How can I securely detect SSL in CakePHP behind an nginx reverse proxy?

Views: 244

Problem description


CakePHP (all versions that I've seen) checks against $_SERVER['HTTPS'] to see whether a request has been made over HTTPS instead of plain HTTP.

I'm using nginx as a load balancer, behind which are the Apache application servers. Since the SSL connection terminates at the load balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned.

I'd like to find a secure way to detect HTTPS on the app servers.

So far, I've put this into my CakePHP configuration:

$request_headers = getallheaders();
if ( (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) || ( isset($request_headers['X-Forwarded-Proto']) && $request_headers['X-Forwarded-Proto'] == 'https' ) ) {

    $ssl = true;

    // overwrite environment vars (ugly) since CakePHP won't honour X-Forwarded-Proto
    $_SERVER['HTTPS'] = 'on';
    $_ENV['HTTPS'] = 'on';

} else {
    $ssl = false;
}

And then in the nginx configuration, I've used proxy_set_header X-Forwarded-Proto https; to add the flag to any requests between the load balancer and the back-end application servers.

This works perfectly fine, but anyone making a direct request to the app servers could fool them into thinking they are browsing over SSL when they're not. I'm not sure whether this is a security risk, but it doesn't seem like a good idea.

Is it a security risk? What's the better solution?

Since using X-Forwarded-Proto seems like something of a standard, the solution may be a good patch to be submitted to the CakePHP core, so I think any answer can legitimately involve editing core files too.

Solution

mod_rpaf will let you do this.

This sets the HTTPS value in Apache to "on" based on the headers sent by nginx so Cake will work out of the box (as well as any other apps run in Apache).

It also corrects the values for REMOTE_ADDR, SERVER_PORT and HTTP_HOST.

Here is my example config:

<IfModule mod_rpaf.c>
    RPAF_Enable       On
    RPAF_ProxyIPs     127.0.0.1 10.0.0.0/24
    RPAF_SetHostName  On
    RPAF_SetHTTPS     On
    RPAF_SetPort      On
</IfModule>

# If mod_rewrite redirects then we lose the HTTPS status to REDIRECT_HTTPS.
# This resets it back. This happens with Cake's front controller
<IfModule setenvif_module>
    SetEnvIf REDIRECT_HTTPS on HTTPS=on
</IfModule>
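The spoofing worry raised in the question, and the reason the answer's RPAF_ProxyIPs line matters, come down to one rule: a forwarded header is only as trustworthy as the peer that delivered it. The following is an added example, not code from the question, the answer, CakePHP or mod_rpaf, showing a PHP-side version of the same check for servers where the Apache module cannot be installed. It assumes PHP 7 or later, IPv4 only, and that the trusted proxy list is the same as the RPAF_ProxyIPs value in the answer; the function and constant names are this example's own.

```php
<?php
// Added example: honour X-Forwarded-Proto only when the TCP peer (REMOTE_ADDR)
// is one of the configured proxies, so a client that reaches the app server
// directly cannot claim to be on HTTPS. Mirrors what mod_rpaf's RPAF_ProxyIPs
// does, but in application code. Assumes PHP >= 7 and IPv4 addresses.

// Trusted proxies: same values as the RPAF_ProxyIPs line in the answer.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.0/24'];

/** True if IPv4 address $ip lies inside $cidr ('a.b.c.d' or 'a.b.c.d/n'). */
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // a bare address is a /32
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;                         // malformed input never matches
    }
    $bits = (int) $bits;
    if ($bits <= 0) {
        return true;                          // /0 matches everything
    }
    // Compare only the top $bits bits; shifting both sides avoids 32/64-bit
    // sign issues with an explicit 0xFFFFFFFF mask.
    $shift = 32 - $bits;
    return ($ipLong >> $shift) === ($subnetLong >> $shift);
}

/** Is the peer that connected to Apache one of our load balancers? */
function isTrustedProxy(string $remoteAddr): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether the original client request used HTTPS.
 * $server is a copy of $_SERVER, passed in so the function can be unit-tested.
 */
function requestIsHttps(array $server): bool
{
    // TLS terminated on this very server: Apache sets HTTPS itself, and a
    // client cannot forge it because request headers land in HTTP_* keys.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Apache exposes the X-Forwarded-Proto request header as HTTP_X_FORWARDED_PROTO.
    // With chained proxies the value can be a comma list; the first entry is
    // the scheme the outermost proxy saw.
    $proto = trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]);
    $peer  = $server['REMOTE_ADDR'] ?? '';

    return $peer !== ''
        && isTrustedProxy($peer)
        && strtolower($proto) === 'https';
}

// Usage in the CakePHP bootstrap: the same environment override as the
// question's snippet, applied only after the peer check has passed.
if (requestIsHttps($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
    $_ENV['HTTPS']    = 'on';
} else {
    unset($_SERVER['HTTPS'], $_ENV['HTTPS']);   // never let a stale value linger
}
```

Two things the example relies on are worth stating in prose. First, the check keys off REMOTE_ADDR, which is the address of the TCP peer and cannot be set by an HTTP header, so the only way to pass it is to actually connect from a proxy address; that is exactly why RPAF_ProxyIPs is the security-relevant line in the answer's config. Second, on the nginx side it is safer to send `proxy_set_header X-Forwarded-Proto $scheme;` (nginx's built-in `$scheme` variable) rather than the literal `https` used in the question, so that plain-HTTP requests passing through the same load balancer are reported as `http` instead of being silently upgraded.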
