- Use X-Forwarded-Proto from the nginx load balancers when making requests to the app servers
- Restricting app server access to the IPs of the load balancers only
- Using a Request Detector to make the Request->is('ssl') work properly
- And overwriting the Controller->redirect() in the AppController to make use of the X-Forwarded-Proto when deciding whether a redirect should be over HTTPS
That all makes it pretty seamless to the rest of the application.
Thanks again,
Aaron
On Monday, January 14, 2013 10:21:58 PM UTC, ibejohn818 wrote:
My assumption is that you wish to terminate SSL requests on your load balancer.

In my setup, I use HAPROXY as my LB, and use NGINX to terminate my SSL requests.

In your NGINX configuration that is binding port 443, you can have it set headers to proxy over to HAPROXY.

IE:

    location / {
        proxy_pass http://127.0.0.1:80/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header SCHEME $scheme;
    }

Scheme will pass in "https" or "http" (IE: the request scheme).

Then, in your HAPROXY configuration, you configure your clusters to "forwardfor" which will pass all the additional headers.

IE:

    option forwardfor

Your _SERVER array will now have the "scheme" parameter in it informing you of whether your request was terminated if present, and not terminated if the "scheme" parameter is missing.

On Jan 14, 2013, at 12:51 PM, sophistry <phl...@gmail.com> wrote:

see this old thread for more info about nginx config:

basically nginx configuration has to be tweaked to give cake something similar to what apache provides. cake is looking for the scheme in the SCRIPT_URI to determine if the request is over SSL. nginx does not provide that by default so you have to construct it by putting the entry in a conf file.

also, sounds like you should take the advice from the SO question about limiting access to the Apache app servers to only allow the LB's IPs to talk to them.

let us know how it goes.
On Monday, January 14, 2013 3:36:08 PM UTC-5, Aaron Pollock wrote:

Thanks ibejohn818 and sophistry.

You're pushing me outside my nginx knowledge here. Would those methods also be open to spoofing by anyone who can directly send HTTP requests to the server? The fastcgi_param, if that will work with multiple boxes, still needs to get from load balancer to web server somehow in the HTTP request, for example. (My direct nginx experience is limited, so I'm not sure.)

I suppose anyone trying to spoof these solutions would need to know that this is the method being used. Maybe a header with some sort of shared secret sent only between the load balancers and the web servers would help too, but it's security by obscurity.

A Stack Overflow question I started threw up a good answer, involving the IP whitelist I described above and using CakePHP's Request Detector functionality. But, and it's a big but, Cake's redirect() method doesn't use $this->request->is('ssl') to decide whether its HTTP 302 redirects should be to HTTP or HTTPS URLs, so it always redirects to HTTP even when the Request Detector is in place. The redirect() method ultimately drops down to the Cake Router, which uses the FULL_BASE_URL constant to determine the protocol. That constant is defined at a very low level, in the bootstrap.

My end game is to get a solution which is handled seamlessly by redirect() and it's looking more and more like it needs a core change to achieve this.
On Monday, January 14, 2013 7:15:52 PM UTC, ibejohn818 wrote:

I use a setup with NGINX forwarding my port 443 traffic to HAPROXY.

Have NGINX pass the scheme in the headers like so:

nginx.conf

    proxy_set_header SCHEME $scheme;

You will then be able to access this parameter in your $_SERVER array.

On Jan 14, 2013, at 9:51 AM, sophistry <phl...@gmail.com> wrote:

env() in lib/Cake/basics.php also checks the $_SERVER SCRIPT_URI (in addition to the $_SERVER HTTPS you are working off)

I put this in nginx conf to provide cake with a way to know about the scheme of the connection as it hits the nginx server:

    fastcgi_param SCRIPT_URI $scheme://$host$request_uri;

maybe something like this would help mitigate the security issues you mention with forwarding a secure-looking header to a non-secure connection? it's just using a standard header and reporting the scheme as it is received.

I haven't tested it on an nginx load balancer however - nginx is serving the site directly. I guess it would depend on how the SCRIPT_URI is passed from the LB to the Apache app servers.

Curious to know what you find out.
On Sunday, January 13, 2013 10:08:31 AM UTC-5, Aaron Pollock wrote:

CakePHP (all versions that I've seen) checks against $_SERVER['HTTPS'] to see whether a request has been made over HTTPS instead of plain HTTP.

I'm using nginx as a load balancer, behind which are the Apache application servers. Since the SSL connection terminates at the load balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned.

I'd like to find a secure way to detect HTTPS on the app servers.

So far, I've put this into my CakePHP configuration:

And then in the nginx configuration, I've used proxy_set_header X-Forwarded-Proto https; to add the flag to any requests between the load balancer and the back-end application servers.

This works perfectly fine, but anyone making a direct request to the app servers could fool them into thinking they are browsing over SSL when they're not. I'm not sure whether this is a security risk (probably), but it doesn't seem like a good idea.

The X-Forwarded-Proto HTTP request header seems like something of a standard solution to this problem, so I was going to submit a pull request with this included in the bootstrap.php or at various locations further up the stack where SSL is detected, but since this strikes at the core of the framework (URL routing etc.), I thought I'd open a conversation instead to see if it's been discussed already (I haven't found anything) and what might be done to keep it secure.

One suggestion I've had is to use an array of whitelisted IPs from which the X-Forwarded-Proto header will be accepted (this would list the load balancer IPs). If that list is empty, CakePHP uses only the $_SERVER['HTTPS'] as it does now. If the list is populated, and a request comes from one of the IPs listed, then Cake will consider the X-Forwarded-Proto header too to determine whether URLs should be http or https.

Thoughts? :)

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake...@googlegroups.com.
To unsubscribe from this group, send email to cake-php+u...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en .
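
The IP-whitelist idea discussed in this thread, as an added example that is not code from the original posts or from CakePHP: a plain PHP function that honours X-Forwarded-Proto only when the TCP peer is a listed load balancer. The function name, the TRUSTED_PROXIES constant and the sample addresses (documentation ranges) are assumptions made for illustration.

```php
<?php
// Added example. Addresses are constructed placeholders, not real load balancers.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Decide whether the client's original request was HTTPS.
 * $server is a $_SERVER-shaped array; $trustedProxies lists load balancer IPs.
 */
function request_is_https(array $server, array $trustedProxies): bool
{
    // TLS terminated on this server: the signal CakePHP already checks.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Empty whitelist: behave as before and ignore forwarded headers.
    if ($trustedProxies === []) {
        return false;
    }
    // REMOTE_ADDR is the TCP peer address; it does not come from a request header.
    $peer = @inet_pton((string)($server['REMOTE_ADDR'] ?? ''));
    if ($peer === false) {
        return false;
    }
    foreach ($trustedProxies as $ip) {
        // Compare packed binary forms so equivalent spellings of an address match.
        if (@inet_pton($ip) === $peer) {
            $proto = strtolower(trim((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
            return $proto === 'https';
        }
    }
    // Header sent by an unlisted peer (a direct request to the app server): ignored.
    return false;
}

// Constructed sample requests: [$_SERVER-like input, expected result].
$cases = [
    'via LB, https'  => [['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'https'], true],
    'via LB, http'   => [['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'http'],  false],
    'direct, header' => [['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'], false],
    'direct TLS'     => [['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],                     true],
];
foreach ($cases as $name => [$server, $expected]) {
    $got = request_is_https($server, TRUSTED_PROXIES);
    printf("%-15s %s\n", $name, $got === $expected ? 'ok' : 'MISMATCH');
}
```

This check complements, and does not replace, restricting app server access to the load balancer IPs at the network level. On the nginx side, proxy_set_header X-Forwarded-Proto replaces any value the client supplied, so the header reaching the app servers is the load balancer's own.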