multi-tenant
force_https with Cloudflare Flexible SSL causes redirect loop
Description
Setting hostname->force_https causes a redirect loop when using Cloudflare Flexible SSL. Cloudflare Flexible SSL works by terminating HTTPS requests with Cloudflare's own certificate and proxying them as plain HTTP requests to the origin server.
Actual behavior
TenancyProvider prepends the HostnameActions middleware to the HTTP kernel, so it is run before TrustProxies.
Request->isSecure() returns false and creates a redirect loop.
Expected behavior
Setting force_https=1 should redirect without looping when using Cloudflare Flexible SSL or TrustProxies.
Information
- hyn/multi-tenant version: 5.3
- laravel version: 5.7.12
- database driver and version: MySQL 5.7
- webserver software and version: Nginx 1.15.0
- php version: 7.2.8
tenancy.php config

```php
<?php

use Hyn\Tenancy\Database\Connection;

return [
    'models' => [
        'hostname' => \Hyn\Tenancy\Models\Hostname::class,
        'website' => \Hyn\Tenancy\Models\Website::class,
    ],
    'middleware' => [
        \Hyn\Tenancy\Middleware\EagerIdentification::class,
        \Hyn\Tenancy\Middleware\HostnameActions::class,
    ],
    'website' => [
        'disable-random-id' => false,
        'random-id-generator' => Hyn\Tenancy\Generators\Uuid\ShaGenerator::class,
        'uuid-limit-length-to-32' => env('LIMIT_UUID_LENGTH_32', true),
        'disk' => 's3',
        'auto-create-tenant-directory' => true,
        'auto-rename-tenant-directory' => true,
        'auto-delete-tenant-directory' => false,
        'cache' => 10,
    ],
    'hostname' => [
        'default' => env('TENANCY_DEFAULT_HOSTNAME'),
        'auto-identification' => env('TENANCY_AUTO_HOSTNAME_IDENTIFICATION', true),
        'early-identification' => env('TENANCY_EARLY_IDENTIFICATION', true),
        'abort-without-identified-hostname' => env('TENANCY_ABORT_WITHOUT_HOSTNAME', false),
        'cache' => 10,
        'update-app-url' => false,
    ],
    'db' => [
        'default' => env('TENANCY_DEFAULT_CONNECTION'),
        'system-connection-name' => env('TENANCY_SYSTEM_CONNECTION_NAME', Connection::DEFAULT_SYSTEM_NAME),
        'tenant-connection-name' => env('TENANCY_TENANT_CONNECTION_NAME', Connection::DEFAULT_TENANT_NAME),
        'tenant-division-mode' => env('TENANCY_DATABASE_DIVISION_MODE', 'database'),
        'password-generator' => Hyn\Tenancy\Generators\Database\DefaultPasswordGenerator::class,
        'tenant-migrations-path' => database_path('migrations/tenant'),
        'tenant-seed-class' => false,
        'auto-create-tenant-database' => true,
        'auto-create-tenant-database-user' => true,
        'auto-rename-tenant-database' => true,
        'auto-delete-tenant-database' => env('TENANCY_DATABASE_AUTO_DELETE', false),
        'auto-delete-tenant-database-user' => env('TENANCY_DATABASE_AUTO_DELETE_USER', false),
        'force-tenant-connection-of-models' => [
        ],
        'force-system-connection-of-models' => [
        ],
    ],
    'routes' => [
        'path' => base_path('routes/tenants.php'),
        'replace-global' => false,
    ],
    'folders' => [
        'config' => [
            'enabled' => true,
            'blacklist' => ['database', 'tenancy', 'webserver'],
        ],
        'routes' => [
            'enabled' => true,
            'prefix' => null,
        ],
        'trans' => [
            'enabled' => true,
            'override-global' => true,
            'namespace' => 'tenant',
        ],
        'vendor' => [
            'enabled' => true,
        ],
        'media' => [
            'enabled' => true,
        ],
        'views' => [
            'enabled' => true,
            'namespace' => null,
            'override-global' => true,
        ],
    ],
];
```
Error log
If you're using CloudFlare there no longer is any reason for the underlying app to take care of an SSL upgrade, as CF takes care of that. You can safely ignore the force_https flag.
That's true only if you are forcing SSL with Cloudflare, which I am not.
On Mon, Nov 19, 2018, 1:06 AM Daniël Klabbers wrote:
> If you're using CloudFlare there no longer is any reason for the underlying app to take care of an SSL upgrade, as CF takes care of that. You can safely ignore the force_https flag.
Ah I now understand the root cause, thanks for clarifying.
Then you should set Cloudflare to Strict. This is an issue with Cloudflare, not here, and it happens with other services as well: we cannot know that you are using a secure connection with Flex, because the client is connected to Cloudflare via HTTPS but it proxies the request to your server in plain HTTP.
So you indeed have 2 choices:
- Enable Full mode rather than Flex (it doesn't have to be Strict; Full will force Cloudflare to proxy to your server using HTTPS without checking certificates; if you have valid certificates, use Strict mode).
- Or use Flex with force HTTPS, and nothing in your app should force HTTPS.
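To make the mechanism from the Actual behavior section and the maintainer's explanation concrete, here is an added example (not code from this issue or from hyn/multi-tenant) using Symfony's Request, which Laravel's Request extends; the proxy and client addresses and the tenant hostname are constructed placeholders, and the script assumes it runs inside a Laravel project so that symfony/http-foundation autoloads.

```php
<?php
// Added example: how Request::isSecure() depends on trusted proxies, which is
// why a force_https check that runs before TrustProxies loops behind Flex SSL.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/**
 * Build a request the way Nginx sees it behind Cloudflare Flexible SSL:
 * plain HTTP to the origin, with the proxy asserting the client used HTTPS.
 * $remoteAddr is the address the origin sees the TCP connection coming from.
 */
function requestFromProxy(string $remoteAddr): Request
{
    return Request::create('http://tenant.example.test/', 'GET', [], [], [], [
        'REMOTE_ADDR' => $remoteAddr,               // constructed
        'HTTP_X_FORWARDED_PROTO' => 'https',        // set by the proxy
    ]);
}

/** The decision a force_https middleware makes: redirect unless already secure. */
function wouldRedirect(Request $request): bool
{
    return !$request->isSecure();
}

$proxy = '203.0.113.10';   // constructed placeholder for a Cloudflare edge address
$client = '198.51.100.7';  // constructed placeholder for a direct, non-proxied client

// 1. Before TrustProxies has run, no proxy is trusted: X-Forwarded-Proto is
//    ignored, the request looks like plain HTTP, and the redirect fires on
//    every pass. This is the loop described in the issue.
Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_PROTO);
$loops = wouldRedirect(requestFromProxy($proxy));

// 2. Once TrustProxies has registered the proxy address, the same request is
//    recognised as HTTPS and no redirect is issued.
Request::setTrustedProxies([$proxy], Request::HEADER_X_FORWARDED_PROTO);
$fixed = wouldRedirect(requestFromProxy($proxy));

// 3. The header is only honoured when the connection comes from a trusted
//    address; from any other address it is ignored. This is why the trusted
//    proxy list should be explicit rather than '*'.
$direct = wouldRedirect(requestFromProxy($client));

printf("untrusted proxy -> redirect: %s\n", var_export($loops, true));
printf("trusted proxy   -> redirect: %s\n", var_export($fixed, true));
printf("direct client   -> redirect: %s\n", var_export($direct, true));
```

Laravel's TrustProxies middleware performs the same setTrustedProxies() call from its $proxies and $headers properties, so any middleware that inspects isSecure() has to be registered after it.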