Best practice for SSL in CakePHP


Problem description


I'd like to implement HTTPS for all pages.

I use CakePHP 2.3 with the "Auth" component.

Actually, the only way I found is to add a "beforeFilter-condition".

But this is very dirty because I have a lot of "not-SSL" requests because of Auth-Component.


AppController.php --->

class AppController extends Controller {

  public function beforeFilter() {
    if (env("SERVER_PORT") != "443") {
      $this->Security->blackHoleCallback = 'forceSSL';
      $this->Security->requireSecure();
    }
  }

  public function forceSSL() {
    $this->redirect('https://' . env('SERVER_NAME') . $this->here);
  }

}




The problem appears when I am not logged in and I try to access my website:

  • Request --> Response (because of)
  • GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/ (beforeFilter-redirection)
  • GET hxxps://MYSITE/ --> 302 hxxp://MYSITE/users/login (Auth component)
  • GET hxxp://MYSITE/users/login --> 302 hxxps://MYSITE/users/login (beforeFilter-redirection)
  • GET hxxps://MYSITE/users/login --> 200
  • POST hxxps://MYSITE/users/login (with creds) --> 302 hxxp://MYSITE/ (Auth component)
  • GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/
  • GET hxxps://MYSITE/ --> 200

So, do you know another way to do that?


NB: I had to force my cookies to be secure in core.php because they weren't.

core.php --->

Configure::write('Session', array(
  'defaults' => 'php',
  'ini' => array(
    'session.cookie_secure' => true
  )));




Note that I also tried to force SSL by modifying .htaccess but all I get is an infinite loop.

EDIT:

The default .htaccess in CakePHP is

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteRule    ^$ app/webroot/    [L]
   RewriteRule    (.*) app/webroot/$1 [L]
</IfModule>

What I tried to add:

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

Solution

Finally, the solution I chose was:

  • Deleting /app/webroot/.htaccess and /app/.htaccess

  • Modifying /.htaccess to

.htaccess --->

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

  • Disabling URL-Rewriting in Cake

core.php --->

Configure::write('App.baseUrl', env('SCRIPT_NAME'));



Now access is via hxxps://www.mysite.com/index.php/controller/action
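
An added example, not part of the original question or answer: a small Python audit of the redirect trace quoted in the question. It counts the requests that leave the browser over plain HTTP and the HTTPS responses whose redirect target points back to HTTP. The trace is copied from the page with its defanged hxxp scheme; the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Trace copied from the question (defanged hxxp/hxxps kept as on the page).
TRACE = """\
GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/ (beforeFilter-redirection)
GET hxxps://MYSITE/ --> 302 hxxp://MYSITE/users/login (Auth component)
GET hxxp://MYSITE/users/login --> 302 hxxps://MYSITE/users/login (beforeFilter-redirection)
GET hxxps://MYSITE/users/login --> 200
POST hxxps://MYSITE/users/login (with creds) --> 302 hxxp://MYSITE/ (Auth component)
GET hxxp://MYSITE/ --> 302 hxxps://MYSITE/
GET hxxps://MYSITE/ --> 200
"""

# METHOD URL [(note)] --> STATUS [LOCATION] [(cause)]
HOP = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s+\([^)]*\))?\s+-->\s+(?P<status>\d{3})"
    r"(?:\s+(?P<location>\w+://\S+))?(?:\s+\((?P<cause>[^)]*)\))?\s*$"
)

def refang(url):
    """Turn the page's defanged hxxp(s):// back into http(s):// for parsing."""
    return re.sub(r"^hxxp", "http", url) if url else url

def parse_trace(text):
    hops = []
    for line in text.splitlines():
        m = HOP.match(line.strip())
        if not m:
            continue  # skip headers and blank lines
        hop = m.groupdict()
        hop["url"], hop["location"] = refang(hop["url"]), refang(hop["location"])
        hop["status"] = int(hop["status"])
        hops.append(hop)
    return hops

def audit(hops):
    """Return (requests sent over http, https responses redirecting to http)."""
    plaintext = [h for h in hops if urlsplit(h["url"]).scheme == "http"]
    downgrades = [
        h for h in hops
        if 300 <= h["status"] < 400 and h["location"]
        and urlsplit(h["url"]).scheme == "https"
        and urlsplit(h["location"]).scheme == "http"
    ]
    return plaintext, downgrades

if __name__ == "__main__":
    plain, down = audit(parse_trace(TRACE))
    print(len(plain), "plaintext requests;", len(down), "https->http redirects")
```

On the question's trace, both downgrades are attributed to the Auth component, and one of them is the response to the credential-bearing login POST.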
