Check X-Forwarded-Proto header in Environment::ssl #8691
Conversation
How can we trust this header? As far as I understand, it could be easily set from any browser? |
Do we need to trust the header? A bit of background: EDIT: Thank you for the quick reply, really appreciate it. |
The intention is correct but the bugfix is not. You have to make sure that this header is only accepted when the ip is trusted. So you need to check for |
Maybe the correct solution for you would be to set the SSL proxy config? |
Added a check for Edit: I created two if statements because |
That looks way better. Does that work for you? |
Yes, just tried it and it works 👍 |
Well done then. Thx for the PR. BTW, thanks to Symfony this would've worked out of the box in Contao 4. But imho this is a bugfix so approving to merge this into 3.5. |
Great 🎉 |
If How about this one?
if (
    isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && in_array($_SERVER['REMOTE_ADDR'], trimsplit(',', \Config::get('proxyServerIps')))
) {
    return $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
}
return ($_SERVER['SSL_SESSION_ID'] || $_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1); |
@ausi You are right, yet however this is a rather exotic use case to communicate via HTTP with a proxy that talks HTTPS internally. |
How does "having a proxy" tell us the header can be trusted? That would only be the case if such a header was removed by a proxy - which I doubt is the case.
There are only two suitable solutions to me:
1. we can agree that faking the protocol is no security risk, then the first implementation was enough.
2. only a manual override for the rare case is possible, e.g. by setting $_SERVER variable in initconfig.php
|
You are the one configuring the proxy which is why you trust it. |
I trust the proxy, but I don't know if I can trust the header.
|
@aschempp you can trust Btw. this ticket is related to #7542 where @leofeyer also provided a custom configuration for the |
No, because these are set by the webserver (Apache/Nginx) and not just forwarded from the browser. |
Symfony uses the |
Yes. @ausi's variant. |
I assume that I need to use |
Yes, we should map every method to the current request in contao 4 if possible. @discordier wanted to create a PR for this long ago... |
@Toflar I was asking because of your comment above:
|
Fixed in 40a0541. |
Ah, yeah if we map everything to the request, we can just use |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
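The outcome of the thread, as an added example that is not code from the Contao PR or from Symfony: the unconditional header check the first revision used, beside the hardened variant that only honours X-Forwarded-Proto when REMOTE_ADDR is one of the configured proxy addresses. Function names, the array passed in place of Contao's proxyServerIps setting, and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not Contao's or Symfony's code. Configuration is passed in
// as an array instead of being read from \Config so the functions are pure.

/**
 * Naive version: honours X-Forwarded-Proto from any client. Anyone can send
 * this header directly, so the request scheme becomes attacker-controlled.
 */
function isSslNaive(array $server): bool
{
    if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }

    return isSslLocal($server);
}

/**
 * Hardened version: the header is only trusted when the TCP peer is one of
 * the proxies the operator configured (assumed list, stands in for
 * proxyServerIps). Everything else falls back to what the web server
 * itself knows about the connection.
 */
function isSslTrusted(array $server, array $trustedProxies): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    if (isset($server['HTTP_X_FORWARDED_PROTO']) && in_array($remote, $trustedProxies, true)) {
        // A chain of proxies may append values ("https, http"); the first
        // entry is the scheme the original client used.
        $protos = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_PROTO']));

        return strtolower($protos[0]) === 'https';
    }

    return isSslLocal($server);
}

/**
 * What Apache/Nginx set when TLS is terminated on this server. These values
 * come from the web server, not from the client, so they need no IP check.
 */
function isSslLocal(array $server): bool
{
    if (!empty($server['SSL_SESSION_ID'])) {
        return true;
    }

    $https = $server['HTTPS'] ?? '';

    return $https === 'on' || (string) $https === '1';
}

// Constructed sample requests (not captured traffic).
$trustedProxies = ['10.0.0.5'];

$fromProxy = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct    = ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'];
$plain     = ['REMOTE_ADDR' => '203.0.113.9'];

foreach (['fromProxy' => $fromProxy, 'spoofed' => $spoofed, 'direct' => $direct, 'plain' => $plain] as $name => $request) {
    printf(
        "%-10s naive=%s trusted=%s\n",
        $name,
        var_export(isSslNaive($request), true),
        var_export(isSslTrusted($request, $trustedProxies), true)
    );
}
```

Run with `php example.php`. The `spoofed` request is the case the thread is about: the naive check reports it as HTTPS because the client set the header itself, while the hardened check ignores the header (the peer is not in the proxy list) and reports plain HTTP. Requests that really arrive through the listed proxy, or that hit the web server over TLS directly, are reported as HTTPS by both. The proxy list check uses exact string comparison with `in_array(..., true)`, which is what the PR's `trimsplit` variant does as well; CIDR ranges would need a separate matcher.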