env() in lib/Cake/basics.php also checks the $_SERVER SCRIPT_URI (in addition to the $_SERVER HTTPS you are working off)
I put this in nginx conf to provide cake with a way to know about the scheme of the connection as it hits the nginx server: fastcgi_param SCRIPT_URI $scheme://$host$request_uri; maybe something like this would help mitigate the security issues you mention with forwarding a secure-looking header to a non-secure connection? it's just using a standard header and reporting the scheme as it is received. I haven't tested it on an nginx load balancer however - nginx is serving the site directly. I guess it would depend on how the SCRIPT_URI is passed from the LB to the Apache app servers. Curious to know what you find out. On Sunday, January 13, 2013 10:08:31 AM UTC-5, Aaron Pollock wrote: > > CakePHP (all versions that I've seen) check against $_SERVER['HTTPS'] to > see whether a request has been made over HTTPS instead of plain HTTP. > > I'm using nginx as a load balancer, behind which are the Apache > application servers. Since the SSL connection terminates at the load > balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned. > > I'd like to find a secure way to detect HTTPS on the app servers. > > So far, I've put this into my CakePHP configuration: > https://gist.github.com/63b3746c384415110efe > > And then in the nginx configuration, I've used *proxy_set_header > X-Forwarded-Proto https;* to add the flag to any requests between the > load balancer and the back-end application servers. > > This works perfectly fine, but anyone making a direct request to the app > servers could fool them into thinking they are browsing over SSL when > they're not. I'm not sure whether this is a security risk (probably), but > it doesn't seem like a good idea. > > The X-Forwarded-Proto HTTP request header seems like something of a > standard solution to this problem, so I was going to submit a pull request > with this included in the bootstrap.php or at various locations further up > the stack where SSL is detected, but since this strikes at the core of the > framework (URL routing etc.), I thought I'd open a conversation instead to > see if it's been discussed already (I haven't found anything) and what > might be done to keep it secure. > > One suggestion I've had is to use an array of whitelisted IPs from which > the X-Forwarded-Proto header will be accepted (this would list the load > balancer IPs). If that list is empty, CakePHP uses only the > $_SERVER['HTTPS"] as it does now. If the list is populated, and a request > comes from one of the IPs listed, then Cake will consider the > X-Forwarded-Proto header too to determine whether URLs should be http or > https. > > Thoughts? :) > -- Like Us on FaceBook https://www.facebook.com/CakePHP Find us on Twitter http://twitter.com/CakePHP --- You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. Visit this group at http://groups.google.com/group/cake-php?hl=en.
