XF 2.2 xf2 behind cloudfront, board canonicalization

[mazdas247]

I'm running xf2 latest behind aws, cloudfront, which offloads SSL and does caching, etc etc. With board canonicalization on, it seems xf2 ignores that "CloudFront-Forwarded-Proto" is https and considers the client is on the wrong proto, so it 301 redirects to SSL. Even though the client is already on SSL. Ran tcpdump, the CloudFront-Forwarded-Proto header is definitely there and is delivered to httpd.

Just wondering if this is normal. Worst case I'll just use https origin, but that's just consuming more CPU for kinda nothing.

 

[Jake B.]

if (isset($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) && $_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

or something along those lines in src/config.php should sort it it

Doing

if (isset($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO'])) {
    $_SERVER['HTTP_X_FORWARDED_PROTO'] = $_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO'];
}

may work as well as I believe XenForo does check the X-Forwarded-Proto header. If you can get Cloudfront to send a value with that header, it'll be even better

Edit: Confirmed it does check X-Forwarded-Proto here:

public function isSecure()
{
   return (
      $this->getServer('REQUEST_SCHEME') === 'https'
      || $this->getServer('HTTP_X_FORWARDED_PROTO') === 'https'
      || $this->getServer('HTTPS') === 'on'
      || $this->getServer('SERVER_PORT') == 443
   );
}

 

[mazdas247]

Thanks, this is exactly what I was looking for.