Symfony2 behind ELB is redirecting to http instead of https

Question

Issue:

• User logs in with https://example.com/login
• Authentication is approved
• As configured in security.yml Symfony2 redirects u

Answer 1

How to force Symfony to generate redirect URL with https protocol instead http?

You need to explicitly configure the HTTPS protocol because by detection alone, Symfony2 will only guess HTTP as HTTP is used as transport protocol to the application.

So for the component that creates the redirect URI, you need to inject the HTTPS base URI-Scheme. One simple way to do this, is to configure the base-URI as a parameter and then within the configuration.

Example codes are given

• like: http://web.archive.org/web/20130119123312/http://www.dobervich.com/2011/05/19/more-sophisticated-symfony2-login-redirection/
• or: http://web.archive.org/web/20130119124912/http://www.dobervich.com/2011/10/13/login-redirection-revisited/

Answer 2

The solutions above did not work for me. I added the following line of code (as suggested in Symfony2's docs http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly) to my web/app.php:

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

right after

$request = Request::createFromGlobals();

That solved the problem for me in Symfony 2.5.

Answer 3

I had the exact same problem with a PHP application using AWS and ELB with SSL in a CakePHP application.

My solution was good in some ways and bad in others. The problem was that Amazon sends different HTTPS headers than the PHP headers you look for: $_SERVER['HTTPS'] is off, while Amazon sends alternative HTTPS headers that you can use to identify that it is in fact running under HTTPS:

$_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'

I worked out that my base URL constant that Cake defined internally had the http protocol in it, so I simply redefined the $_SERVER['HTTPS'] variable on the very first line of my index.php file in Cake - and I wouldn't be surprised if you could do the same in symfony):

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

This allowed my application to continue on, detect HTTPS as being 'on' as would normally be expected and allow Cake to internally manage the protocol in my base URL constant.

Good:

• fixed the problem immediately
• used 3 lines of code

Bad:

• whenever I upgrade my Cake core, I'll have to put this back in again

Answer 4

1. Make sure that trusted_hosts and trusted_proxies configuration properties are set appropriately.
2. Make sure that your load balancer adds X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port and, what's most important, X-Forwarded-Proto headers to the HTTP request send to the application.

Documentation: Trusting Proxies.

---

EDIT:

As @A23 suggested you should also check if ELB is using "standard" headers names. If not, change them using one of following:

Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');

Answer 5

are you use absolute url for redirection? i was facing a similar issue behind myracloud when we used relative urls on redirection. myracloud "fixed" it and made it absolute, but lost the protocol.

Answer 6

Take a look at

vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php

AWS ELB's use HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT while Symfony looks the X_FORWARDED_PROTO and X_FORWARDED_PORT headers to judge the connection and its secure status.

You can try changing those keys in the trustedHeaders although I would not recommend directly changing them but finding a way to override those.

protected static $trustedHeaders = array(
        self::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
        self::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
        self::HEADER_CLIENT_PROTO => 'HTTP_X_FORWARDED_PROTO',
        self::HEADER_CLIENT_PORT  => 'HTTP_X_FORWARDED_PORT',
    );

Reference - http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-for