Symfony2 behind ELB is redirecting to http instead of https

Question

Issue:

• User logs in with https://example.com/login
• Authentication is approved
• As configured in security.yml Symfony2 redirects user to profile page after login.
• But it redirects them to the wrong url http://example.com/homepage

security.yml:

security:

    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        main:
            pattern:    ^/
            form_login:
                check_path: /login_check
                login_path: /login
                default_target_path: /profile
                provider: fos_userbundle
            logout:
                path:   /logout
                target: /splash
            anonymous: ~

    access_control:
        - { roles: ROLE_USER, requires_channel: https }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }

    acl:
        connection: default

Environment Architecture:

The Server1 and Server2 holds Symfony2 application.

Question:

How to force Symfony to generate redirect URL with https protocol instead http?

So far I have looked at these docs, and the solution didn't work work in my case:

• http://symfony.com/doc/current/cookbook/routing/scheme.html

Answer 1

Take a look at

vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php

AWS ELB's use HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT while Symfony looks the X_FORWARDED_PROTO and X_FORWARDED_PORT headers to judge the connection and its secure status.

You can try changing those keys in the trustedHeaders although I would not recommend directly changing them but finding a way to override those.

protected static $trustedHeaders = array(
        self::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
        self::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
        self::HEADER_CLIENT_PROTO => 'HTTP_X_FORWARDED_PROTO',
        self::HEADER_CLIENT_PORT  => 'HTTP_X_FORWARDED_PORT',
    );

Reference - http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-for

Answer 2

1. Make sure that trusted_hosts and trusted_proxies configuration properties are set appropriately.
2. Make sure that your load balancer adds X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port and, what's most important, X-Forwarded-Proto headers to the HTTP request send to the application.

Documentation: Trusting Proxies.

---

EDIT:

As @A23 suggested you should also check if ELB is using "standard" headers names. If not, change them using one of following:

Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');

Answer 3

I had the exact same problem with a PHP application using AWS and ELB with SSL in a CakePHP application.

My solution was good in some ways and bad in others. The problem was that Amazon sends different HTTPS headers than the PHP headers you look for: $_SERVER['HTTPS'] is off, while Amazon sends alternative HTTPS headers that you can use to identify that it is in fact running under HTTPS:

$_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'

I worked out that my base URL constant that Cake defined internally had the http protocol in it, so I simply redefined the $_SERVER['HTTPS'] variable on the very first line of my index.php file in Cake - and I wouldn't be surprised if you could do the same in symfony):

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

This allowed my application to continue on, detect HTTPS as being 'on' as would normally be expected and allow Cake to internally manage the protocol in my base URL constant.

Good:

• fixed the problem immediately
• used 3 lines of code

Bad:

• whenever I upgrade my Cake core, I'll have to put this back in again

Answer 4

How to force Symfony to generate redirect URL with https protocol instead http?

You need to explicitly configure the HTTPS protocol because by detection alone, Symfony2 will only guess HTTP as HTTP is used as transport protocol to the application.

So for the component that creates the redirect URI, you need to inject the HTTPS base URI-Scheme. One simple way to do this, is to configure the base-URI as a parameter and then within the configuration.

Example codes are given

• like: http://web.archive.org/web/20130119123312/http://www.dobervich.com/2011/05/19/more-sophisticated-symfony2-login-redirection/
• or: http://web.archive.org/web/20130119124912/http://www.dobervich.com/2011/10/13/login-redirection-revisited/

Answer 5

are you use absolute url for redirection? i was facing a similar issue behind myracloud when we used relative urls on redirection. myracloud "fixed" it and made it absolute, but lost the protocol.

Answer 6

I have solved this kind of issue in my .htaccess, it has the downside that it always redirects to https also not behind a S2 firewall, which is ok in my case since I only have the login form publicly available and I want the credentials to be sent via https

 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule (.*) https://%{SERVER_NAME}/$1 [redirect=permanent,last]

Answer 7

The solutions above did not work for me. I added the following line of code (as suggested in Symfony2's docs http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly) to my web/app.php:

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

right after

$request = Request::createFromGlobals();

That solved the problem for me in Symfony 2.5.