0

We have a client that hosts their IIS web server on AWS. When navigating to a particular PHP web application on this server, it works when there is a slash on the end, but not when it is absent.

this works: https://example.com.au/application/

However, if one were to enter this into the address bar: https://example.com.au/application

it redirects to the equivalent http address with a slash on the end: http://example.com.au/application/

http is disabled via the firewall, so the result is an error.

Here is the request details in Chrome debugger enter image description here

So my question is, what does my client need to check to ensure this redirect does not occur? or that instead of redirecting to HTTP, it redirects to HTTPS?

Additional info:

  • This same issue does not seem to occur with .NET web applications. Eg 'https://example.com.au/dotnetapp' will not redirect to 'http://example.com.au/dotnetapp/'.
  • There are no rules configured in "URL rewrite"
  • IIS logs show requests when the HTTPS url is triggered, but not the HTTP one. Edit: This seems to be due to browser caching. After disabling browser caching, i can see the 301 entry in the log files.
  • 'index.php' is set as a default document
Notaras
  • 611
  • 1
  • 14
  • 44
  • How do you navigate? Is url rewrite used? or you can use [failed request tracking](https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-failed-request-tracing-to-trace-rewrite-rules) to view detailed error information. – samwu Oct 01 '21 at 09:39

2 Answers2

2

One possible reason is that the PHP project doesn't know that the secure connection is active and so it's redirecting the page to the http version when adding the slash.

PHP application can detect the secure connection by the $_SERVER['SERVER_PORT'], $_SERVER['REQUEST_SCHEME']. But if the application is behind some reverse proxy (e.g. Varnish or Amazon’s Elastic Load Balancer), the connection to the PHP application is probably not secured. PHP should be informed about the original secure connection with X-Forwarded-* headers. Please check if the PHP has these variables set:

  • $_SERVER['HTTP_X_FORWARDED_PROTO']: should be https,
  • $_SERVER['HTTP_X_FORWARDED_PORT']: should be 443.

Symfony framework

If the application is using the framework, e.g. Symfony, it should be configured to trust the IP of the reverse proxy and to trust also these headers:

# config/packages/framework.yaml
framework:
    # ...
    # the IP address (or range) of your proxy
    trusted_proxies: '192.0.0.1,10.0.0.0/8'
    # trust *all* "X-Forwarded-*" headers
    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
    # or, if your proxy instead uses the "Forwarded" header
    trusted_headers: ['forwarded']

See https://symfony.com/doc/current/deployment/proxies.html for more details and https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly for more detaiils if the IP address of reverse proxy server changes.

pulzarraider
  • 2,297
  • 19
  • 26
0

Looks like you are setting location header in the 'index.php' file and so browser is redirecting to the http url.

If the index.php has code like below, replace the http to https and to the correct URL

header("location:http://example.com.au/application/");

Updated :

Also check your folder to see if any other files are redirecting. Please make sure the index.php is listed as the first in the default document list and none of the other files contain redirect code.

You can search for "meta http-equiv="refresh" http tags in all the files in folder to see if they are redirecting.

Pran Joseph
  • 97
  • 4
  • the application has only one file (index.php) and one line of code in it: `echo "hello";`. There is no header redirect in it – Notaras Oct 05 '21 at 23:41