Skip to content

SubRequestHandler uses incorrect scheme if using external SSL Termination #28225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
siosphere opened this issue Aug 19, 2018 · 3 comments
Closed

SubRequestHandler uses incorrect scheme if using external SSL Termination #28225

siosphere opened this issue Aug 19, 2018 · 3 comments

Comments

@siosphere
Copy link

siosphere commented Aug 19, 2018
edited
Loading

Symfony version(s) affected: 2.8.44

Description
Symfony properly determines the schema from the Forwarded header for the main request, but when using fragments, it strips the forwarded header and then rebuilds it. Because it was stripped, $request->getScheme() returns http as the forwarded header is now missing.

How to reproduce
Setup symfony/apache with SSL termination handled separately (such as with HAProxy). When this happens, X-Forwarded-Proto is passed with "https", but the $_SERVER['HTTPS'] is not set to on (since apache isn't handling the SSL termination).
Create a fragment using {{render(controller('SomeController::someAction'))}}
In the fragment controller $request->isSecure() will return false, however in the main action of the controller $request->isSecure() will return true.

Possible Solution
Mitigation is to have apache set HTTPS=on if the X-Forwarded-Proto = https:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
The better solution would be to load the scheme before stripping the forwarded header when rebuilding the trusted headers in SubRequestHandler
@nicolas-grekas
Copy link
Member

Can you please check if this isn't fixed already in branch 2.8?

@jmartinsnexity jmartinsnexity mentioned this issue Aug 21, 2018
Closed
@nicolas-grekas nicolas-grekas mentioned this issue Aug 22, 2018
Merged
@nicolas-grekas
Copy link
Member

Please confirm #28241 fixes your issue.

@siosphere
Copy link
Author

It looks like it fixes it, I am unable to reproduce with those fixes applied.

nicolas-grekas added a commit that referenced this issue Aug 24, 2018
@nicolas-grekas
bug #28241 [HttpKernel] fix forwarding trusted headers as server para…
2554ad0 
…meters (nicolas-grekas)

This PR was merged into the 2.8 branch.

Discussion
----------

[HttpKernel] fix forwarding trusted headers as server parameters

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #28233, #28226, #28225, #28240
| License       | MIT
| Doc PR        | -

Commits
-------

9295348 [HttpKernel] fix forwarding trusted headers as server parameters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nicolas-grekas @siosphere