CakePHP (all versions that I've seen) checks against $_SERVER['HTTPS'] to see whether a request has been made over HTTPS instead of plain HTTP.

I'm using nginx as a load balancer, behind which are the Apache application servers. Since the SSL connection terminates at the load balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned. I'd like to find a secure way to detect HTTPS on the app servers.

So far, I've put this into my CakePHP configuration: https://gist.github.com/63b3746c384415110efe

And then in the nginx configuration, I've used *proxy_set_header X-Forwarded-Proto https;* to add the flag to any requests between the load balancer and the back-end application servers.

This works perfectly fine, but anyone making a direct request to the app servers could fool them into thinking they are browsing over SSL when they're not. I'm not sure whether this is a security risk (probably), but it doesn't seem like a good idea.

The X-Forwarded-Proto HTTP request header seems like something of a standard solution to this problem, so I was going to submit a pull request with this included in the bootstrap.php, or at various locations further up the stack where SSL is detected. But since this strikes at the core of the framework (URL routing etc.), I thought I'd open a conversation instead to see if it's been discussed already (I haven't found anything) and what might be done to keep it secure.

One suggestion I've had is to use an array of whitelisted IPs from which the X-Forwarded-Proto header will be accepted (this would list the load balancer IPs). If that list is empty, CakePHP uses only $_SERVER['HTTPS'] as it does now. If the list is populated, and a request comes from one of the IPs listed, then Cake will consider the X-Forwarded-Proto header too to determine whether URLs should be http or https.

Thoughts? :)
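The whitelist idea from the post, worked through as an added example. This is not code from the post's Gist or from CakePHP itself; it is a stand-alone PHP sketch of the check the poster proposes. It assumes the load balancer overwrites the header on every hop (nginx's proxy_set_header does replace any client-supplied value) and that the balancer sets it from the real scheme, i.e. `proxy_set_header X-Forwarded-Proto $scheme;` rather than a hard-coded `https`, so that plain-HTTP traffic through the balancer is not reported as HTTPS. The function names, the CIDR helper and the sample request environments are all invented for illustration.

```php
<?php
// Added example (not CakePHP's own code): decide whether the client's request
// used HTTPS when TLS terminates at a load balancer in front of the app server.

/**
 * Return true if $ip (IPv4) falls inside $cidr, given either as a bare address
 * ("10.0.0.5") or as a prefix ("10.0.0.0/24"). Load balancers often live in a
 * dedicated subnet, so the whitelist accepts ranges as well as single hosts.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Build a 32-bit network mask; /0 matches everything.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether the original request was made over HTTPS.
 *
 * @param array    $server         Request environment ($_SERVER or a copy of it).
 * @param string[] $trustedProxies IPs/CIDRs of load balancers whose
 *                                 X-Forwarded-Proto header may be believed.
 *                                 An empty list means: trust nobody, behave as
 *                                 CakePHP does today ($_SERVER['HTTPS'] only).
 */
function requestIsHttps(array $server, array $trustedProxies = []): bool
{
    // TLS terminated on this very server: the existing check still applies.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }

    // Only the immediate TCP peer is authenticated by the network; if it is
    // not a whitelisted balancer, the forwarded header is client-controlled
    // and must be ignored. This is what stops a direct request to the app
    // server from spoofing "X-Forwarded-Proto: https".
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $proxy) {
        if (ipInCidr($remote, $proxy)) {
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return $proto === 'https';
        }
    }
    return false;
}

// Constructed sample environments, not captured traffic.
$balancers = ['10.0.0.0/24'];

$viaBalancer = ['REMOTE_ADDR' => '10.0.0.7',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed     = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$directTls   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'];

// Header from a whitelisted balancer is honoured.
var_dump(requestIsHttps($viaBalancer, $balancers));
// Same header from an untrusted address is ignored.
var_dump(requestIsHttps($spoofed, $balancers));
// Empty whitelist: forwarded header never consulted, only $_SERVER['HTTPS'].
var_dump(requestIsHttps($viaBalancer, []));
var_dump(requestIsHttps($directTls, []));
```

The trust decision rests on REMOTE_ADDR, which on the app server is the address of whoever opened the TCP connection and cannot be set by an HTTP header. If the app servers are reachable directly from outside, the whitelist is the only thing standing between an attacker and a spoofed scheme, so it should be as narrow as the balancer deployment allows, and firewalling the app servers so that only the balancers can reach them is the complementary control.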
