October: CloudFlare Flexible HTTPS with backendForceSecure

Created on 10 Dec 2019 · 6Comments · Source: octobercms/october

Hi,
not sure is it a bug, looks like.
I installed ssl, frontend is working properly.
When I edit config/cms.php:
'backendForceSecure' => null,
and change to:
'backendForceSecure' => true,
I got error as not properly redirect.

Now, when I edit modules/backend/classes/Controller.php

protected function verifyForceSecure()
    {
        if (Request::secure() || Request::ajax()) {
            return true;
        }

        // @todo if year >= 2018 change default from false to null
        $forceSecure = Config::get('cms.backendForceSecure', false);
        if ($forceSecure === null) {
            $forceSecure = !Config::get('app.debug', false);
        }

        return !$forceSecure;
    }

and change return !$forceSecure; to return $forceSecure;
https on backend is working properly.

PHP version is 7.2 or 7.3, current build of OctoberCMS: 458

All the best,

Question

Source

franko108

Most helpful comment

@ayumi-cloud Hi, thanks, this seems to be helpful.
I've changed SSL setting on CloudFlare to "Full (strict)" and changed back in _modules/backend/classes/Controller.php_ within verifyForceSecure method to original value:
return !$forceSecure;
Also, in _config/cms.php:
'backendForceSecure' => true,

Thanks to everyone for the help, apparently this was the problem.
Web is on VPS and I have several SSL, some with let's encrypt and everyting is working properly, now is working this combination OctoberCMS+CF as well, both frontend and backend.
All the best to everyone!

franko108 on 11 Dec 2019

👍2

All 6 comments

@franko108 are you using CloudFlare Flexible SSL?

LukeTowers on 10 Dec 2019

@franko108 are you using CloudFlare Flexible SSL?

@LukeTowers , yes, that's correct, CloudFlare Flexible SSL is installed and it is proxied by CloudFlare.

franko108 on 10 Dec 2019

@franko108 try installing the CloudFlare plugin: https://octobercms.com/plugin/heathdutton-cloudflare. The way CloudFlare Flexible SSL works is that requests from the browser to CF are HTTPS but requests from CF to the server are HTTP. Since the server only sees the requests from CF to itself it tells CF to redirect to the HTTPS site, which CF then passes onto the browser, but then that just creates an infinite redirect loop.

That plugin should fix the issue. @heathdutton can you confirm this is likely the case?

LukeTowers on 10 Dec 2019

I would also recommend if your server is properly setup to respond to HTTPS connections (i.e. it has a certificate generated and HTTPS works properly without CF being in front of it) to change your CF SSL settings to be Full

LukeTowers on 10 Dec 2019

Can I add a comment please, a while ago I spoke to the Cloudflare team with some issues with setting up HTTPS with October in Cloudflare.

They told me that using CloudFlare Flexible is bad and not recommend as it "Leaks HTTP" so sometimes I was seeing HTTP connections. Because of this, setting some config settings in October gave me issues! Because I wasn't really getting HTTPS 100% of the time!

They told me to set and recommend using: "Full (strict)" setting (which stops leaking HTTP connections).

However, if your website doesn't work with this setting, then you have an issue with your certificate, we had this issue and when we correctly config'ed the cert, the "Full (strict)" setting worked fine.

Then we could set secure settings in the config in October.

Please note you should also setup your cert in Cpanel under the SSL/TLS Manager section. Add your Private Keys (KEY) and Certificates (CRT). This is important to make sure the "Full (strict)" setting in Cloudflare works.

Hope that helps.