- Issue created by @ciesinsg
- Status changed to Needs work
11 months ago 9:43pm 19 December 2023 - 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
Please try the literal value 'REMOTE_ADDR' instead of an IP address.
See https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-... . This documents Symfony, which is used by Drupal -- the
$settings['reverse_proxy_addresses']
value is (AFAICT) completely equivalent to what that page documents as the trusted_proxies: configuration value.
Why you should do this: it's not only this module. More examples of what will go wrong / what is ideal are at this comment → . Also, the popular metatag module will have some values/tokens/tags that will start with http:// when you really want them to be https://.
I didn't try, but am fairly confident this will work. Please keep this issue status at "Needs work" for... someone to update the samlauth README and/or the linked drupal.org documentation page with this info. Eventually it will happen.
- 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
Oh, and point 1 over at https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-... implies that you are implicitly trusting that Cloudfront did not misconfigure their stuff / is not letting anything except their dedicated reverse proxies contact your web application.
Because that would be dangerous / insecure.
(But sure you can trust Cloudfront.)
- 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
Oh, I didn't even read the Symfony page all the way. Apparently there are issues with cloudfront and you need to configure additional IPs.
You can also try the patch from 💬 Force HTTPS for ACS and SLS (Closed: works as designed). I've closed that issue as "works as designed", and am not planning to commit it... unless more people say they really want it, despite the fact that their Drupal site can be regarded "not fully functional in theory".
- 🇨🇦Canada ciesinsg
Hi Roderik, thanks once again for assisting with my query. I have found a working configuration that resolves the protocol issue very simply. It seems that it matches your suggestion as well:
$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = array($_SERVER['REMOTE_ADDR']);
For trusted headers, I checked with my server team to see which header we are using, so I imagine this part could differ depending on server specifics:
$settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;
The site is now generating the right ACS URL using https instead of http.
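As an added illustration (not code from this thread, from samlauth or from Drupal core), the following stand-alone PHP script uses the same Symfony HttpFoundation component Drupal runs on to show what the settings above change, and why the caveat about CloudFront matters. It assumes symfony/http-foundation is installed via Composer; the proxy and client addresses are constructed, and the script writes $_SERVER['REMOTE_ADDR'] itself to mimic settings.php being evaluated once per request.

```php
<?php
// Added example, not part of the issue thread or the samlauth module.
// Needs symfony/http-foundation (the component Drupal itself uses):
//   composer require symfony/http-foundation
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/**
 * Simulate one request reaching PHP over plain HTTP from $peer, which claims
 * via X-Forwarded-Proto that the original client used $proto. settings.php
 * is evaluated per request, so $_SERVER['REMOTE_ADDR'] is set first, exactly
 * as the thread's array($_SERVER['REMOTE_ADDR']) would see it.
 */
function handle(string $peer, string $proto, bool $reverseProxy): Request
{
    $_SERVER['REMOTE_ADDR'] = $peer;

    if ($reverseProxy) {
        // Equivalent of:
        //   $settings['reverse_proxy'] = TRUE;
        //   $settings['reverse_proxy_addresses'] = array($_SERVER['REMOTE_ADDR']);
        //   $settings['reverse_proxy_trusted_headers'] = HEADER_X_FORWARDED_PROTO | HEADER_FORWARDED;
        Request::setTrustedProxies(
            [$_SERVER['REMOTE_ADDR']],
            Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_FORWARDED
        );
    } else {
        // No reverse_proxy settings at all: no peer is trusted, headers are ignored.
        Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_PROTO);
    }

    // The request as PHP sees it: TCP from $peer, scheme http, plus the proxy header.
    return Request::create('http://example.com/saml/acs', 'GET', [], [], [], [
        'REMOTE_ADDR'            => $peer,
        'HTTP_X_FORWARDED_PROTO' => $proto,
    ]);
}

/** The scheme Drupal's URL generator (and so samlauth's ACS URL) ends up with. */
function acsScheme(Request $r): string
{
    return $r->getScheme();   // 'https' only when the request counts as secure
}

$cdn   = '203.0.113.10';   // constructed: the CDN edge that proxies to this origin
$rogue = '198.51.100.7';   // constructed: a client that reached the origin directly

// 1. Default Drupal settings: the header is ignored, the ACS URL is built with http://.
$r = handle($cdn, 'https', false);
printf("no reverse_proxy settings : peer=%s  scheme=%s\n", $cdn, acsScheme($r));

// 2. The configuration from the thread: the header is honoured, the ACS URL is https://.
$r = handle($cdn, 'https', true);
printf("trust REMOTE_ADDR         : peer=%s  scheme=%s\n", $cdn, acsScheme($r));

// 3. The caveat raised earlier in the thread: with REMOTE_ADDR trusted, every
// peer that can open a connection to PHP is a "proxy", so a direct client can
// forge the scheme (and the client IP too, were X-Forwarded-For also trusted).
// This is only acceptable when the origin accepts connections from the CDN alone.
$r = handle($rogue, 'https', true);
printf("trust REMOTE_ADDR, direct : peer=%s  scheme=%s\n", $rogue, acsScheme($r));
```

Runs 1 and 2 print scheme=http and scheme=https respectively; run 3 also prints https, which is the point of the warning about CloudFront misconfiguration. As far as I know, current Symfony versions resolve the literal string 'REMOTE_ADDR' to $_SERVER['REMOTE_ADDR'] inside setTrustedProxies(), which is why the literal value suggested above and array($_SERVER['REMOTE_ADDR']) behave the same in Drupal; the practical check is that the origin firewall or security group only admits the CDN's published address ranges, so that run 3 cannot happen.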