I downloaded ngrok so i can test my site for http and https requests (if someone is trying to get in my site specific url and it will be a simple http request, i will deny it),
first, my localhost is working in 8080 port
I start ngrok, it gives me the following:
both at the same port, it's a problem i think, because if i do such simple route configuration in laravel:
Route::filter('force.ssl', function()
{
if( ! Request::secure())
{
return 'unsecured';
}
});
and i have this route:
Route::get('survey/payment/secured', array('before' => 'force.ssl', function(){
return 'secured!';
}));
and i do the following request:
https://75fdaa96.ngrok.com/survey/payment/secured
it thinks it unsecured and returns 'unsecured', how can i fix this?
Request::secure() relies on $_SERVER['HTTPS']. As the HTTPS is being provided by the proxy, not your webserver, Laravel doesn't know it's being served as HTTPS.
ngrok does pass the X-Forwarded-Proto header, but Laravel doesn't trust it by default. You can use the trusted proxy middleware to trust it.
Related
I am using nodejs for serving my angular application, and artisan for my laravel API. I would like to let the angular app communicate with the API, but I can't make it work. As far as I know, I can't run both on the same port, as only one app can be run on a port, however, I can't run them on different ports because then my front end app would not be able to send request to the API. I tried to send the request to the server by localhost:8000/login (authentication) but as my front end runs on port 3000 it just can't reach it.
Here's how I start my servers:
node server (starts on port 3000)
php artisan serve (optionally setting port by --port=8000
Is this way even right? I'm new to this kind of concept. What would be the best practice for reaching the API from the frontend?
Update:
When running both servers on the same port I get the error message from google chrome console:
angular.js:11756 POST http://localhost:3000/localhost/login 404 (Not Found)
When running frontend on port 3000 and API on 8000 I get this:
angular.js:11756 XMLHttpRequest cannot load localhost:8000/login. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource.
If I don't define the port for the request it uses the same as the server running on (this case port 3000). If I specify the port I get the error above.
One other thing I tried is putting http:// before the url, then I get this error:
angular.js:11756 POST http://localhost:8000/login (anonymous function) # angular.js:11756sendReq # angular.js:11517serverRequest # angular.js:11227processQueue # angular.js:15961(anonymous function) # angular.js:15977Scope.$eval # angular.js:17229Scope.$digest # angular.js:17045Scope.$apply # angular.js:17337(anonymous function) # angular.js:25023defaultHandlerWrapper # angular.js:3456eventHandler # angular.js:3444
:3000/#/login:1 XMLHttpRequest cannot load http://localhost:8000/login. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 405.
I am working on Application with nodejs and PHP along with Mysql
PHP is frontend here, nodejs is backend
Now
I created a form and while creating a form
i am sending ajax request to Nodejs
like
url: http://example.com:8124/sign_in
Which is working fine
Now Problem is that
When i enabled ssl on Apache.
now i am unable to send request to Node .
it is giving me error, like
Cross-origin policy , load unsafe content
How to resolve this issue
Thanks
That's not a problem with PHP, rather with JavaScript (AJAX). It's because you're trying to load contents from a server that doesn't use SSL from a web page served via SSL.
Simply enable SSL also on the Node app and it will work.
Edit
I do not recommend creating a proxy server in Node.js.
It's actually a good idea to create a proxy server in front of every Node.js app. Indeed, for safety reasons most websites built with Node.js have a Nginx reverse-proxy in front. That is: users connect to Nginx (chosen over Apache for the much better performances) and Nginx makes a request to the Node.js app.
With this setup, you would actually not need to enable SSL in Node.js, as long as Nginx has SSL enabled.
To use SSL directly in Node.js, you need to add just a couple of lines to your app.js file. See this SO question: How do I setup a SSL certs for an express.js server?
If the servers are on the same hostname (just a different port), then you won't need another SSL certificate; if the servers are on a different hostname (e.g. a subdomain) and your SSL certificate isn't a wildcard one, then you will need another certificate.
Speaking about the port... It's true that HTTPS by default runs on 443, but you're free to change it as you want. Just remember to specify it, for example: https://example.com:8443/
A simple way to enable ssl on node is to use a proxy in front of your application:
var fs = require('fs');
var httpProxy = require('http-proxy');
var privateKey = fs.readFileSync('key.pem').toString();
var certificate = fs.readFileSync('cert.pem').toString();
var chainCertificate = fs.readFileSync('ca.pem').toString();
httpProxy.createServer({
target: {
host: 'localhost',
port: ...your application port...
