How do I configure SSL with Laravel 5 behind a load balancer (ssl_termination)?

Question

I have a laravel 5 project deployed to AWS EC2 web instances, behind an ELB with ssl termination.

For things like assets, Laravel by default uses whatever scheme is currently used. However, I've noticed since the https traffic is decrypted by the ELB and forwarded to the EC2 nodes via http, Laravel does not think it's currently using https and thus uses http for assets. This is obviously causing problems.

From what I've found, Laravel checks for this sort of proxy setup using the X_FORWARDED_PROTO header. However I've found this header doesn't exist and instead there is an HTTP_X_FORWARDED_PROTO header. In researching this, I've found that prepending "HTTP_" is something php does. If that's true, then why isn't Laravel checking for it, as it is a purely php framework?

I've read articles saying to use something like Fideloper's Trusted Proxies, yet it's unclear why Laravel doesn't check for these headers by default.

How can I configure Laravel to accept HTTP_X_FORWARDED_* headers, or otherwise configure it to know my current scheme is https?
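As an added illustration (not part of the question, and not Laravel's or Symfony's own code): PHP exposes every incoming request header as $_SERVER['HTTP_<NAME>'], following the CGI convention, so the X-Forwarded-Proto header the ELB sets arrives as HTTP_X_FORWARDED_PROTO. The script below shows the minimal trusted-proxy check a framework applies before honouring that header; the proxy address and the sample $_SERVER arrays are constructed for the demo and assume nothing about a real deployment.

```php
<?php
// Added example: a minimal trusted-proxy check for X-Forwarded-Proto.
// Not Laravel or Symfony code; $trustedProxies and the sample server
// arrays below are constructed for the demonstration.

/**
 * Decide whether a request should be treated as HTTPS.
 *
 * The X-Forwarded-Proto header is only honoured when the TCP peer that
 * delivered the request (REMOTE_ADDR) is a proxy we trust. Any client can
 * send the header, so without this check a client could flip the result.
 */
function requestIsSecure(array $server, array $trustedProxies): bool
{
    // Direct TLS on this node: the web server sets HTTPS to "on" (or "1").
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }

    // PHP prefixes each HTTP request header with "HTTP_", upper-cases it and
    // turns "-" into "_", so "X-Forwarded-Proto: https" becomes
    // $_SERVER['HTTP_X_FORWARDED_PROTO'].
    $forwardedProto = $server['HTTP_X_FORWARDED_PROTO'] ?? null;
    if ($forwardedProto === null) {
        return false;
    }

    // Only trust the header when the immediate peer is a known proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // Some proxies send a comma-separated chain; the first entry is the
    // scheme the original client used.
    $first = trim(explode(',', $forwardedProto)[0]);
    return strtolower($first) === 'https';
}

// Constructed sample inputs for the demo (assumed addresses, not real ones).
$trustedProxies = ['10.0.1.25'];   // the ELB-facing address we trust

$samples = [
    'via ELB, client used https'    => ['REMOTE_ADDR' => '10.0.1.25',   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via ELB, client used http'     => ['REMOTE_ADDR' => '10.0.1.25',   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'header from an untrusted peer' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS on the node'        => ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    printf("%-32s secure=%s\n", $label, requestIsSecure($server, $trustedProxies) ? 'yes' : 'no');
}
```

The third sample is the case the trusted-proxy check exists for: the header is present and says https, but because the peer is not the proxy it is ignored and the request stays http.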

Answer

Laravel doesn't check for these by default because these headers can be trivially injected into a request (i.e. faked), and that creates a theoretical attack vector into your application. A malicious user can make Laravel think a request is, or is not secure, which in turn might lead to something being compromised.

When I ran into this same problem a few months back using Laravel 4.2, my solution was to create a custom request class and tell Laravel to use it here:

#File: bootstrap/start.php
//for custom secure behavior -- laravel autoloader doesn't seem here yet?
//(a "/" is needed between the directory and the relative path)
require_once realpath(__DIR__) . '/path/to/my/MyCustomRequest.php';

Illuminate\Foundation\Application::requestClass('MyCustomRequest');

and then in MyCustomRequestClass, I extended the base request class and added extra is/is-not secure logic

//File: path/to/my/MyCustomRequest.php
//The class name must match the one passed to Application::requestClass()
class MyCustomRequest extends \Illuminate\Http\Request
{
    /**
     * Determine if the request is over HTTPS, or was sent over HTTPS
     * via the load balancer
     *
     * @return bool
     */
    public function secure()
    {
        $secure = parent::secure();
        //extra custom logic to determine if something is, or is not, secure
        //...
        return $secure;
    }

    public function isSecure()
    {
        return $this->secure();
    }
}

I would not do this now. After working with the framework for a few months, I realized that Laravel's request class has the Symfony request class as a parent, meaning a Laravel request inherits a Symfony request object's behavior.

That means you can tell Laravel which proxy servers it should trust with something like this

// Trust the load balancer's address so the X-Forwarded-* headers it adds
// are honoured. Symfony 3.3+ expects a second argument naming the header
// set to read (e.g. Request::HEADER_X_FORWARDED_ALL); Symfony 4 requires it.
Request::setTrustedProxies(array(
    '192.168.1.52' // IP address of your proxy server
));

This code tells Laravel which proxy servers it should trust. After that, it should pick up the standard "forwarded for" headers. You can read more about this functionality in the Symfony docs.
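In Laravel 5.5 and later the setTrustedProxies call from the answer is wrapped by the TrustProxies middleware (App\Http\Middleware\TrustProxies, registered in app/Http/Kernel.php and built on the fideloper/proxy package the question mentions). The following is an added example of that middleware configured for an ELB whose addresses are not fixed; it is not code from the answer, and the explicit address in the comment is an assumed placeholder.

```php
<?php
// Added example, not from the answer: app/Http/Middleware/TrustProxies.php
// as shipped by Laravel 5.5+ (fideloper/proxy), configured for an AWS ELB.

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Fideloper\Proxy\TrustProxies as Middleware;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * ELB addresses are not fixed, so '*' trusts the immediate peer
     * (REMOTE_ADDR) whatever it is. That is only acceptable when the EC2
     * security group allows inbound HTTP from the load balancer alone;
     * otherwise list the proxy addresses explicitly, e.g. ['10.0.1.25']
     * (an assumed placeholder address).
     *
     * @var string|array
     */
    protected $proxies = '*';

    /**
     * Which forwarded headers to read from a trusted proxy.
     * HEADER_X_FORWARDED_ALL covers X-Forwarded-For/-Host/-Port/-Proto,
     * so Request::isSecure(), url() and asset() see the client's scheme.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_ALL;
}
```

The important check is the one the '*' setting delegates to the network: if an instance can be reached directly, bypassing the balancer, then trusting every peer means any client can set X-Forwarded-Proto itself, which is exactly the spoofing concern the answer raises. Restricting inbound traffic to the balancer, or listing its addresses, keeps the header trustworthy.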
