Thanks. I'd previously used proxy_set_header and it worked fine. I was
mainly concerned about the security of using a header at all (hence the
advice received to accept requests only from the LBs) and I'd also love not
to have to put this into every app when X-Forwarded-Proto seems like
something of a standard solution to this problem (i.e. time for a CakePHP
feature request). Unless and until then, the solution is:
- Use X-Forwarded-Proto from the nginx load balancers when making requests
to the app servers
- Restricting app server access to the IPs of the load balancers only
- Using a Request Detector to make the Request->is('ssl') work properly
- And overwriting the Controller->redirect() in the AppController to make
use of the X-Forwarded-Proto when deciding whether a redirect should be
over HTTPS
That all makes it pretty seamless to the rest of the application.
Thanks again,
Aaron
On Monday, January 14, 2013 10:21:58 PM UTC, ibejohn818 wrote:
>
> My assumption is that you wish to terminate SSL requests on your load
> balancer.
>
> In my setup, I use HAPROXY as my LB, and use NGINX to terminate my ssl
> requests.
>
> In your NGINX configuration that is binding port 443. you can have it set
> headers to proxy over to HAPROXY.
> IE:
>
> location / {
>
> proxy_pass http://127.0.0.1:80/;
> proxy_redirect off;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header SCHEME $scheme;
>
> }
>
> Scheme will pass in "https" or "http" ( IE: the request scheme )
>
> Then, in your HAPROXY configuration, you configure your clusters to
> "forwardfor" which will pass all the additional headers.
> IE:
> option forwardfor
>
> Your _SERVER array will now have the "scheme" parameter in it informing
> you of whether your request was terminated if present, and not terminated
> if the "scheme" parameter is missing.
>
>
>
>
>
> On Jan 14, 2013, at 12:51 PM, sophistry <[email protected]>
> wrote:
>
> see this old thread for more info about nginx config:
> https://groups.google.com/d/topic/cake-php/3b5fkhIrHs0/discussion
>
> basically nginx configuration has to be tweaked to give cake something
> similar to what apache provides. cake is looking for the scheme in the
> SCRIPT_URI to determine if the request is over SSL. nginx does not provide
> that by default so you have to construct it by putting the entry in a conf
> file.
>
> also, sounds like you should take the advice from the SO question about
> limiting access to the Apache app servers to only allow the LB's IPs to
> talk to them.
>
> let us know how it goes.
>
> On Monday, January 14, 2013 3:36:08 PM UTC-5, Aaron Pollock wrote:
>>
>> Thanks lbejohn818 and sophistry.
>>
>> You're pushing me outside my nginx knowledge here. Would those methods
>> also be open to spoofing by anyone who can directly send HTTP requests to
>> the server? The fastcgi_param, if that will work with multiple boxes, still
>> needs to get from load balancer to web server somehow in the HTTP request,
>> for example. (My direct nginx experience is limited, so I'm not sure.)
>>
>> I suppose anyone trying to spoof these solutions would need to know that
>> this is the method being used. Maybe a header with some sort of shared
>> secret sent only between the load balancers and the web servers would help
>> too, but it's security by obscurity.
>>
>> A Stack Overflow question
>> <http://stackoverflow.com/questions/14304516/how-can-i-securely-detect-ssl-in-cakephp-behind-an-nginx-reverse-proxy>
>> I started threw up a good answer, involving the IP whitelist I described
>> above and using CakePHP's Request Detector functionality. But, and it's a
>> big but, Cake's redirect() method doesn't use $this->request->is('ssl') to
>> decide whether its HTTP 302 redirects should be to HTTP or HTTPS URLs so it
>> always redirects to HTTP even when the Request Detector is in place. The
>> redirect() method ultimately drops down to the Cake Router, which uses
>> the FULL_BASE_URL constant to determine the protocol. That constant is
>> defined at a very low level, in the bootstrap.
>>
>> My end game is to get a solution which is handled seamlessly by
>> redirect() and it's looking more and more like it needs a core change to
>> achieve this.
>>
>>
>>
>>
>>
>> On Monday, January 14, 2013 7:15:52 PM UTC, ibejohn818 wrote:
>>>
>>> I use a setup with NGINX forwarding my port 443 traffic to HAPROXY.
>>>
>>> Have NGINX pass the scheme in the headers like so:
>>>
>>> nginx.conf
>>> proxy_set_header SCHEME $scheme;
>>>
>>> You will then be able to access this parameter in your $_SERVER array.
>>>
>>>
>>>
>>> On Jan 14, 2013, at 9:51 AM, sophistry <[email protected]> wrote:
>>>
>>> env() in lib/Cake/basics.php also checks the $_SERVER SCRIPT_URI (in
>>> addition to the $_SERVER HTTPS you are working off)
>>>
>>> I put this in nginx conf to provide cake with a way to know about the
>>> scheme of the connection as it hits the nginx server:
>>> fastcgi_param SCRIPT_URI $scheme://$host$request_uri;
>>>
>>> maybe something like this would help mitigate the security issues you
>>> mention with forwarding a secure-looking header to a non-secure connection?
>>> it's just using a standard header and reporting the scheme as it is
>>> received.
>>>
>>> I haven't tested it on an nginx load balancer however - nginx is serving
>>> the site directly. I guess it would depend on how the SCRIPT_URI is passed
>>> from the LB to the Apache app servers.
>>>
>>> Curious to know what you find out.
>>>
>>>
>>> On Sunday, January 13, 2013 10:08:31 AM UTC-5, Aaron Pollock wrote:
>>>>
>>>> CakePHP (all versions that I've seen) check against $_SERVER['HTTPS']
>>>> to see whether a request has been made over HTTPS instead of plain HTTP.
>>>>
>>>> I'm using nginx as a load balancer, behind which are the Apache
>>>> application servers. Since the SSL connection terminates at the load
>>>> balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned.
>>>>
>>>> I'd like to find a secure way to detect HTTPS on the app servers.
>>>>
>>>> So far, I've put this into my CakePHP configuration:
>>>> https://gist.github.com/63b3746c384415110efe
>>>>
>>>> And then in the nginx configuration, I've used *proxy_set_header
>>>> X-Forwarded-Proto https;* to add the flag to any requests between the
>>>> load balancer and the back-end application servers.
>>>>
>>>> This works perfectly fine, but anyone making a direct request to the
>>>> app servers could fool them into thinking they are browsing over SSL when
>>>> they're not. I'm not sure whether this is a security risk (probably), but
>>>> it doesn't seem like a good idea.
>>>>
>>>> The X-Forwarded-Proto HTTP request header seems like something of a
>>>> standard solution to this problem, so I was going to submit a pull request
>>>> with this included in the bootstrap.php or at various locations further up
>>>> the stack where SSL is detected, but since this strikes at the core of the
>>>> framework (URL routing etc.), I thought I'd open a conversation instead to
>>>> see if it's been discussed already (I haven't found anything) and what
>>>> might be done to keep it secure.
>>>>
>>>> One suggestion I've had is to use an array of whitelisted IPs from
>>>> which the X-Forwarded-Proto header will be accepted (this would list the
>>>> load balancer IPs). If that list is empty, CakePHP uses only the
>>>> $_SERVER['HTTPS'] as it does now. If the list is populated, and a request
>>>> comes from one of the IPs listed, then Cake will consider the
>>>> X-Forwarded-Proto header too to determine whether URLs should be http or
>>>> https.
>>>>
>>>> Thoughts? :)
>>>>
>>>
>>> --
>>> Like Us on FaceBook https://www.facebook.com/CakePHP
>>> Find us on Twitter http://twitter.com/CakePHP
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CakePHP" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to
>>> [email protected].
>>> Visit this group at http://groups.google.com/group/cake-php?hl=en.
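The check that the thread converges on (honour X-Forwarded-Proto only when the request really came from one of the load balancers, otherwise fall back to $_SERVER['HTTPS'], and reuse the answer when building redirect URLs), written out as an added PHP example. This is not code from the thread or from CakePHP itself; the 10.0.1.0/24 load-balancer range, the hostnames, and the CakePHP hook-up in the trailing comment are assumptions.

```php
<?php
// Added example: decide whether the client's connection was HTTPS when TLS
// terminates at a load balancer in front of the app servers.
// Assumptions: the app server sees the LB's address in REMOTE_ADDR, the LB
// sets X-Forwarded-Proto with proxy_set_header (which replaces any value a
// client sent), and the trusted range below is a constructed sample value.

/**
 * Return true if $ip (IPv4 dotted quad) lies inside $cidr, given either as
 * "10.0.1.0/24" or as a bare address (treated as /32).
 */
function ipInCidr($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int)$bits;
    // A /0 mask would mean "trust everyone"; reject it along with junk.
    if ($bits < 1 || $bits > 32) {
        return false;
    }
    $mask = -1 << (32 - $bits);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether the original client connection was HTTPS.
 *
 * 1. A TLS connection to this server itself ($_SERVER['HTTPS']) always counts.
 * 2. X-Forwarded-Proto is honoured only when REMOTE_ADDR is inside one of the
 *    trusted load-balancer ranges. From any other address the header is
 *    ignored, so a request that reaches an app server directly cannot claim
 *    to be HTTPS. (Firewalling the app servers to the LB IPs, as the thread
 *    recommends, remains the primary control; this is defence in depth.)
 */
function isSecureRequest(array $server, array $trustedProxies)
{
    $https = isset($server['HTTPS']) ? strtolower((string)$server['HTTPS']) : '';
    if ($https !== '' && $https !== 'off' && $https !== '0') {
        return true;
    }
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $trusted = false;
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            $trusted = true;
            break;
        }
    }
    if (!$trusted || !isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return false;
    }
    // nginx's proxy_set_header replaces the header, so exactly one value is
    // expected; a comma-joined list means something else touched it, and the
    // strict comparison below then yields false rather than guessing.
    return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https';
}

/**
 * Scheme + host to prefix onto redirect targets, so that a Location header
 * issued behind the LB uses https:// when the client arrived over https://.
 */
function fullBaseUrl(array $server, array $trustedProxies)
{
    $scheme = isSecureRequest($server, $trustedProxies) ? 'https' : 'http';
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : 'localhost';
    return $scheme . '://' . $host;
}

// Constructed sample requests; the load balancers live in 10.0.1.0/24.
$trustedProxies = array('10.0.1.0/24');

$fromLb = array(
    'REMOTE_ADDR'            => '10.0.1.5',
    'HTTP_HOST'              => 'app.example.com',
    'HTTP_X_FORWARDED_PROTO' => 'https',
);
$direct = array(
    'REMOTE_ADDR'            => '203.0.113.9',   // reached the app server directly
    'HTTP_HOST'              => 'app.example.com',
    'HTTP_X_FORWARDED_PROTO' => 'https',         // ignored: not a trusted LB
);

var_dump(isSecureRequest($fromLb, $trustedProxies));   // header trusted
var_dump(isSecureRequest($direct, $trustedProxies));   // header ignored
echo fullBaseUrl($fromLb, $trustedProxies), "\n";
echo fullBaseUrl($direct, $trustedProxies), "\n";

// Hooking into CakePHP 2.x is assumed to look like this (the callback form of
// CakeRequest::addDetector(), which is what the thread calls a Request
// Detector); it is left as a comment so the file runs on its own:
// $this->request->addDetector('ssl', array('callback' => function ($request) {
//     return isSecureRequest($_SERVER, Configure::read('TrustedProxies'));
// }));
```

The trusted-proxy list is the only configuration the app servers need; once it is populated, every other caller (including the overridden redirect()) asks isSecureRequest() rather than reading the header itself, which keeps the spoofing concern raised in the thread confined to one place.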