Improved https recognition behind load balancer #221
Thank you. Can you add a test to
I had to modify port tests too. I know that I should not change existing tests, but thanks to this comment 4d8a1fc, I'm not sure if tests were ok in the first place?
Altering tests is probably ok, but it would be nice if @grongor could take a look at it.
Sorry, I haven't been working with PHP for some time now...
@grongor I get it, but you remember how it works, right?
I did some overview of variables, I'm missing Apache because we are not using it.
So I can add tests to cover these possibilities?
You definitely cannot read X-Forwarded- header without checking they come from trusted proxy. Isn't this all already handled by the
@janfejtek thanks for the PR, but the truth is I don't understand this. So I can't answer you, and I can't even merge it. I just need to get it approved by someone who understands and who I know. Or I can research it, but unfortunately the average wait time for solving issue can be over a year.
@JanTvrdik Thank you, you were right with the @dg do you think now it would be possible? The actual issue is that there is no port in
That's much better, but still wrong.
The correct way to fix this (imho) is to use default port based on schema, when explicit port is missing in the

```php
private function useForwardedProxy(Url $url, &$remoteAddr, &$remoteHost): void
{
	// Split the Forwarded header into key=value pairs, grouped by lower-cased key.
	$proxyParams = [];
	$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);
	foreach ($forwardParams as $forwardParam) {
		[$key, $value] = explode('=', $forwardParam, 2) + [1 => ''];
		$proxyParams[strtolower(trim($key))][] = trim($value, " \t\"");
	}

	// for=: address of the original client, with any port stripped.
	if (isset($proxyParams['for'])) {
		$address = $proxyParams['for'][0];
		$remoteAddr = str_contains($address, '[')
			? substr($address, 1, strpos($address, ']') - 1) // IPv6
			: explode(':', $address)[0]; // IPv4
	}

	// proto=: set the scheme and the default port that belongs to it.
	if (isset($proxyParams['proto']) && count($proxyParams['proto']) === 1) {
		$url->setScheme(strcasecmp($proxyParams['proto'][0], 'https') === 0 ? 'https' : 'http');
		$url->setPort($url->getScheme() === 'https' ? 443 : 80);
	}

	// host=: an explicit port here overrides the scheme default set above.
	if (isset($proxyParams['host']) && count($proxyParams['host']) === 1) {
		$host = $proxyParams['host'][0];
		$startingDelimiterPosition = strpos($host, '[');
		if ($startingDelimiterPosition === false) { // IPv4
			$remoteHostArr = explode(':', $host);
			$remoteHost = $remoteHostArr[0];
			$url->setHost($remoteHost);
			if (isset($remoteHostArr[1])) {
				$url->setPort((int) $remoteHostArr[1]);
			}
		} else { // IPv6
			$endingDelimiterPosition = strpos($host, ']');
			// Length is measured from the opening bracket, not from offset 0.
			$remoteHost = substr(
				$host,
				$startingDelimiterPosition + 1,
				$endingDelimiterPosition - $startingDelimiterPosition - 1
			);
			$url->setHost($remoteHost);
			$remoteHostArr = explode(':', substr($host, $endingDelimiterPosition));
			if (isset($remoteHostArr[1])) {
				$url->setPort((int) $remoteHostArr[1]);
			}
		}
	}
}
```
@dg now the fix looks good to me
Thanks!
When server is behind reverse proxy/load balancer, checking of HTTPS variable is not enough
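
The two points raised in the review, that forwarded headers may only be read when the request comes from a trusted proxy and that the port should default from the scheme when none is given, are shown together in the following added example. It is not code from this PR or from nette/http; the function names `ipInCidr` and `resolveSchemeAndPort`, the trusted range and the sample requests are assumptions made up for illustration.

```php
<?php
/** True when $ip lies inside $cidr (IPv4 or IPv6). Hypothetical helper, not nette/http API. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => null];
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address or address-family mismatch
    }
    $bits ??= (string) (strlen($ipBin) * 8); // bare address means an exact match
    if (!ctype_digit($bits) || ($n = (int) $bits) > strlen($ipBin) * 8) {
        return false; // a malformed prefix must never widen the trusted range
    }
    $bytes = intdiv($n, 8);
    $mask = (0xFF << (8 - $n % 8)) & 0xFF; // 0 when the prefix ends on a byte boundary
    return substr($ipBin, 0, $bytes) === substr($netBin, 0, $bytes)
        && ($mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

/** Returns [scheme, port]; Forwarded is honoured only when REMOTE_ADDR is a trusted proxy. */
function resolveSchemeAndPort(array $server, array $trustedProxies): array
{
    $scheme = !empty($server['HTTPS']) && strcasecmp($server['HTTPS'], 'off') !== 0 ? 'https' : 'http';
    $port = (int) ($server['SERVER_PORT'] ?? ($scheme === 'https' ? 443 : 80));
    $peer = $server['REMOTE_ADDR'] ?? '';
    $trusted = array_filter($trustedProxies, fn(string $cidr): bool => ipInCidr($peer, $cidr));
    if (!$trusted || empty($server['HTTP_FORWARDED'])) {
        return [$scheme, $port]; // untrusted peer: ignore the client-supplied header
    }
    $params = [];
    foreach (preg_split('/[,;]/', $server['HTTP_FORWARDED']) as $pair) {
        [$key, $value] = explode('=', $pair, 2) + [1 => ''];
        $params[strtolower(trim($key))][] = trim($value, " \t\"");
    }
    if (isset($params['proto']) && count($params['proto']) === 1) {
        $scheme = strcasecmp($params['proto'][0], 'https') === 0 ? 'https' : 'http';
        $port = $scheme === 'https' ? 443 : 80; // default port follows the forwarded scheme
    }
    if (isset($params['host']) && count($params['host']) === 1
        && preg_match('/^(?:\[[^\]]+\]|[^:]+):(\d+)$/', $params['host'][0], $m)) {
        $port = (int) $m[1]; // an explicit port in host= overrides the default
    }
    return [$scheme, $port];
}

// Constructed requests: identical Forwarded header, different direct peers.
$lb = ['REMOTE_ADDR' => '10.1.2.3', 'SERVER_PORT' => '8080', 'HTTP_FORWARDED' => 'for=203.0.113.7;proto=https;host=example.com'];
$direct = ['REMOTE_ADDR' => '198.51.100.9'] + $lb; // same header sent straight from a client
var_dump(resolveSchemeAndPort($lb, ['10.0.0.0/8']), resolveSchemeAndPort($direct, ['10.0.0.0/8']));
```

The first request arrives from inside the trusted range, so `proto=https` is applied and the port follows the scheme; the second carries the same header from an untrusted peer and keeps the locally observed scheme and port.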