},
ssl: {
key: privateKey,
cert: certificate,
ca: chainCertificate
}
}).listen(...the port for ssl...);
I have a few links in my page. When I open the page in http://, it works just fine (correctly goes to http://www.example.com/path/to/page. But when opened in https://, when I click on the link, it brings me to www.example.com:443/path/to/page instead, and it gives me a 400 error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
I'm sure my link targets are fine (I use relative paths). How can I tackle this issue?
Default port for HTTPS is 443, because of which all calls to HTTP will route to http:/XYZ:443/ by default. If you want to access the url via https, you'd need to enable/setup https in your webserver.
If you are using apache, try this link: http://docs.oracle.com/cd/A95431_01/install/ssl.htm
Have you got SSL certificate four your domain or localhost?
"You're speaking plain HTTP to an SSL-enabled server port." Try to change your SSL settings.
I have a load balanced dev site that I'm working out bugs for SSL on and I have ran into one last very annoying issue. On some pages I need to force it to SSL so easy enough, I just wanted to create a
header ("Location: https://www.example.com/mypage.php");
I thought that was easy enough and no worries. However, every time I do this it transforms it back to http. Well as you can figure it creates an endless loop that can't be resolved. I can't figure out how to keep that https in there so that it will pull the secure version of the page. If I navigate directly to the secure page with https it works just fine. The only issue is on this redirect.
Any help would be awesome! I'm using POUND as a load balance proxy. Apache on the web-server nodes. The SSL cert is setup at the Load Balancer.
When loadbalancing, 'internal' SSL usually goes out the door: Clients connect through a load-balancer with which you can do SSL encryption, but behind that in most loadbalancers I've seen is plain 'HTTP'. Try to get your loadbalancer to set a custom header to you indicating that there is a HTTPS connection between loadbalancer & client.
From http://www.apsis.ch/pound/index_html
WHAT POUND IS:
...
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
And from more manual pages:
HTTP Listener
RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location:
headers in responses. If they point to the back-end itself or to
the listener (but with the wrong protocol) the response will be
changed to show the virtual host in the request. Default: 1
(active). If the value is set to 2 only the back-end address is
compared; this is useful for redirecting a request to an HTTPS
listener on the same server as the HTTP listener.
redirecting to https pages is no problem.
you can check for the port, scheme or server variable (probably server variable is the best) to see if https is on, and have it as a condition for redirecting
$_SERVER['SERVER_PORT'] == 443
parse_url($_SERVER['REQUEST_URI'],PHP_URL_SCHEME) == 'https'
$_SERVER['HTTPS'] == 'on'
but as you have an infinite loop there must be something else wrong!
try using the load blancer "balance" instead. it only takes about 5 minutes to set up, and instead of proxying, will do "real" load balancing. I would guess your proxy is currently redirecting https requests to the http address. Try making a request without using the balancer. you can do this by setting up the host name in your /etc/hosts file to point directly to a server instead of to the load balancer's IP
The problem that I am having has to do with the need to keep some urls of a website protected by HTTPS and the rest kicked to HTTP.
Normally, you have $_SERVER['HTTP_HTTPS'] or $_SERVER['HTTPS'] (depending on your flavor of Apache). You also can check the port - it's 80 for normal traffic and 443 for HTTPS.
My problem is that the certificate sits on the loadbalancer, and all these variables are unavailable, and the webserver sees http://www.foo.com on port 80. One way to fix this is to tell the loadbalancer to send the traffic on a different port, but I wonder if there are other ways to detect HTTPS coming from the load balancer?
If anybody has the same issue behind an Amazon AWS Elastic Load Balancer, the solution is simple because the $_SERVER variable will include:
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
So, to get the protocol, you could use:
function getRequestProtocol() {
if(!empty($_SERVER['HTTP_X_FORWARDED_PROTO']))
return $_SERVER['HTTP_X_FORWARDED_PROTO'];
else
return !empty($_SERVER['HTTPS']) ? "https" : "http";
}
If the load balancer is the other end of the SSL connection, you cannot get any more info than the load balancer explicitly provides. I would go for adding a http header, it may already be doing that, dump all the HTTP headers and look.
As another solution, you can do the redirection on the load balancer based on URL.
the $_SERVER['HTTP_X_FORWARDED_PROTO'] seems to be a good solution for joomla users because if your loadbalancer does the rediretion and you set the force_ssl setting to 1 or 2 then you will end in an infinite loop because joomla always sees http: