, 2015

Just in case anyone else is having this problem, I finally found a fix.

```apache
# Copy and paste into an .htaccess file (within your Cachet install directory) or include in your apache conf files

RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"' [OR]
RewriteCond %{HTTP_HOST} !^example.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# And remember to always use https for future requests
Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
```

Member

GrahamCampbell commented May 11, 2015

> Just in case anyone else is having this problem, I finally found a fix.

This is not a proper fix. The correct fix is to set the trusted proxies.

Contributor

TheoBearman commented May 11, 2015

@GrahamCampbell How is this not 'proper' ?

Member

GrahamCampbell commented May 11, 2015

Anyone can send a pretend CF-Visitor header in their requests. For this case, the security implications are minimal, but for other things, they could be more major, so hacks like this should not be encouraged.
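
The distinction drawn in the comment above, as an added example that is not part of the thread and is not Cachet or TrustedProxy code: the `CF-Visitor` header is read only when the directly connected peer address falls inside a configured proxy range. The function names, the header array shape, the two sample ranges (copied from the nginx list earlier in this thread, so possibly outdated) and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Cachet/TrustedProxy APIs.

/** True when $ip lies inside $cidr (IPv4 or IPv6). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed address families
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false; // prefix length out of range for this family
    }
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false; // whole-byte part of the prefix differs
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // remaining high bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Scheme the visitor used; the forwarded header counts only from trusted peers. */
function visitorScheme(string $remoteAddr, array $headers, array $trusted): string
{
    foreach ($trusted as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            $visitor = json_decode($headers['CF-Visitor'] ?? '', true);
            $scheme  = is_array($visitor) ? ($visitor['scheme'] ?? '') : '';
            return $scheme === 'https' ? 'https' : 'http';
        }
    }
    return 'http'; // untrusted peer: header ignored, the origin link is plain HTTP
}

// Constructed sample data: two ranges from the nginx list in this thread.
$trusted = ['173.245.48.0/20', '103.21.244.0/22'];
$headers = ['CF-Visitor' => '{"scheme":"https"}']; // same header in both requests

echo visitorScheme('173.245.50.9', $headers, $trusted), "\n"; // peer is a listed proxy
echo visitorScheme('198.51.100.7', $headers, $trusted), "\n"; // direct client claiming https
```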

Contributor

TheoBearman commented May 11, 2015

@GrahamCampbell Well, seeing as the TrustedProxies fix did not work for me, this is the only working fix for me as it stands.

@GrahamCampbell GrahamCampbell added this to the V1.0.0 milestone Jul 25, 2015