Forcing channel https doesn't work on Amazon AWS #2946

Closed
ArlingtonHouse opened this issue Aug 29, 2013 · 8 comments

Comments

@ArlingtonHouse
Contributor

Regarding: symfony-docs / cookbook / security / force_https.rst

The default proxy header that Symfony2 looks for from load balancers or proxies is $_SERVER['X_FORWARDED_PROTO']. However, there is no standard for this, and Amazon load balancers provide $_SERVER['HTTP_X_FORWARDED_PROTO']. As a result, $request->isSecure() returns as http, even when force https is set, and there is an endless redirect loop. I'm not sure how to override the default values, but the cookbook should make a note about this gotcha.

@xabbuh
Member

xabbuh commented Aug 29, 2013

We could add a note and link it to the Configuring Header Names section.

@stof
Member

stof commented Aug 29, 2013

Symfony does not check $_SERVER['X_FORWARDED_PROTO']. It checks the X_FORWARDED_PROTO HTTP header, and HTTP header keys are prefixed by HTTP_ in $_SERVER.

My guess is that you haven't added the load balancer to the list of trusted proxies.

@ArlingtonHouse
Contributor Author

Hi stof, that's correct. Not sure how to add that as a trusted proxy in the context of channel force https.

@cordoval
Contributor

cordoval commented Jan 4, 2014

> My guess is that you haven't added the load balancer to the list of trusted proxies.

I doubt there is any special context. @ArlingtonHouse, did you solve this problem? Please close it if so.
If this really requires overriding a class or some sort of specialized configuration, then this merits a cookbook. However, I doubt this is the case.

@cordoval
Contributor

cordoval commented Jan 6, 2014

This is somewhat a duplicate of #2491

This is safe to close, @wouterj.

@ricardclau
Contributor

I have used Symfony in AWS in different projects, and all issues with https have been related to what @stof says: basically, you need to add the ELB to the list of trusted proxies.

The easiest way to do that if you use AWS or any similar cloud environment is to add this to the front controller:

    Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

Beware that the IPs in the ELB may change in cloud environments but also that you are basically allowing anyone to fake this behaviour if there is direct network access to the boxes.

So, please ensure that you cannot curl the servers directly but only via the ELB in front.

@cordoval @wouterj @stof do you think this should be added to http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html#configuring-header-names ?
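
The decision discussed in this thread, as an added example that is not part of the original comments and is not Symfony's code: a simplified plain-PHP model of honouring the forwarded-protocol header only when the connecting peer is a trusted proxy. The function names, the 10.0.0.0/16 subnet and the client addresses are constructed for illustration; it assumes IPv4 and 64-bit PHP 7.1+.

```php
<?php
// Added illustration: a simplified model of the trusted-proxy decision,
// not Symfony's implementation. All addresses are constructed samples.

/** True if IPv4 address $ip lies inside $cidr (a bare IP is treated as /32). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = -1 << (32 - $bits); // assumes 64-bit PHP integers
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Scheme the application should assume for this request. */
function effectiveScheme(array $server, array $trustedProxies): string
{
    $direct = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    foreach ($trustedProxies as $cidr) {
        // The forwarded header counts only when the TCP peer is a trusted proxy.
        if ($proto !== '' && ipInCidr($server['REMOTE_ADDR'] ?? '', $cidr)) {
            return $proto === 'https' ? 'https' : 'http';
        }
    }
    return $direct; // untrusted peer or no header: use the connection itself
}

// Constructed requests: one relayed by the load balancer, one sent straight
// to the instance by an outside client that sets the header itself.
$viaElb = ['REMOTE_ADDR' => '10.0.1.25', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];

$cases = [
    'ELB, no trusted proxies'            => [$viaElb, []],
    'ELB, 10.0.0.0/16 trusted'           => [$viaElb, ['10.0.0.0/16']],
    'direct client, subnet trusted'      => [$direct, ['10.0.0.0/16']],
    'direct client, REMOTE_ADDR trusted' => [$direct, [$direct['REMOTE_ADDR']]],
];
foreach ($cases as $label => [$server, $trusted]) {
    printf("%-36s => %s\n", $label, effectiveScheme($server, $trusted));
}
```

The first case corresponds to the redirect loop reported in this issue. The last shows why trusting whatever REMOTE_ADDR happens to be is acceptable only when the instances cannot be reached except through the load balancer.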

@weaverryan
Member

@ricardclau I've just taken your idea and created a new entry in #4102 :).

weaverryan added a commit that referenced this issue Aug 8, 2014
…rk (weaverryan)

This PR was merged into the 2.3 branch.

Discussion
----------

Adding a new entry about reverse proxies in the framework

Hi guys!

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New docs?     | no
| Applies to    | all (or 2.3+)
| Fixed tickets | #2946 #2491

Per #2491, I wanted to answer the simple question: "What do I need to do in order to configure Symfony if I have a reverse proxy". The `trusted_proxies` is already documented in the reference section, but this is a full walk-through of what you should be doing and why. I've also increased links in several places where notes are needed.

Thanks!

Commits
-------

5ab6c4a Title case fix thanks to @xabbuh!
89e4d9d A bunch of changes thanks to @xabbuh and @stof
81053ab Fixing build error
c55bc2e Adding another note about how AppCache is a reverse proxy at the IP address 127.0.0.1
18af4e8 Adding a new entry about reverse proxies in the framework and linking to it in many places

@weaverryan
Member

We've just merged an article that talks much more directly about working with Symfony from behind a reverse proxy.

Thanks for the report!
