I use a setup with NGINX forwarding my port 443 traffic to HAPROXY. Have NGINX pass the scheme in the headers like so:
nginx.conf:
    proxy_set_header SCHEME $scheme;

You will then be able to access this parameter in your $_SERVER array.

On Jan 14, 2013, at 9:51 AM, sophistry <[email protected]> wrote:

> env() in lib/Cake/basics.php also checks the $_SERVER SCRIPT_URI (in addition
> to the $_SERVER HTTPS you are working off)
>
> I put this in nginx conf to provide cake with a way to know about the scheme
> of the connection as it hits the nginx server:
> fastcgi_param SCRIPT_URI $scheme://$host$request_uri;
>
> maybe something like this would help mitigate the security issues you mention
> with forwarding a secure-looking header to a non-secure connection? it's just
> using a standard header and reporting the scheme as it is received.
>
> I haven't tested it on an nginx load balancer however - nginx is serving the
> site directly. I guess it would depend on how the SCRIPT_URI is passed from
> the LB to the Apache app servers.
>
> Curious to know what you find out.
>
>
> On Sunday, January 13, 2013 10:08:31 AM UTC-5, Aaron Pollock wrote:
> CakePHP (all versions that I've seen) check against $_SERVER['HTTPS'] to see
> whether a request has been made over HTTPS instead of plain HTTP.
>
> I'm using nginx as a load balancer, behind which are the Apache application
> servers. Since the SSL connection terminates at the load balancer,
> $_SERVER['HTTPS'] is not set as far as CakePHP is concerned.
>
> I'd like to find a secure way to detect HTTPS on the app servers.
>
> So far, I've put this into my CakePHP configuration:
> https://gist.github.com/63b3746c384415110efe
>
> And then in the nginx configuration, I've used proxy_set_header
> X-Forwarded-Proto https; to add the flag to any requests between the load
> balancer and the back-end application servers.
>
> This works perfectly fine, but anyone making a direct request to the app
> servers could fool them into thinking they are browsing over SSL when they're
> not. I'm not sure whether this is a security risk (probably), but it doesn't
> seem like a good idea.
>
> The X-Forwarded-Proto HTTP request header seems like something of a standard
> solution to this problem, so I was going to submit a pull request with this
> included in the bootstrap.php or at various locations further up the stack
> where SSL is detected, but since this strikes at the core of the framework
> (URL routing etc.), I thought I'd open a conversation instead to see if it's
> been discussed already (I haven't found anything) and what might be done to
> keep it secure.
>
> One suggestion I've had is to use an array of whitelisted IPs from which the
> X-Forwarded-Proto header will be accepted (this would list the load balancer
> IPs). If that list is empty, CakePHP uses only the $_SERVER['HTTPS'] as it
> does now. If the list is populated, and a request comes from one of the IPs
> listed, then Cake will consider the X-Forwarded-Proto header too to determine
> whether URLs should be http or https.
>
> Thoughts? :)
>
> --
> Like Us on FaceBook https://www.facebook.com/CakePHP
> Find us on Twitter http://twitter.com/CakePHP
>
> ---
> You received this message because you are subscribed to the Google Groups
> "CakePHP" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> Visit this group at http://groups.google.com/group/cake-php?hl=en.
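A worked version of the whitelisted-proxy idea discussed in this thread, written here as an added example; it is not CakePHP's own code and not code posted by anyone in the thread. The function name isSecureRequest() and the $trustedProxies list are hypothetical, the sample IP addresses are constructed, and the load balancer is assumed to set X-Forwarded-Proto from its own $scheme (the nginx side would be "proxy_set_header X-Forwarded-Proto $scheme;") rather than a hard-coded value:

```php
<?php
// Added example, not CakePHP code: decide whether a request arrived over
// HTTPS when TLS terminates at a load balancer in front of the app servers.
//
// $server         a copy of $_SERVER for the current request
// $trustedProxies list of load-balancer IPs (hypothetical setting name;
//                 exact-match only, CIDR ranges are not handled here)
function isSecureRequest(array $server, array $trustedProxies): bool
{
    // 1. The app server itself terminated TLS: this value is set by the web
    //    server, not by the client, so it can always be trusted.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // 2. No trusted proxies configured: behave like stock CakePHP and
    //    ignore forwarded headers entirely.
    if ($trustedProxies === []) {
        return false;
    }

    // 3. Honour X-Forwarded-Proto only when the TCP peer is a listed proxy.
    //    REMOTE_ADDR comes from the socket, so a client that reaches the app
    //    server directly cannot forge it the way it can forge a header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // PHP exposes the header as HTTP_X_FORWARDED_PROTO. A chain of proxies
    // may append values as a comma-separated list; the first entry describes
    // the hop nearest the client.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $proto)[0]));
    return $first === 'https';
}

// Constructed sample requests for demonstration.
$trusted = ['10.0.0.5'];  // hypothetical load-balancer address

// Request relayed by the load balancer, which saw HTTPS from the client.
$viaLb  = ['REMOTE_ADDR' => '10.0.0.5',
           'HTTP_X_FORWARDED_PROTO' => 'https'];
// Direct request to the app server carrying a forged header.
$direct = ['REMOTE_ADDR' => '203.0.113.9',
           'HTTP_X_FORWARDED_PROTO' => 'https'];
// Request where the app server terminated TLS itself.
$local  = ['REMOTE_ADDR' => '127.0.0.1', 'HTTPS' => 'on'];

var_dump(isSecureRequest($viaLb, $trusted));
var_dump(isSecureRequest($direct, $trusted));
var_dump(isSecureRequest($local, []));
var_dump(isSecureRequest($direct, []));
```

The check rests on REMOTE_ADDR rather than on any header because the web server fills REMOTE_ADDR from the accepted TCP connection; the forged-header case in the thread only works because a header is client-controlled. If the app servers sit behind more than one proxy hop, REMOTE_ADDR identifies only the nearest one, so each hop in the chain has to be in the list and has to pass the header through unchanged. Restricting which addresses may reach the app servers at all (firewall or security group) is a complementary control, not a replacement for the check.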
