From 548ae7ad22a5c1db703edfd9dcce9bce87e3fd2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Rodr=C3=ADguez=20Guimer=C3=A1ns?= Date: Mon, 27 Feb 2023 21:32:47 +0100 Subject: [PATCH] Add Reverse Proxy support to Pre-Flight URL check Before this change, the Pre-Flight URL check would inevitably fail whenever Snipe-IT was running behind a reverse proxy or load balancer. The URL check tries to ensure that the configured application URL matches the URL that is actually used to reach the application. However, when running behind an HTTP intermediary (like a reverse proxy or a load balancer) the HTTP connection that Snipe-IT receives is not the _real_ connection from the user anymore, but a connection from the HTTP intermediary. The scheme, host and port that Snipe-IT would obtain from that incoming intermediary connection wouldn't match what is configured as application URL and, therefore, the URL check would fail. This commit solves the situation by making Snipe-IT's Pre-Flight URL check aware of the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. These headers represent the _de-facto_ standard used by reverse proxies and other HTTP intermediary components to convey information about the incoming HTTP connection to the upstream application. Being the upstream application, Snipe-IT can then make use of this information to correctly evaluate the validity of the configured application URL. --- app/Http/Controllers/SettingsController.php | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php index 549818756..a8212d135 100755 --- a/app/Http/Controllers/SettingsController.php +++ b/app/Http/Controllers/SettingsController.php @@ -65,12 +65,22 @@ class SettingsController extends Controller $start_settings['db_error'] = $e->getMessage(); } - $protocol = array_key_exists('HTTPS', $_SERVER) && ('on' == $_SERVER['HTTPS']) ? 'https://' : 'http://'; + if (array_key_exists("HTTP_X_FORWARDED_PROTO", $_SERVER)) { + $protocol = $_SERVER["HTTP_X_FORWARDED_PROTO"] . "://"; + } elseif (array_key_exists('HTTPS', $_SERVER) && ('on' == $_SERVER['HTTPS'])) { + $protocol = "https://"; + } else { + $protocol = "http://"; + } - $host = array_key_exists('SERVER_NAME', $_SERVER) ? $_SERVER['SERVER_NAME'] : null; - $port = array_key_exists('SERVER_PORT', $_SERVER) ? $_SERVER['SERVER_PORT'] : null; - if (('http://' === $protocol && '80' != $port) || ('https://' === $protocol && '443' != $port)) { - $host .= ':'.$port; + if (array_key_exists("HTTP_X_FORWARDED_HOST", $_SERVER)) { + $host = $_SERVER["HTTP_X_FORWARDED_HOST"]; + } else { + $host = array_key_exists('SERVER_NAME', $_SERVER) ? $_SERVER['SERVER_NAME'] : null; + $port = array_key_exists('SERVER_PORT', $_SERVER) ? $_SERVER['SERVER_PORT'] : null; + if (('http://' === $protocol && '80' != $port) || ('https://' === $protocol && '443' != $port)) { + $host .= ':'.$port; + } } $pageURL = $protocol.$host.$_SERVER['REQUEST_URI'];