user1854344

Reputation: 321

PHP builtin server + SSL

I know that PHP built-in server does not support SSL. Is it achievable anyway?

I tried to use Nginx proxy and proxy_pass all HTTPS requests to http://127.0.0.1:8080 but when I have a redirect from http://127.0.0.1:8080 to https://127.0.0.1:8080 it causes a redirection loop.

server {
    listen       443 ssl;
    server_name  127.0.0.1;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
      proxy_pass          http://127.0.0.1:8080;
    }
}

How do you solve that issue?

Upvotes: 6

Views: 7684

Answers (3)

CodeMilitant

Reputation: 140

Regarding your nginx, try the following:

upstream local8080 {
  server 127.0.0.1:8080;
}
## HTTP CONFIG
server {
  listen 80;
  server_name 127.0.0.1;
  return 301 https://$host$request_uri;
}

## SSL SERVER
server {
  listen 443 ssl http2;
  server_name 127.0.0.1;
  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # modern configuration. tweak to your needs.
  ssl_protocols TLSv1.2 TLSv1.1;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 127.0.0.1;

  ssl_certificate /etc/nginx/ssl/localhost.crt;
  ssl_certificate_key /etc/nginx/ssl/private/localhost.key;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # the PHP built-in server only speaks plain HTTP, so the upstream scheme is http
    proxy_pass http://local8080;
    root /usr/share/nginx/html;
  }
}

I use the above config in my local servers, so it should work. With that said, you need to ensure that SELinux is disabled, and FirewallD is allowing port 8080. By default, both will be enabled on a default Linux flavored install, so you must make changes.

You can place SSL certificates in any location, then point to them.

If you're trying to access from an external network, you'll need to allow port 8080 on your router.

If you need help with either SELinux or FirewallD, just let me know. I'll get you the code. If this is a local test environment, then just disable them until you get nginx running correctly.

Upvotes: 2

Shmygol

Reputation: 933

The proxy doesn't help you much, because Symfony doesn't know the protocol and still tries to redirect to HTTPS.

Try this configuration:

server {
    listen       443 ssl;
    server_name  127.0.0.1;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        proxy_pass          http://127.0.0.1:8080;
        proxy_redirect      http://localhost:8080 https://127.0.0.1;

        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}

Upvotes: 1
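
The backend side of the `X-Forwarded-Proto` approach above, as an added example that is not part of the original answers: a router script for the PHP built-in server that marks the request as HTTPS only when the header arrives from the local nginx proxy, so the application stops redirecting and a direct client cannot spoof the scheme. The file name `router.php`, the front controller `index.php` and the `TRUSTED_PROXIES` list are assumptions for illustration.

```php
<?php
// router.php: added example, not code from the question or the answers.
// Start with: php -S 127.0.0.1:8080 router.php
// Assumptions: nginx terminates TLS on the same host and sets
// X-Forwarded-Proto as in the proxy configuration above; index.php is a
// hypothetical front controller in the same directory.

// Only these peers may tell us the original scheme (assumed: local nginx).
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Decide whether the client's original request used HTTPS.
 * The forwarded header is honoured only when the TCP peer is a trusted
 * proxy; from any other peer it is ignored, because a client can set it.
 */
function original_request_is_https(array $server): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

if (PHP_SAPI === 'cli-server') {
    if (original_request_is_https($_SERVER)) {
        // What most PHP code inspects to decide "is this request secure?"
        $_SERVER['HTTPS'] = 'on';
        $_SERVER['SERVER_PORT'] = '443';
        $_SERVER['REQUEST_SCHEME'] = 'https';
    }

    // Let the built-in server handle existing static files itself.
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    if (is_string($path) && $path !== '/' && is_file(__DIR__ . $path)) {
        return false;
    }

    // Everything else goes to the application, which now sees HTTPS
    // for proxied requests and no longer issues the redirect.
    require __DIR__ . '/index.php';
}
```

Keep the built-in server bound to 127.0.0.1 so that nginx is the only peer that can reach it; frameworks such as Symfony also provide their own trusted-proxy setting that serves the same purpose.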

wahyzcrak

Reputation: 114

Well, part of the problem is the way you are using proxy pass, I think.

As far as I can tell you are only listening on port 443, so I don't even think it would accept a port 80 connection in order for the proxy pass to happen.

Secondly, I have never seen proxy pass used for redirecting http to https, but I am also not 100% seasoned at nginx or apache, but I would typically use proxy pass for reverse proxying web requests to subdomains and other directories to various IPs.

Does this post help at all? The answer has a configuration in it:

nginx force ssl http

Let me know what you find out, I might have time to test this a bit later, but if you are only listening on port 443 and have it set up to only accept ssl, then an http request would simply fail saying server not reachable.

If you do actually want to have them be able to hit http, but to be forced over to an SSL connection I do not know if proxy pass is the correct way to do that.

Edit:

https://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

This looks correct

Upvotes: 1
