phpcakephpsslhttpscakephp-1.3

CakePHP Force SSL - env('HTTPS') always null


I've tried quite a few different solutions (here, here, here, here) but almost all of them caused either 404 or infinately loops.

Finally I found this question which seems to get the closest to working; but it also causes an error in Firefox when I try to load one of the actions I wish to require SSL on:

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

Finally through a bunch of debugging I have found that env('HTTPS') always returns null for some reason (as does $this->RequestHandler->isSsl(); and $_SERVER['HTTPS']) even when I'm using an HTTPS connection. I cannot understand why this is happening, since my browser reports that I am SSL secure and my certificate seems to be installed correctly.

More Info

nginx server

listen 80;
listen 443 ssl;

ssl_certificate     /etc/ssl/certs/domain.chain.crt;
ssl_certificate_key /etc/ssl/private/domain.key;
...

App Controller

var $secureItems = array('login', 'edit', 'viewDocs');

function beforeFilter() {
    $this->Auth->allow('index', 'display');
    $this->set('loggedUser', $this->Auth->user());

    $this->__checkSSL();
}

__checkSSL() and supporting functions are directly from the previously link question (this one).

Pages load fine in HTTP and HTTPS as long as its not one of the actions I have listed in $secureItems as soon as I go to one of those actions (either HTTP or HTTPS) it infinately redirects.

Any help is appreciated!

Edit:

I am pretty sure the issue is an infinite loop caused by env('HTTPS') always being null. Since its null the check condition is always false and makes it redirect to an HTTPS URL even though its already on one.

Is there another way I can check for HTTPS or can someone tell me why env('HTTPS') is always returning null?


Solution

  • You're edit is a step in the right direction...

    It is down to the web server to set environment variables such as $_SERVER['HTTPS'].

    If this has a no value, you need look no further than the web server - nginx in your case - or at any web servers inbetween (reverse proxies, etc.)

    I don't have any experience with SSL on nginx in particular, but from what I can gather you need to make sure nginx is sending fastcgi_param HTTPS on for connections on port 443.

    Adding something like this, perhaps:

    server {
        listen 443;
        server_name example.com;
    
        ssl on;
        fastcgi_param HTTPS on;
    
        # ...
    }
    

    Search for "nginx fastcgi_param HTTPS" for other config examples.

    I also found some other variables that may be of use further down the line.