Contrib.social

How to resolve wrong protocol issue (reverse proxies with dynamic IP))

Open on Drupal.org β†’
Created on 19 December 2023, 6 months ago
Updated 20 December 2023, 6 months ago

Problem/Motivation

I am having difficulties to configure this module to use https instead of http. Before anyone asks, I have read the README thoroughly, including the Q/A "Q: The 'Metadata URL' (displayed in the configuration screen) has a wrong protocol/host. How can I fix this?"

This directed me to an article about load balancers β†’ which recommended a configuration that is not applicable for me. The issue is that the solution suggested is to add the reverse proxy IPs to the settings.php file, but we are using Cloudfront cdn and the IPs are dynamic. This results in the ACS being generated with http which cannot be configured on our end with Azure.

I have used an alternative SSO module miniOrange which allowed you to edit the ACS so that it is https instead of http which worked without issues. Unfortunately, that module locks attribute mapping behind a paywall so I would prefer to use SAML Auth instead, however I can't find any way to get the ACS url to generate correctly.

Has anybody here faced this issue and can suggest alternative solutions or workarounds for this issue?

πŸ’¬ Support request
Status

Needs work

Version

3.9

Component

Miscellaneous

Created by

πŸ‡¨πŸ‡¦Canada ciesinsg

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @ciesinsg
  • Status changed to Needs work 6 months ago
  • Comment 6 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Please try the literal value 'REMOTE_ADDR' instead of an IP address.

    See https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-... . This documents Symfony, which is used by Drupal -- the $settings['reverse_proxy_addresses'] value is (AFAICT) completely equivalent to what that page documents as the trusted_proxies: configuration value.

    Why you should do this: it's not only this module. More examples of what will go wrong / is ideal, at this comment β†’ . Also, the popular metatag module will have some values/tokens/tags that will start with http:// when you really want them to be https://.

    I didn't try, but am fairly confident this will work. Please keep this issue status at "Needs work" for... someone to update the samlauth README and/or the linked drupal.org documentation page with this info. Eventually it will happen.

  • Comment 6 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Oh, and point 1 over at https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-... implies that you are implicitly trusting that Cloudfront did not misconfigure their stuff / is not letting anything except their dedicated reverse proxies contact your web application.

    Because that would be dangerous / insecure.

    (But sure you can trust Cloudfront.)

  • Comment 6 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU
  • Comment 6 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Oh, I didn't even read the Symfony page all the way. Apparently there are issues with cloudfront and you need to configure additional IPs.

    You can also try the patch from πŸ’¬ Force HTTPS for ACS and SLS Closed: works as designed . I've closed that issue as "works as designed", and am not planning to commit it... unless more people say they really want it, despite the fact that their Drupal site can be regarded "not fully functional in theory".

  • Comment 6 months ago β†’
    πŸ‡¨πŸ‡¦Canada ciesinsg

    Hi Roderik, thanks once again for assisting with my query. I have found a working configuration that resolves the protocol issue very simply. It seems that it is a match your suggestion as well: 

    $settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = array($_SERVER['REMOTE_ADDR']);

    For Trusted headers, I checked with my server team to see which header we are using, so I imagine this part could differ depending on server specifics:

    $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;

    The site is now generating the right ACS Url using https instead of http.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024