[DX] Log potential redirect loops caused by forced HTTPS #27605
I have also submitted symfony/symfony-docs#9924 to help point developers in the right direction via documentation. That PR does not document this change, it just provides a different avenue to notify the developer about the potential issue. Feel free to merge that instead of this (or merge both! 😃)
@@ -47,6 +47,9 @@ public function handle(GetResponseEvent $event) | |||
if ('https' === $channel && !$request->isSecure()) { | |||
if (null !== $this->logger) { | |||
$this->logger->info('Redirecting to HTTPS.'); | |||
if ('https' === $request->headers->get('X-Forwarded-Proto')) { | |||
$this->logger->debug('Possible redirect loop - did you set "trusted_proxies" correctly?'); |
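Review bot: the strict `'https' === $request->headers->get('X-Forwarded-Proto')` comparison on the new line misses the comma-separated form the header takes when more than one proxy is chained (e.g. `https,http`) and any upper-case spelling, which are exactly the multi-proxy setups where `trusted_proxies` is most often wrong. Consider comparing the first comma-separated element case-insensitively so the hint fires there too. The `debug` level is the right choice for the hint, since the header is supplied by whoever sends the request and the message must not read as a confirmed misconfiguration.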
What about `warn`?
This log message could be triggered by anybody who sends HTTP requests to the server with that header:

```sh
curl http://www.example.com -H 'X-Forwarded-Proto: https'
```

If the site is configured to log messages with a minimum severity of `warn` or higher then their logs could potentially be flooded with "false positives". Using `debug()` would prevent that from happening unless the site is configured to log `debug` messages (which I'd assume somebody might do if they had an unexpected redirect loop and were looking for clues).

That being said, I'm not strongly opposed to using a different log level if others feel that it is more appropriate.
Since there is already an `info` level message, we could merge the new one with the existing one:

```php
$this->logger->info('Redirecting to HTTPS ("X-Forwarded-Proto" is set to "https" - did you set "trusted_proxies" correctly?).');
```
Good idea! I've made it so that only one message will ever be logged.
@@ -47,6 +47,9 @@ public function handle(GetResponseEvent $event) | |||
if ('https' === $channel && !$request->isSecure()) { | |||
if (null !== $this->logger) { | |||
$this->logger->info('Redirecting to HTTPS.'); | |||
if ('https' === $request->headers->get('X-Forwarded-Proto')) { |
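Review bot: the condition on the last line of the hunk only inspects `X-Forwarded-Proto`, so a proxy that advertises the scheme through the standardised `Forwarded: proto=https` header (RFC 7239) produces the identical redirect loop without ever triggering the hint. Consider also reading the `proto` parameter of the first `Forwarded` element before deciding whether to log the hint.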
This could also handle RFC 7239's `proto` parameter.
I've added an additional check for this parameter.
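The two points raised above (the hint being triggerable by any client that sends the header, and the proxy advertising the scheme via either `X-Forwarded-Proto` or the RFC 7239 `Forwarded` header) are easiest to see in a small model of the forced-HTTPS channel. The following is an added example written for this page, not Symfony's `ChannelListener` or `Request` code: it assumes a TLS-terminating proxy at the constructed address `10.0.0.5` that forwards plain HTTP to the application, and it reproduces the trusted-proxy semantics only as far as needed (the forwarded scheme is honoured only when the peer address is in `trusted_proxies`). Running `simulate` with an empty `trusted_proxies` list shows the loop; running it with the proxy network trusted shows the request passing through.

```python
"""Model of a forced-https channel behind a reverse proxy (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                  # scheme of the TCP leg that reached the application
    remote_addr: str             # peer address as seen by the application
    headers: dict = field(default_factory=dict)


def header(req, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def forwarded_proto(req):
    """Scheme claimed by forwarding headers, or None.

    RFC 7239 'Forwarded' is consulted first (proto parameter of the first
    element), then the first value of X-Forwarded-Proto, which becomes a
    comma-separated list when several proxies are chained.
    """
    fwd = header(req, 'Forwarded')
    if fwd:
        for pair in fwd.split(',')[0].split(';'):
            key, _, value = pair.strip().partition('=')
            if key.strip().lower() == 'proto':
                return value.strip().strip('"').lower()
    xfp = header(req, 'X-Forwarded-Proto')
    if xfp:
        return xfp.split(',')[0].strip().lower()
    return None


def is_trusted(remote_addr, trusted_proxies):
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def is_secure(req, trusted_proxies):
    """Forwarded scheme counts only when the peer is a trusted proxy."""
    if is_trusted(req.remote_addr, trusted_proxies):
        proto = forwarded_proto(req)
        if proto is not None:
            return proto == 'https'
    return req.scheme == 'https'


def handle(req, trusted_proxies, log):
    """Forced-https channel: return a redirect URL, or None to let the request through.

    Mirrors the PR: an info entry for every redirect, plus a debug hint when a
    forwarding header already claims https. Any client can send that header,
    which is why the hint stays at debug level.
    """
    if is_secure(req, trusted_proxies):
        return None
    log.append(('info', 'Redirecting to HTTPS.'))
    if forwarded_proto(req) == 'https':
        log.append(('debug', 'Possible redirect loop - did you set "trusted_proxies" correctly?'))
    return 'https://' + header(req, 'Host') + '/'


def simulate(trusted_proxies, proxy_ip='10.0.0.5', max_hops=5):
    """Client speaks https to the proxy; the proxy forwards http + X-Forwarded-Proto.

    Each redirect is followed by the client and arrives at the application in
    exactly the same shape, so the count of redirects within max_hops shows
    whether the configuration loops.
    """
    log, redirects = [], 0
    for _ in range(max_hops):
        req = Request('http', proxy_ip, {'Host': 'www.example.com', 'X-Forwarded-Proto': 'https'})
        if handle(req, trusted_proxies, log) is None:
            break
        redirects += 1
    return redirects, log


if __name__ == '__main__':
    print('untrusted proxy:', simulate([])[0], 'redirects')           # loops
    print('trusted proxy:  ', simulate(['10.0.0.0/8'])[0], 'redirects')  # 0
```

The same `handle` call also shows the false-positive case from the discussion: a request from a non-proxy address carrying `X-Forwarded-Proto: https` is redirected once (correctly, since the header is ignored) but still produces the debug hint, so a deployment that logs at `debug` can expect that line from any client that chooses to send the header.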
If the developer forgets/fails to set "trusted_proxies" properly, forcing the https channel can cause infinite redirect loops. This change will hopefully help them identify the problem faster. See symfony#27603
Thank you @colinodell.
…PS (colinodell)

This PR was merged into the 4.2-dev branch.

Discussion
----------

[DX] Log potential redirect loops caused by forced HTTPS

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #27603
| License       | MIT
| Doc PR        | n/a

If the developer forgets/fails to set "trusted_proxies" properly, forcing the https channel can cause infinite redirect loops. This change will hopefully help them identify the problem faster. See #27603

Commits
-------

53048ce Log potential redirect loops caused by forced HTTPS