I put this in nginx conf to provide cake with a way to know about the scheme of the connection as it hits the nginx server:
fastcgi_param SCRIPT_URI $scheme://$host$request_uri;
Maybe something like this would help mitigate the security issues you mention with forwarding a secure-looking header to a non-secure connection? It's just using a standard header and reporting the scheme as it is received.
I haven't tested it on an nginx load balancer however - nginx is serving the site directly. I guess it would depend on how the SCRIPT_URI is passed from the LB to the Apache app servers.
Curious to know what you find out.
On Sunday, January 13, 2013 10:08:31 AM UTC-5, Aaron Pollock wrote:
CakePHP (all versions that I've seen) checks against $_SERVER['HTTPS'] to see whether a request has been made over HTTPS instead of plain HTTP.

I'm using nginx as a load balancer, behind which are the Apache application servers. Since the SSL connection terminates at the load balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned. I'd like to find a secure way to detect HTTPS on the app servers.

So far, I've put this into my CakePHP configuration:

And then in the nginx configuration, I've used proxy_set_header X-Forwarded-Proto https; to add the flag to any requests between the load balancer and the back-end application servers.

This works perfectly fine, but anyone making a direct request to the app servers could fool them into thinking they are browsing over SSL when they're not. I'm not sure whether this is a security risk (probably), but it doesn't seem like a good idea.

The X-Forwarded-Proto HTTP request header seems like something of a standard solution to this problem, so I was going to submit a pull request with this included in the bootstrap.php or at various locations further up the stack where SSL is detected, but since this strikes at the core of the framework (URL routing etc.), I thought I'd open a conversation instead to see if it's been discussed already (I haven't found anything) and what might be done to keep it secure.

One suggestion I've had is to use an array of whitelisted IPs from which the X-Forwarded-Proto header will be accepted (this would list the load balancer IPs). If that list is empty, CakePHP uses only the $_SERVER['HTTPS'] as it does now. If the list is populated, and a request comes from one of the IPs listed, then Cake will consider the X-Forwarded-Proto header too to determine whether URLs should be http or https.

Thoughts? :)
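The whitelist approach proposed in the quoted message, written out as an added example (not CakePHP's own code and not from either poster): X-Forwarded-Proto is honoured only when the immediate peer is one of the load balancer IPs, and an empty list falls back to the stock $_SERVER['HTTPS'] check. The function and variable names are assumptions for illustration, and the sample requests are constructed.

```php
<?php
// Added example, not CakePHP code: decide whether a request is HTTPS,
// honouring X-Forwarded-Proto only when it comes from a trusted proxy.
// isSecureRequest() and $trustedProxies are hypothetical names.

/**
 * @param array    $server         Typically $_SERVER.
 * @param string[] $trustedProxies IPs of the load balancers allowed to set
 *                                 the header. Empty list means use only
 *                                 $_SERVER['HTTPS'], as stock CakePHP does.
 */
function isSecureRequest(array $server, array $trustedProxies): bool
{
    // TLS terminated on this host: HTTPS is set to something other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Empty whitelist: ignore the forwarded header entirely.
    if ($trustedProxies === []) {
        return false;
    }

    // Only the immediate peer (REMOTE_ADDR) can be verified by the app server;
    // X-Forwarded-For is client-controlled and must not drive this decision.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // PHP exposes "X-Forwarded-Proto" as HTTP_X_FORWARDED_PROTO. Use the first
    // value in case an upstream proxy appended to an existing header.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $proto)[0]));
    return $first === 'https';
}

// Constructed sample requests: one arriving via the load balancer, one
// sent straight to the app server with a forged header.
$loadBalancers = ['10.0.0.5'];
$viaLb  = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];

var_dump(isSecureRequest($viaLb, $loadBalancers));  // header from the LB is trusted
var_dump(isSecureRequest($direct, $loadBalancers)); // forged header from elsewhere is ignored
var_dump(isSecureRequest($viaLb, []));              // empty whitelist: stock behaviour
```

The check only holds if the load balancer overwrites the header rather than passing through whatever the client sent; nginx's proxy_set_header, as used in the quoted message, does replace any client-supplied X-Forwarded-Proto.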