
HTTP_X_FORWARDED_PROTO #110

Open
fabswt opened this issue Feb 7, 2022 · 1 comment

Comments

fabswt commented Feb 7, 2022

Hi,

Getting this error message over an HTTPS connection for a server hosted on Heroku:

Insecure use of middleware over HTTP denied by configuration.
File: /app/vendor/tuupola/slim-basic-auth/src/HttpBasicAuthentication.php
Line: 148

FYI, in local development (over HTTPS, with a self-encrypted certificate), I get these key/value pairs in $_SERVER:

[HTTPS] => on
[SERVER_PORT] => 443

Whereas on Heroku there's no such line, but, instead:

[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https

This is typical for hosting behind a proxy or load balancer. See X-Forwarded-Proto.

Here's the workaround I'm using:

if (
    isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && isset($_SERVER['HTTP_X_FORWARDED_PORT'])
) {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = $_SERVER['HTTP_X_FORWARDED_PORT']; // Typically `443`.
}

I guess tuupola/slim-basic-auth could check for these values as well when trying to determine if a connection is secure.

tuupola (Owner) commented Feb 7, 2022

An HTTP connection does not become secure by setting the X-Forwarded-Proto header. It is still an unencrypted connection. If you are using a proxy or load balancer you can set the secure config parameter to false to get rid of the error.

Another option would be to use an additional middleware which sets the request method in the request object according to X-Forwarded-Proto (if you trust the header, of course).
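The two posts above describe the same problem from opposite sides: the reporter's workaround trusts `HTTP_X_FORWARDED_PROTO` unconditionally (any client can send that header, so a plain-HTTP request could claim to be HTTPS), while the maintainer's suggestion is to let a separate middleware decide the scheme, and only if the header is trustworthy. The block below is an added example written for this thread; it is not code from tuupola/slim-basic-auth or from either commenter. It honours `X-Forwarded-Proto` only when the immediate peer (`REMOTE_ADDR`) is in an operator-supplied list of proxy addresses, and then shows how that check would be wrapped as a Slim 4 / PSR-15 middleware that rewrites the PSR-7 URI scheme. The proxy list `10.0.0.0/8`, the closure name `$trustProxyScheme`, and the sample `$_SERVER` arrays are constructed for the example; the middleware part assumes slim/slim 4 with a PSR-7 implementation (such as slim/psr7) installed and that the downstream check reads the scheme from the request URI.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether the original client connection was HTTPS.
 *
 * Direct TLS termination by PHP (HTTPS=on) is always believed. The
 * X-Forwarded-Proto header is believed only when the immediate peer is one
 * of our own proxies, because any client can put that header on a request.
 *
 * @param array<string,string> $server         $_SERVER (or a copy of it)
 * @param string[]             $trustedProxies IPs or CIDR blocks of our proxies (assumed values)
 */
function connection_is_secure(array $server, array $trustedProxies): bool
{
    // Case 1: PHP itself terminated TLS (the reporter's local setup).
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    // Case 2: behind a proxy we control that forwarded the original scheme.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($peer === '' || !ip_in_list($peer, $trustedProxies)) {
        return false; // untrusted peer: ignore whatever it claims in the header
    }
    // With chained proxies the header may be a list; the first entry is the
    // scheme seen by the outermost (client-facing) hop.
    $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
    return strtolower(trim($first)) === 'https';
}

/** True if $ip equals an entry in $list or falls inside one of its CIDR blocks. */
function ip_in_list(string $ip, array $list): bool
{
    $ipBin = inet_pton($ip);
    if ($ipBin === false) {
        return false;
    }
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if ($ip === $entry) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $netBin = inet_pton($net);
        $bits   = (int) $bits;
        if ($netBin === false || strlen($netBin) !== strlen($ipBin)
            || $bits < 0 || $bits > strlen($ipBin) * 8) {
            continue; // malformed entry or IPv4/IPv6 mismatch
        }
        $bytes = intdiv($bits, 8);
        $rem   = $bits % 8;
        if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
            continue;
        }
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF; // leading $rem bits of the next byte
        if ((ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

// Assumed: the only proxies that may reach this app live in 10.0.0.0/8.
$trustedProxies = ['10.0.0.0/8'];

// Slim 4 / PSR-15 middleware built on the function above (hypothetical name).
// It marks the request as https only when the check passes; later middleware
// such as HttpBasicAuthentication then sees an https URI scheme.
$trustProxyScheme = function (
    \Psr\Http\Message\ServerRequestInterface $request,
    \Psr\Http\Server\RequestHandlerInterface $handler
) use ($trustedProxies) {
    if (connection_is_secure($request->getServerParams(), $trustedProxies)) {
        $request = $request->withUri($request->getUri()->withScheme('https'));
    }
    return $handler->handle($request);
};
// $app->add($trustProxyScheme);

// Constructed sample requests (not real captures) exercising the pure function.
$direct   = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.5'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PORT' => '443'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
foreach (['direct' => $direct, 'viaProxy' => $viaProxy, 'spoofed' => $spoofed] as $name => $server) {
    printf("%-9s secure=%s\n", $name, connection_is_secure($server, $trustedProxies) ? 'yes' : 'no');
}
```

In Slim 4 the middleware added last is the first to run, so `$trustProxyScheme` has to be added after the authentication middleware for the scheme to be rewritten before the `secure` check fires. On a platform where the dyno is reachable only through the platform's own router (the Heroku case in the report), the trusted list is effectively "whatever can connect to the dyno", which is the situation the maintainer's `secure => false` option is meant for; the explicit peer check matters most where the app port is also reachable directly.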
