Forcing channel https doesn't work on Amazon AWS

[ArlingtonHouse]

Regarding: symfony-docs / cookbook / security / force_https.rst

The default proxy header that Symfony2 looks for from load balancers or proxies is $_SERVER['X_FORWARDED_PROTO']. However there is no standard for this and Amazon load balancers provide $_SERVER['HTTP_X_FORWARDED_PROTO'] . As a result, $request->isSecure() returns as http, even when force https is set, and there is an endless redirect loop. I'm not sure how to override the default values but the cookbook should make a note about this gotcha.

[xabbuh]

We could add a note and link it to the Configuring Header Names section.

[stof]

Symfony does not check $_SERVER['X_FORWARDED_PROTO']. It checks the X_FORWARDED_PROTO HTTP header. and HTTP headers keys are prefixed by HTTP_ in $_SERVER.

My guess is that you haven't added the load balancer to the list of trusted proxies.

[ArlingtonHouse]

Hi stof, that's correct. Not sure how to add that as a trusted proxy in the context of channel force https.

[cordoval]

My guess is that you haven't added the load balancer to the list of trusted proxies.

I doubt there is any special context @ArlingtonHouse , did you solve this problem? please close it if so
If this really requires to override a class or some sort of specialized configuration then this merits a cookbook. However I doubt this is the case.

[cordoval]

This is somewhat a duplicate of #2491

is safe to close @wouterj

[ricardclau]

I have used Symfony in AWS in different projects and all issues with https have been related to what @stof says, basically you need to add the ELB to the list of trusted proxies.

The easiest way to do that if you use AWS or any similar cloud environment is to add this to the front controller:

   Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

Beware that the IPs in the ELB may change in cloud environments but also that you are basically allowing anyone to fake this behaviour if there is direct network access to the boxes.

So, please ensure that you cannot curl the servers directly but only via the ELB in front.

@cordoval @wouterj @stof do you think this should be added to http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html#configuring-header-names ?

[weaverryan]

@ricardclau I've just taken your idea and created a new entry in #4102 :).

[weaverryan]

We've just merged an article that talks much more directly about working with Symfony from behind a reverse proxy.

Thanks for the report!