Symfony Security Forces HTTPS Despite requires_channel http

Question

I'm working on configuring a new symfony install for security, but my login form won't behave. Whenever i'm redirected to the login page, symfony redirects to https and adds :80 to the domain.

Here's my security.yml

# app/config/security.yml
security:
    firewalls:
        login:
            pattern: ^/login
            anonymous: true
        main:
            pattern:    ^/
            anonymous:  false
            form_login:
                login_path: /login
                check_path: /login_check
            logout:
                path:   /logout
                target: /home

    access_control:
        - { path: ^/login$,    roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: http  }
        - { path: ^/secure, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/secure/max, roles: ROLE_ADMIN }

    providers:
        in_memory:
            memory:
                users:
                    ryan:  { password: ryanpass, roles: 'ROLE_USER' }
                    admin: { password: kitten, roles: 'ROLE_ADMIN' }

    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

The Routing file for my login path controller:

login:
    pattern: /login
    defaults: { _controller: RGCoreBundle:Default:login }

login_check:
    pattern: /login_check

When I visit the home page, i'm redirected to:

https://myserver.com:80/login

...which obviously doesnt work because I dont have SSL configured...

I've tried changing the login route's path and it will update to point at the new path, so it's definately reading the config file...

Where else should I look? This is a fresh install and I wiped out the ACME bundle already.

Update:

I'm diving my way through the Kernel with the debugger and print statements.

So far i can determine it's doing this because, when authentication fails (as it should), a redirect response is generated for "login_path". The call to generateUri calls the original Request objects 'geturi" function.

Tracing this, the cause so far is that the Request object's ServerBag has HTTPS => on.

I haven't figured out where that get's set though.

Answer 1

(For nginx) While the existing answer indicates that you could comment out fascgi_param HTTPS on; However, for some configurations they need that designation. A better solution is to have it on when the url is https and turn it off when it isn't.

Luckly, in the nginx config files, $https is set to "on" if its a secure port, and "off" if it isn't. So this should work:

fascgi_param HTTPS $https;

If you are using an old version of nginx (pre 1.1.11), $https isn't defined, so you can do so manually in your config file.

if ($server_port = 443) { set $https on; }
if ($server_port = 80) { set $https off; }

Answer 2

Based on your security file it doesnt appear to be a symfony issue. Likely there is some configuration with your web server that is redirecting to https and to port 80. If you cant find that i would do a file text search in your project for "80" and see if there is anything redirecting you to that port and likely the https will be in the same spot