
Is there documentation showing how to force HTTPS on Google App Engine - Flexible PHP?

I tried placing secure on app.yaml and I had no luck.

I also tried placing this in nginx-app.conf, but no luck.

I also tried

set $test "";

if ($http_x_forwarded_proto = 'http') {
    set $test "http";
}

# $test is only ever "" or "http" above, so this comparison never matches
if ($test = 'http-non-cron') {
    return 301 https://$host$request_uri;
}

Other Option I tried

<?php
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
    exit();
?>

but no luck.

Dos
  • Related: https://stackoverflow.com/a/48755788/4495081 – Dan Cornilescu Mar 12 '18 at 23:48
  • @DanCornilescu, could you show examples with the X-Forwarded-Proto? I reviewed the link from https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet but I would like a PHP example – Dos Mar 12 '18 at 23:53
  • I didn't use it myself, I just remembered seeing the answer with the pointer to the official docs. – Dan Cornilescu Mar 12 '18 at 23:55
  • Not a PHP user either, but I see https://stackoverflow.com/questions/768431/how-to-make-a-redirect-in-php – Dan Cornilescu Mar 13 '18 at 00:17
  • @DanCornilescu can you please convey your message(s) in an answer? The community would benefit from having the answer as an _answer_ and you as well :) Or, if you consider the question as a duplicate, flag it. Thank you and mulțumesc. – Tudormi Mar 19 '18 at 12:05
  • Possible duplicate of [How to enforce HTTPS traffic to Google App Engine with custom domain?](https://stackoverflow.com/questions/48752601/how-to-enforce-https-traffic-to-google-app-engine-with-custom-domain) – Dan Cornilescu Mar 19 '18 at 13:29
  • @DanCornilescu the answer is not posted in the link as the secure header in app.yaml has been deprecated – Dos Mar 19 '18 at 15:26
  • Yes, that's mentioned in one of the answers to that question. – Dan Cornilescu Mar 19 '18 at 20:26

1 Answer

Use the following code (remove -non-cron from the comparison):

set $test "";

if ($http_x_forwarded_proto = 'http') {
    set $test "http";
}

if ($test = 'http') {
    return 301 https://$host$request_uri;
}

If you have cron handlers, you have to allow HTTP access for those handlers with a configuration like the following:

set $test "";

# The App Engine front end terminates TLS and reports the original scheme here.
if ($http_x_forwarded_proto = 'http') {
    set $test "http";
}
# Prefix match (regex), so that everything under /cron/ stays reachable over plain HTTP;
# an exact "!= '/cron/'" comparison would only exempt that single path.
if ($request_uri !~ "^/cron/") {
    set $test "${test}-non-cron";
}
# Redirect only plain-HTTP requests that are not cron handlers.
if ($test = 'http-non-cron') {
    return 301 https://$host$request_uri;
}

Takashi Matsuo
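The same X-Forwarded-Proto decision the answer's nginx rules make, done in PHP for the case where the redirect has to live in application code rather than nginx-app.conf. This is an added example, not code from the question or the answer; it assumes the App Engine front end is the only party that can set X-Forwarded-Proto, and uses a hypothetical prefix /cron/ for the handlers that must stay reachable over plain HTTP.

```php
<?php
// Behind the App Engine proxy the PHP process always sees plain HTTP, so the
// client's real scheme has to be read from X-Forwarded-Proto (assumption: the
// front-end proxy is the only source of this header).

/**
 * Returns the HTTPS URL to redirect to, or null when no redirect is needed
 * (already HTTPS, header absent e.g. on a local dev server, or a cron path).
 */
function httpsRedirectTarget(array $server, string $cronPrefix = '/cron/'): ?string
{
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    $uri   = $server['REQUEST_URI'] ?? '/';
    $host  = $server['HTTP_HOST'] ?? '';

    if ($proto !== 'http' || $host === '') {
        return null;
    }
    // Exempt cron handlers by prefix, not by exact string, so /cron/nightly
    // and /cron/?x=1 are covered too.
    if (strncmp($uri, $cronPrefix, strlen($cronPrefix)) === 0) {
        return null;
    }
    // Redirects to the Host the request carried; if the app answers for several
    // domains, substitute a configured canonical host here instead.
    return 'https://' . $host . $uri;
}

function enforceHttps(): void
{
    $target = httpsRedirectTarget($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit();
    }
    // HSTS only makes sense on an HTTPS response; browsers ignore it over HTTP.
    if (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
}

enforceHttps();
```

Include this at the top of the front controller so it runs before any output is sent; the user's original snippet called exit() unconditionally, which is why every page came back empty.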