Add a configuration to force the server port when behind a load balancer

Created on 14 August 2024, 4 months ago
Updated 19 August 2024, 4 months ago

I would like to be able to add a configuration option to force the server port to 443 in HTTPS environments when behind a load balancer.
While using SimpleSAML there's a possibility to set this in a config file:

// isset() avoids an undefined-index warning on plain HTTP requests.
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
  $_SERVER['SERVER_PORT'] = 443;
}

but this seems to be missing now in SAMLAuth.
In our case the RelayState parameter passed to the IdP has the port in it, and it's the wrong one: 8080.

It seems that the SAML PHP Toolkit (/vendor/onelogin/php-saml/src/Saml2) checks the server port setting in Utils.php, which gets called in the SSO login:

else if (isset($_SERVER["SERVER_PORT"])) {
    $portnumber = $_SERVER["SERVER_PORT"];
}

The problem could be solved on the server side too, but I cannot access it in this particular case. See also https://github.com/SAML-Toolkits/php-saml?tab=readme-ov-file#working-beh...

Feature request

Status: Active
Version: 3.10
Component: Code
Created by: 🇫🇮Finland mlahde


Comments & Activities

  • Issue created by @mlahde
  • 🇫🇮Finland mlahde

    This patch works for us, but is far from stylish. Prolly the setting of the actual port should be somewhere else.
    I'd be interested to know if anybody else has been facing this, and how did you tackle it? I'm still trying to get this on the server side, so this is probably a temporary solution. Yeah, right.
    Used git diff origin/8.x-3.x > force-server-port-3468089-2.patch

  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    I believe this is a duplicate of "Force HTTPS for ACS and SLS" (Closed: works as designed).

    There's a pointer in the samlauth README now, and a pointer to the Drupal documentation page https://www.drupal.org/node/425990.

    I believe configuring these 'reverse_proxy' settings is better than solving things in the samlauth module, because 'Drupal thinks the site is on a wrong port/protocol' affects more than just SAML. It's a general Drupal issue.

    If you can't make it work, then I am open to discussing this (like in "How to resolve wrong protocol issue (reverse proxies with dynamic IP)", Needs work), but I need specific info on why it would not be working. Until further notice I believe you're getting the port/protocol info in some proxy headers that Drupal can pick out.

    If you have suggestions to improve the README to make this more obvious, I'm open to them.

    The Drupal documentation page really needs an overhaul / to be more prominently featured. Realistically... that's not likely to make it to the top of my to-do list.
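
The trust decision behind the reverse-proxy approach discussed in this thread, as an added example that is not part of the thread and not code from samlauth, php-saml or Drupal: forwarded port/protocol headers are honored only when the request's direct peer is a known proxy, otherwise SERVER_PORT is used. The function name `effective_port`, the `$trustedProxies` list and all addresses are hypothetical.

```php
<?php
// Added illustration; not code from samlauth, php-saml or Drupal core.
// effective_port() and every address below are constructed for this example.

function effective_port(array $server, array $trustedProxies): int
{
    $fallback = (int) ($server['SERVER_PORT'] ?? 80);

    // Forwarded headers are client-controlled unless the direct peer is our proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $fallback;
    }

    // Prefer an explicit forwarded port, but only if it is a valid port number.
    $port = filter_var(
        $server['HTTP_X_FORWARDED_PORT'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]
    );
    if ($port !== false) {
        return $port;
    }

    // Otherwise derive the default port from the forwarded protocol.
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    if ($proto === 'https') {
        return 443;
    }
    if ($proto === 'http') {
        return 80;
    }
    return $fallback;
}

$trusted = ['10.0.0.5']; // constructed load balancer address

// Relayed by the load balancer: backend listens on 8080, client connected over HTTPS.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'SERVER_PORT' => '8080',
             'HTTP_X_FORWARDED_PROTO' => 'https'];
// Direct request carrying a forged header: the header is not consulted.
$forged = ['REMOTE_ADDR' => '203.0.113.7', 'SERVER_PORT' => '8080',
           'HTTP_X_FORWARDED_PORT' => '8443'];

printf("via proxy: %d\n", effective_port($viaProxy, $trusted));
printf("forged:    %d\n", effective_port($forged, $trusted));
```

An unconditional `$_SERVER['SERVER_PORT']` override skips the peer check entirely, which is only safe when the backend cannot be reached except through the load balancer.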
