Does anyone have a solution on best practices to use the Asset class when serving pages over HTTPS? Currently, the class includes all assets unencrypted, which leaves browsers such as a Chrome blocking all style sheets and javascript files.
I don't have a hardcoded URL anywhere either. Was there a bug in earlier version of FuelPHP that prevented Asset from using the current URI? How can you check what version you are running?
Double checked my config.php file and here is the line:
You can check your version by echoing \Fuel::VERSION.
The asset url is defined in the config/asset.php config file. By default it's configured to use the base_url, and if the base_url isn't defined, it will be constructed from the current request.
Can you check what Input::protocol() returns on a https page?
In 1.5, fuel checks if $_SERVER['HTTPS'] exists, or if $_SERVER['SERVER_PORT'] is 443. And if so, it determines you're an a https connection. Otherwise, it will return 'http'.
What kind of server setup do you have? Are you behind some sort of reverse proxy that does port mapping or https to http conversion?
For others finding this thread in a search: it looks like Amazon uses a reverse proxy or load-balancing system that offloads the SSL, and connects to the backend webserver on http port 80. It does insert the standard X-FORWARDED-FOR entries, which correctly contain both 'https' and port 443.
Since v1.6.1, you can configure Fuel to use these keys, through the config key "security.allow_x_headers".
This is off by default, because these headers can be injected, so you only want to enable it when you are sure a known system will inject them.
Donate
