FuelPHP Forums

Assets over HTTPS
  • Does anyone have a solution on best practices to use the Asset class when serving pages over HTTPS? Currently, the class includes all assets unencrypted, which leaves browsers such as Chrome blocking all style sheets and JavaScript files.

  • Asset uses the current URI to serve the assets, unless you've defined a hardcoded URL somewhere.

    If you need to construct a hardcoded URL, you can use Input::protocol(), which will return "http" or "https", depending on the current page.
  • I don't have a hardcoded URL anywhere either. Was there a bug in an earlier version of FuelPHP that prevented Asset from using the current URI? How can you check what version you are running?

    Double checked my config.php file and here is the line:

    'base_url'  => null,

  • You can check your version by echoing \Fuel::VERSION.

    The asset url is defined in the config/asset.php config file. By default it's configured to use the base_url, and if the base_url isn't defined, it will be constructed from the current request.

    Can you check what Input::protocol() returns on a https page?
  • Version is 1.5

    Put up a test page here. Looks like we've found the problem...

  • In 1.5, fuel checks if $_SERVER['HTTPS'] exists, or if $_SERVER['SERVER_PORT'] is 443. And if so, it determines you're on an https connection. Otherwise, it will return 'http'.

    What kind of server setup do you have? Are you behind some sort of reverse proxy that does port mapping or https to http conversion?

    I assume

    echo \Config::get('base_url');

    will return http://mobials.com/test/https ?
  • My server is running on AWS ElasticBeanstalk. Standard setup.

    Secure Port: 443
    64bit Amazon Linux running PHP 5.4

    I can provide more information if you need it. 

    Updated link to also show \Config::get('base_url');
  • At least it's consistent. ;-)

    Can you dump $_SERVER? You can send it to me via PM here or via email "wanwizard<at>fuelphp.com" so I can check where it goes wrong?

    It should at least be able to pick up port 443...
  • Thanks. I've sent you an email with the information. 
  • Harro
    Accepted Answer
    And you've got a reply.

    For others finding this thread in a search: it looks like Amazon uses a reverse proxy or load-balancing system that offloads the SSL, and connects to the backend webserver on http port 80. It does insert the standard X-FORWARDED-FOR entries, which correctly contain both 'https' and port 443.

    Since v1.6.1, you can configure Fuel to use these keys, through the config key "security.allow_x_headers".

    This is off by default, because these headers can be injected, so you only want to enable it when you are sure a known system will inject them.
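
The trade-off described in the accepted answer, as an added example that is not FuelPHP's own code and not part of the original thread: forwarded headers are honoured only when the option is enabled and the connecting peer is a known proxy. The function `detect_protocol()`, the `$trustedProxies` list and the use of the `X-Forwarded-Proto` / `X-Forwarded-Port` headers are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added illustration, not FuelPHP's own code. detect_protocol() and the
// $trustedProxies list are hypothetical; the X-Forwarded-Proto/Port header
// names are assumed to be what the proxy injects.
function detect_protocol(array $server, bool $allowXHeaders, array $trustedProxies): string
{
    // Direct TLS: the two checks the thread describes for 1.5. "off" is
    // excluded because some servers set HTTPS=off on plain requests.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if (($https !== '' && $https !== 'off') || (int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return 'https';
    }

    // Forwarded headers can be set by any client, so read them only when the
    // option is on AND the TCP peer is a proxy we operate.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if ($allowXHeaders && in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
        $port  = (int) ($server['HTTP_X_FORWARDED_PORT'] ?? 0);
        if ($proto === 'https' || ($proto === '' && $port === 443)) {
            return 'https';
        }
    }
    return 'http';
}

// Constructed sample requests (addresses are documentation/private ranges).
$proxies   = ['10.0.0.5'];
$forwarded = ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PORT' => '443'];
$cases = [
    'direct TLS'        => [['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9'], false],
    'via trusted proxy' => [$forwarded + ['REMOTE_ADDR' => '10.0.0.5'], true],
    'spoofed by client' => [$forwarded + ['REMOTE_ADDR' => '203.0.113.9'], true],
    'option disabled'   => [$forwarded + ['REMOTE_ADDR' => '10.0.0.5'], false],
];
foreach ($cases as $label => [$server, $allow]) {
    printf("%-18s %s\n", $label, detect_protocol($server, $allow, $proxies));
}
```

Behind an autoscaled load balancer the proxy addresses change over time, so the trusted set would normally be the load balancer's subnet rather than individual IPs.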
