Cakephp2 https redirects on AWS ECS

Question

I have this old cakephp2 application that I'm deploying it to AWS ECS. However, it needs to redirect all the requests to https. I have updated the .htaccess as follows:

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{REQUEST_URI} !=/server-status
   RewriteBase /

   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteRule !/status https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
   RewriteRule ^$ https://%{SERVER_NAME}/users/login [R,L]

   RewriteRule    ^$ app/webroot/    [L]
   RewriteRule    (.*) app/webroot/$1 [L]
</IfModule>

I would expect that all requests were being redirect to https but there is one that is still not being correctly redirected. From the login page, when clicking login, it should redirect the user to https://%{SERVER_NAME}/tests/users however when making requests to that url https://%{SERVER_NAME}/tests/users it keeps redirecting the request to (http) http://%{SERVER_NAME}/users/login. Any suggestions? Thanks.

Answer 1

The fact that you have:

RewriteCond %{HTTP:X-Forwarded-Proto} !https

in one of your rewrite conditions suggests you might be using an ELB (or similar) to terminate SSL and forward requests to your web servers unencrypted.

CakePHP 2 relies on the HTTPS variable being set by the web server to indicate that the request was encrypted (check env function in lib/Cake/basics.php or search 'HTTPS' in lib/Cake/bootstrap.php). You can use SetEnvIf to add the variable based on the X-Forwarded-Proto header:

SetEnvIf X-Forwarded-Proto "https" HTTPS=on