Https not working with Slim


#1

I have recently set up my EC2 LAMP server with SSL which works fine with Slim. I can securely log in to phpMyAdmin and see my data just fine too. However, I get a 504 gateway time out error on my routes that connect to mysql. My routes work fine when the same index.php file is on my local XAMPP server (which is not SSL enabled). So it appears to me that the https protocol is not yet working on LAMP server. Looking around I have seen things about modifying my .htaccess file to rewrite for https:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]

but this has not made any difference and I have no idea why. Middleware has also come up too, to redirect http to https and this seems like a good option, but I have no idea where to begin with it.


#2

I think you can use Cloudflare to redirect your http request into https


#3

Hi and thanks. Sorry, I have no idea about how to do it. Where exactly do I start? Thanks


#4

Do not waste that energy, kindly drop this JavaScript to enforce https in your app.

<script>
if (location.protocol != 'https:') {
    location.href = 'https:' + window.location.href.substring(window.location.protocol.length);
}
</script>

#5

OK @LeeH, I don’t think that either of these solutions are right for you. You said that the SSL was working fine but on routes where you’re connecting to MySQL you have a problem? That points towards the MySQL configuration, not SSL.

If this were a dev environment issue I’d be stepping through with Xdebug to see where it’s failing, but this is a production environment (presumably) so that’s out. The alternative is to turn up your debug/error-reporting level and ensure that you’re logging lots of detail. I would definitely recommend that you try this out. Check your PHP error logs as well. Check the PHP config if you’re not sure where to find them. They’re often in /var/log IIRC, though this can be configured in your php.ini and viewed with a phpinfo() output.

As an aside, I’d still like to drop some points in about why the other suggestions may be bad for anyone who is considering adding SSL to their apps, however:

Firstly, Cloudflare.

As a general rule, don’t use Cloudflare for SSL. The SSL terminates at their platform and the rest of the way is unsecured. If you’re carrying any sensitive data then this should be immediately ruled out. It wouldn’t be so bad if they were in the same datacentre, but they’re not. If you’re just doing SSL for SEO then it probably doesn’t matter, but if you’re handling PII or credit card data then don’t use Cloudflare under any circumstances.

A JavaScript solution is no good, either. JS doesn’t always work for a start. You’ve also already sent a load of unsecured data and the JS could’ve been hijacked in transit. Do not do this. Ever.

There are some AWS-related caveats with SSL that catch people out occasionally:

First off, are you using an Elastic Load Balancer? If so then they do something similar to Cloudflare and the SSL usually terminates at the LB. The web server on your instance can’t tell that you’re using HTTPS in the usual way. This is a better solution than Cloudflare because the ELB is in the same datacentre and if you’re using the Virtual Private Cloud then your data should be fairly safe in transit around their platform. It is NOT as secure as having the certificate installed directly on your server, but it’s almost as good.

Secondly, Cloudflare is a CDN, and AWS has one of those, too. It’s called CloudFront, and if you don’t want to use an Elastic Load Balancer then you can simply put a CloudFront distribution in front of your EC2 instance and have a free Amazon Certificate Manager SSL certificate applied to the distribution. This has the added benefit of providing edge locations around the world that will cache assets on your site and speed up access for your users. We’ve used it on many of our sites and have had sites that Alexa ranks in the top 10% of the fastest sites in the world, despite heavy use of graphics.


#6

Hi, use this .htaccess in your project

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteCond %{HTTP:X-Forwarded-Port} =80
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
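
The scheme check that the X-Forwarded-Proto rules in this thread rely on, written as a server-side PHP function that a redirect middleware or the top of index.php could call. This is an added example, not code from any poster or from Slim. The function name, the exact-IP proxy list, the configured host and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Returns the https:// URL to redirect to, or null when the request is
 * already secure. Hypothetical helper; not part of Slim or of the thread.
 *
 * $server         a $_SERVER-style array
 * $trustedProxies addresses of your own load balancer (assumption: exact IPs)
 * $canonicalHost  configured site host, used instead of the client-sent Host
 */
function httpsRedirectTarget(array $server, array $trustedProxies, string $canonicalHost): ?string
{
    // Case 1: TLS terminates on this web server (certificate on the instance).
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return null;
    }

    // Case 2: TLS terminates at a load balancer, which reports the original
    // scheme in X-Forwarded-Proto. Believe the header only when the direct
    // peer is one of our proxies; any client can send it otherwise.
    $peer  = (string)($server['REMOTE_ADDR'] ?? '');
    $proto = strtolower(trim((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    if (in_array($peer, $trustedProxies, true) && $proto === 'https') {
        return null;
    }

    // Otherwise the request arrived in clear text. Strip CR/LF and force a
    // leading slash so the value is safe to place in a Location header.
    $uri = str_replace(["\r", "\n"], '', (string)($server['REQUEST_URI'] ?? '/'));
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . $canonicalHost . $uri;
}

// Constructed sample requests (not real traffic); 10.0.0.5 stands in for the ELB.
$proxies = ['10.0.0.5'];
$samples = [
    'direct https'   => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9', 'REQUEST_URI' => '/users'],
    'via ELB, https' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/users'],
    'via ELB, http'  => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'http', 'REQUEST_URI' => '/users'],
    'spoofed header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/users'],
];
foreach ($samples as $label => $server) {
    $target = httpsRedirectTarget($server, $proxies, 'example.com');
    echo str_pad($label, 16), ' => ', $target ?? 'serve (already HTTPS)', PHP_EOL;
}
```

When the function returns a URL, the caller sends a 301 with that value in the Location header and stops before any route runs.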