Craft redirects to load balancer on /admin panel. CSRF issue? #4495

Closed
Kotauror opened this issue Jul 7, 2019 · 3 comments

@Kotauror
commented Jul 7, 2019

Description

Recently I've added CloudFront for my Craft app and now I'm experiencing an unwanted redirect.

DNS points to my CF; CF has an Elastic Load Balancer as its origin. The ELB fronts the EC2 instances on which my Craft application runs. The ELB has a CNAME on my main domain, for certificate reasons, so the origin on CF is not ELB.aws.awsgenericnumber.com but elb-cname.mydomain.com.

When I open most of my pages on the website, they work fine and are cached via CloudFront.
When I open either the /admin panel or any subpage that has a form (which makes me think it's a CSRF issue), I get redirected to the ELB domain.

I was able to prevent the redirection on the admin panel by setting the baseCpUrl to be of my domain, not ELB, but after this change I can't log in anymore (I used to be able to do it after the domain "switched" to ELB). I can't find a way to prevent the "switch" on the entries that have forms.

Do you have an idea what I can do to stay on the same domain and not get redirected to ELB?

Additional info

PHP version 7.1.27
Craft version Craft Pro 3.1.30
Yii version 2.0.19
Twig version 2.11.2

My general.php

<?php
/**
 * General Configuration
 *
 * All of your system's general configuration settings go in here. You can see a
 * list of the available settings in vendor/craftcms/cms/src/config/GeneralConfig.php.
 *
 * @see \craft\config\GeneralConfig
 */

return [
    // Global settings
    '*' => [
        // Default Week Start Day (0 = Sunday, 1 = Monday...)
        'defaultWeekStartDay' => 1,

        // Whether generated URLs should omit "index.php"
        'omitScriptNameInUrls' => true,

        // Control Panel trigger word
        'cpTrigger' => 'admin',

        // The secure key Craft will use for hashing and encrypting data
        'securityKey' => getenv('SECURITY_KEY'),

        // Whether to save the project config out to config/project.yaml
        // (see https://docs.craftcms.com/v3/project-config.html)
        'useProjectConfigFile' => false,

        'baseCpUrl' => getenv('BASE_CP_URL'),

        // Configuration from previous installation of Craft 2.7.8
        'overridePhpSessionLocation' => true,
        'requireMatchingUserAgentForSession' => false,
        'extraAllowedFileExtensions' => 'woff, woff2',
        'devMode' => false,
        'useCompressedJs' => true,
        'cacheDuration' => false,
        'cacheMethod' => 'file',
        'enableCsrfProtection' => true,
        'backupDbOnUpdate' => false,
        'staticRedirectDisplayLimit' => 1000,
        'maxUploadFileSize' => 1000000000, // 1GB
    ],

    // Dev environment settings
    'dev' => [
        // Dev Mode (see https://craftcms.com/guides/what-dev-mode-does)
        'devMode' => true,
    ],

    // Staging environment settings
    'staging' => [
        // Set this to `false` to prevent administrative changes from being made on staging
        'allowAdminChanges' => true,
    ],

    // Production environment settings
    'production' => [
        // Set this to `false` to prevent administrative changes from being made on production
        'allowAdminChanges' => true,
    ],
];
@angrybrad

Member

commented Jul 8, 2019

SOP for this type of setup is to exclude all Control Panel requests from CF (or any other CDN). Any reason why you want it included?

@mattandrews


commented Jul 9, 2019

Are you whitelisting the headers/cookies etc that Craft sets within CloudFront? If it's caching those things then you're likely to get caught out like this.

@Kotauror

Author

commented Jul 15, 2019

Hello all!

Thank you @mattandrews, this is what I needed to do. I was whitelisting only Host, but needed to whitelist Origin and Referer as well.

Cheers!
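As an added example (not code from this issue, from Craft or from AWS), here is a small audit of a CloudFront distribution config for the forwarding the thread settled on: Host, Origin and Referer plus cookies must reach the origin, and the control panel path should not be cached at all. It assumes the legacy `ForwardedValues` shape that `aws cloudfront get-distribution-config` returned in 2019, and the sample config is constructed.

```python
# Added example (not from the issue, Craft or AWS): audit a CloudFront config for the
# forwarding this thread settled on. Assumes the legacy "ForwardedValues" shape that
# `aws cloudfront get-distribution-config` returned in 2019; the data is constructed.
import copy

REQUIRED_HEADERS = {"Host", "Origin", "Referer"}  # what the reporter had to whitelist

def behaviour(path_pattern, headers, cookies="none", max_ttl=31536000):
    """One cache behaviour in the legacy ForwardedValues shape."""
    return {
        "PathPattern": path_pattern,
        "TargetOriginId": "elb-cname.mydomain.com",
        "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": cookies},
                            "Headers": {"Quantity": len(headers), "Items": list(headers)}},
        "MinTTL": 0, "DefaultTTL": min(86400, max_ttl), "MaxTTL": max_ttl,
    }

# Constructed: the reporter's starting point, forwarding only Host everywhere.
_default = behaviour("*", ["Host"])
del _default["PathPattern"]  # the default behaviour carries no pattern
BROKEN_CONFIG = {"DefaultCacheBehavior": _default,
                 "CacheBehaviors": {"Quantity": 1, "Items": [behaviour("/admin*", ["Host"])]}}

def audit(config):
    """Per path pattern, what would let CloudFront drop or cache the state Craft relies on."""
    findings = {}
    for b in config["CacheBehaviors"]["Items"] + [config["DefaultCacheBehavior"]]:
        fv, pattern, problems = b["ForwardedValues"], b.get("PathPattern", "*"), []
        missing = REQUIRED_HEADERS - set(fv["Headers"]["Items"])
        if missing:
            problems.append("headers not forwarded: " + ", ".join(sorted(missing)))
        if fv["Cookies"]["Forward"] == "none":
            problems.append("cookies not forwarded")
        if pattern.startswith("/admin") and b["MaxTTL"] > 0:
            problems.append("control panel responses are cacheable")
        if problems:
            findings[pattern] = problems
    return findings

def fixed(config):
    """Copy that forwards the headers and all cookies and leaves the CP uncached."""
    cfg = copy.deepcopy(config)
    for b in cfg["CacheBehaviors"]["Items"] + [cfg["DefaultCacheBehavior"]]:
        fv = b["ForwardedValues"]
        items = sorted(set(fv["Headers"]["Items"]) | REQUIRED_HEADERS)
        fv["Headers"] = {"Quantity": len(items), "Items": items}
        fv["Cookies"]["Forward"] = "all"
        if b.get("PathPattern", "*").startswith("/admin"):
            b["MinTTL"] = b["DefaultTTL"] = b["MaxTTL"] = 0
    return cfg
```

Running `audit(BROKEN_CONFIG)` reports the missing Origin and Referer headers and dropped cookies on both behaviours, plus the cacheable control panel; `audit(fixed(BROKEN_CONFIG))` comes back empty.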

@angrybrad angrybrad closed this Jul 15, 2019
