Director::forceSSL does not force SSL when using #7492
Comments
|
My view is we stop recommending using forceSSL - instead use a middleware to force SSL or serverside config. However, the problem is |
|
OK - so I've looked into this - calling This means that you can't make changes based on request state at this point in SS4. So the solution is either create an SSL middleware or add this to a controller init method. See #7215 (comment) for some more info |
|
both forceSSL and forceWWW should be moved to middlewares or just fully deprecated in favour of server side configuration IMO |
|
I'm going to close this as "not a bug" if we have docs that recommend putting the |
|
Well my 2c should be we either remove the function because it doesn't do what it says on the tin, or b we keep the function, detect that HTTPRequest hasn't been built and throw an exception as currently it's a change from 3.6. Forum is littered with use of |
|
@silverstripe/core-team thoughts please? |
|
I am in favour of throwing exception to prevent silent failures. |
|
Not keen to break APIs just now. Would recommend that Then the middleware can do the hard work, as Dan suggests. I'd probably design the middleware to be a little more generic than just forceSSL: cover force ssl, add www, canonicalise domain name. |
|
Maybe not setting a config value (setting config outside of YML isn't recommended anymore) but yes some flag that triggers the later middleware would be great :) That way forceSSL() in _config.php would work normally. |
|
Setting config isn't recommended, but neither is |
|
Yes we can deprecate it with a new middleware at the same time. :) |
|
OK - are we happy to add new middleware now we are in RC or will this change have to wait? |
|
I think 4.1 is fine. |
|
IMHO it should be |
|
Marked as a high bug because SSL matters. Note that fixing this bug will probably involve creating a new configuration point / middleware and deprecating this one, but that doesn't stop is being a bug. |
Do you mean that they have multiple certificates / domain names that their site operates under, or is there a single canonical HTTPS domain that everyone should be redirected to? Just wondering to help flesh out how we structure the undeprecated API. |
|
Ok, let's fix in rc2? |
|
From an operational and deployment perspective I would like to mention that any redirection logic should not be triggered in CLI environments. This has in the past been surfaced bugs where for example it's been triggered on dev/builds or other tasks with the result of a sudden exit without any output. |
|
I believe in CLI the expected behaviour is that it would immediately process the redirected URL. It's not consistently implemented though. We may want to adjust our expectations here. :) |
|
Yeah, absolutely, just want to make sure we all realise there are 2 supported environments for SilverStripe :) |
|
SSL redirection is a specialised case of redirection, other cases are redirecting to a specific domain or subdomain (domain.com -> www.domain.com, ie domain canonicalization). If you are running several websites on a server you would then need to set up multiple virtual hosts with a list of listening domains. If then SilverStripe does the redirection, you would need to synchronise the domains and redirections between the SilverStripe application and the web server / forward proxies. The above might be a bit more complicated case, but I think it highlights that it's easy to cause unexpected bugs in production mode that cannot easily be reproduced in dev / UAT environments. For simple setups, where the web server just points to a document root for all incoming connections, it's easy enough for SilverStripe to take care of all redirection/domain checking. I don't have a good answer on where the responsibilities of a web server end and SilverStripes begin. |
|
I would propose expected behaviour for forceSSL() in CLI is that the request was processed where is_https() would return true. It could be as simple as modifying the protocol of the current request object, or otherwise it could re-start a request with this flag set. This would be necessary for code paths which generate links based on the "current url", which should then have the necessary |
|
Doing #7509 in 4.1 would make CLI behaviour of forceSSL less important :-) |
|
I just noticed that when running "sake dev/build" from the command line, the base_path will always be http, even though I have https in This is a problem when generating static files (like error-404.html). I read this issue and #7509 but I am not sure if this has been solved, or if there is a solution I can apply to my project (apart from running dev/build from a browser instead.) I am guessing this is the same issue, but I am not sure. Is this something you knew already? |
|
@jmfederico we fixed this recently with #8028, it'll be released soon |
|
@robbieaverill thanks, missed that PR. |
Might just be something to note in the
.envdocumentation but this is something I caught in production today:Defined a base URL in
.envSS_BASE_URL="https://www.site.co.nz/"In
app/_config.php:Director::forceSSL();.Result:
Accessing http://www.site.co.nz incorrectly works, no redirection takes place as the check in Director::is_https() fails with the provided SS_BASE_URL.
Fix is to use the non-ssl version in the
.envfile but I think that's a simple issue for users to trip up on and could result in users being able to access pages over HTTP.PR:
The text was updated successfully, but these errors were encountered: