-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request HTTPS Detection #1861
Comments
IMO current behaviour is correct. Slim instance itself is accessed via $app->add(function($request, $response, $next) {
$scheme = $request->getHeader("X-Url-Scheme")[0];
$uri = $request->getUri()->withScheme($scheme);
$request = $request->withUri($uri);
return $next($request, $response);
}); However one should note that user settable headers are not really trustworthy. |
I don't quite understand what you mean by the Slim instance being accessed by The host is determined by two different environment keys in the next logic block, so I would propose a similar chained approach to determining the scheme. Adding more middleware is a bit overkill in my instance TBH (just used to make an HMAC hash, so I hacked a |
Browser makes request to Cloudflare proxy over https://www.cloudflare.com/ssl/ If you are using their Full SSL or Full SSL strict the traffic between Cloudflare proxy and your webserver will be over |
This is exactly the kind of thing that Middleware is for. One such middleware is rka-scheme-and-host-detection-middleware. |
@tuupola Thanks for the explanation. Excuse my ignorance with how the SSL proxy part works, my hosting is off of someone else's sub-domain, so I've never actually managed CF myself. @akrabat I agree it would be too much work for the core now that I have re-evaluated with the comments here. Thanks for the link, surprised I never came across that middleware while looking into this, very useful! I might just pull that into the project to make things nicer than my aforementioned |
I just ran into the same issue, hosting behind an ELB on Amazon. The problem with the middleware solution I see is that middleware runs much later so that until this point the application still generates http urls. IMHO it should be possible to add trusted headers directly to the environment, because this is not an edge case but a very common use case. PS: Just tried it with Middleware, but the problem remains that Slim\Http\Uri generates http urls, also when PSPS: I ended up writing a service provider (because I use php league container) and create the environment like this: $this->container->share('environment', function () {
$server = $_SERVER;
// fix the secure environment detection if behind an AWS ELB
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$server['HTTPS'] = 'on';
$server['SERVER_PROTOCOL'] = 'HTTP/2.0';
$server['REQUEST_SCHEME'] = 'https';
}
return new Environment($server);
}); Now for my application this is sufficient, because it is not accessible publicly and only though the aws elb, so I know those headers are 100% from the elb. Now the request object builds using the environment data and all urls taken from the request also have https even though slim runs "officially" under http on the instance. |
Same issue for me - I'm running php-fpm behind nginx, which is a fairly common setup these days, I'd say.
|
This caused a bit of headache for me when using HMAC authentication on the request URI. The Request object does not return the proper protocol on proxied SSL services such as CloudFlare, where the regular
$_SERVER['HTTPS']
is not present.On a CloudFlare host (and probably other proxy hosts) accessed via https,
$uri
is an incorrect scheme ("http://example.com"). It would be expected for$uri
to be "https://example.com".I have tracked this down to the following line at
\Slim\Http\Uri::createFromEnvironment()
.I believe a fallback should be implemented to account for proxied services that actually deliver this information in
$_SERVER['HTTP_X_FORWARDED_PROTO']
("https" or "http").I can certainly create a PR for this, but wasn't sure if since this is relating to a PSR7 compliant object, if the rabbit hole goes deeper than just this project.
*Edit
Did a bit of digging on StackOverflow, and it seems some Microsoft products may use
Front-End-Https: on
, and some reverse proxies may beX-Url-Scheme: https
.The text was updated successfully, but these errors were encountered: