After being pointed in the right direction here (Laravel 5.4 relative instead of absolute 302 redirects),
I've been trying to get the Laravel TrustProxies middleware to work, but it seems to be ignoring the X_FORWARDED_PROTO header.
My scenario
My app in Laravel (just upgraded from 5.4 to 5.5) is behind a load balancer, which translates all traffic from HTTPS to HTTP.
My problem
All redirects are going over HTTP instead of the original protocol, HTTPS.
Attempted Solution
Upgrade from Laravel 5.4 to 5.5 and take advantage of the TrustProxies middleware now shipped with Laravel out of the box.
Middleware has:
    protected $proxies = '*';
    /**
     * The current proxy header mappings.
     *
     * @var array
     */
    protected $headers = [
        Request::HEADER_FORWARDED => 'FORWARDED',
        Request::HEADER_X_FORWARDED_FOR => 'X_FORWARDED_FOR',
        Request::HEADER_X_FORWARDED_HOST => 'X_FORWARDED_HOST',
        Request::HEADER_X_FORWARDED_PORT => 'X_FORWARDED_PORT',
        Request::HEADER_X_FORWARDED_PROTO => 'X_FORWARDED_PROTO',
    ];
App\Http\Kernel has registered the middleware:
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\TrustProxies::class,
    ];
My findings:
A tcpdump from the server reveals the header:
Request:
    GET / HTTP/1.1
    X_FORWARDED_PROTO: HTTPS
    Host: mywebsiteaddress.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
But the Response has Location over HTTP:
    HTTP/1.1 302 Found
    Date: Wed, 08 Nov 2017 18:03:48 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Cache-Control: no-cache, private
    Location: http://mywebsiteaddress.com/home
    Set-Cookie: laravel_session=eyJp...In0%3D; expires=Wed, 08-Nov-2017 20:03:48 GMT; Max-Age=7200; path=/; HttpOnly
    Content-Length: 376
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
Additional comments:
Since my app was upgraded from 5.4 to 5.5, I copied the class TrustProxies that otherwise would've been there in a 5.5 fresh installation. Then I registered it in the Kernel.
Maybe I'm missing a step here.
My hope:
That my tiredness is not clouding my mind that I'm overlooking a simple mistake.
Any suggestions, thank you in advance!
Update:
Enabled log_forensics module in Apache and I see the x-forwarded-proto header in the request.
    GET / HTTP/1.1
    X_FORWARDED_PROTO:HTTPS
    Host:mywebsiteaddress.com
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv%3a56.0) Gecko/20100101 Firefox/56.0
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language:en-US,en;q=0.5
    Accept-Encoding:gzip, deflate, br
    Connection:keep-alive
    Upgrade-Insecure-Requests:1
    Cache-Control:max-age=0
Any clue why Laravel may not have it in the headers array?
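
For checking a capture like the ones above, an added example (not part of the original post): it mirrors the header-name translation documented for Apache 2.4, where a request header whose name contains anything other than letters, digits and hyphens is not exported to the environment, and assumes PHP receives headers through that translation (mod_php or CGI/FastCGI). The function names and the `X-Forwarded-For` sample line are constructed for illustration.

```php
<?php
// Added example, not the poster's code. The capture below is constructed
// from the post's tcpdump plus one made-up X-Forwarded-For line.

const FORWARDED_FAMILY = ['forwarded', 'x-forwarded-for', 'x-forwarded-host',
                          'x-forwarded-port', 'x-forwarded-proto'];

/**
 * Mirror Apache 2.4's header-name to environment-variable translation:
 * letters and digits are upper-cased, '-' becomes '_', and a name containing
 * any other character (an underscore included) is dropped. Null means dropped.
 */
function envNameFor(string $header): ?string
{
    if (!preg_match('/^[A-Za-z0-9-]+$/', $header)) {
        return null;
    }
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/** For each forwarding header in a raw request, report what PHP would see. */
function auditForwardedHeaders(string $rawRequest): array
{
    $report = [];
    $lines = preg_split('/\r?\n/', trim($rawRequest));
    array_shift($lines); // skip the request line
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);
        if ($line === '' || count($parts) !== 2) {
            break; // blank line or malformed line: stop at end of headers
        }
        $name = trim($parts[0]);
        // Treat '_' and '-' spellings as the same family for matching only.
        $canonical = strtolower(str_replace('_', '-', $name));
        if (in_array($canonical, FORWARDED_FAMILY, true)) {
            $report[$name] = envNameFor($name) ?? 'DROPPED (invalid character in name)';
        }
    }
    return $report;
}

$capture = "GET / HTTP/1.1\r\nX_FORWARDED_PROTO: HTTPS\r\n"
         . "X-Forwarded-For: 203.0.113.7\r\nHost: mywebsiteaddress.com\r\n\r\n";

foreach (auditForwardedHeaders($capture) as $name => $result) {
    printf("%-20s => %s\n", $name, $result);
}
```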