"Force Secure URLs" setting sometimes does not behave as expected, deprecate it ... Slowly :)
Various issues have reported over time that the SSL enforcement doesn't work as expected.
- CRM_Core_Invoke::runItem() calls CRM_Utils_System::redirectToSSL()
- CRM_Utils_System::redirectToSSL() uses CRM_Utils_System::isSSL()
- The setting is named "enableSSL" but it kind of works like "enforce SSL" (you can enable SSL and have it set to false, and if it's true then it will try to enforce SSL)
For some hosting environments, this (in particular the method of detecting whether a request is SSL or not) leads to confusing behaviour where a site will reject attempts to visit particular pages (
civicrm/admin/* but not
civicrm/*?), and show "access denied" in Drupal logs, and serve circular 302 redirects.
What we have apparently may not work if you are behind an SSL terminator, and probably for other setups which aren't accounted for.
Previous issues / PRs / work on that setting:
GH#9452 (see here for me going
🤷 😠about how we verify SSL)
- CRM-11160, GH#1098
My opinion is that it's tricky to work out in CiviCRM whether the request is being served via SSL or not and that this is best resolved at the most user-facing layer - it can be tricky to resolve in Drupal too if you're behind haproxy+varnish etc, and for @alexymik it seemed to be raising issues under Docker (1, 2).
@xurizaemon thinks you should ensure CiviCRM is SSL'dHow
- Enforce SSL at the client-facing proxy, if you have one. Terminating SSL here is fine.
- If clients talk directly to nginx / apache / what have you, try to enforce SSL here as part of canonical URL config.
- .htaccess is next best after webserver config if you're using a server that supports it. Fine for small sites.
- If you can't do that, enforce SSL in the CMS using a module like Drupal's Securepages.
- Last resort should be CiviCRM, but we should really encourage people to do any of the above (in that order).
- Since you aren't any more relying on CiviCRM to enforce SSL, you can now set "enableSSL" to NO as it's a poorly named setting which may have unfortunate side-effects. Visit CiviCRM > Settings > Resource URLs and set " Force Secure URLs (SSL)" to "No".
So - I get that people are using this setting, I don't want to break things for them (that'll reduce security), but I did want to write up my reasoning behind why we should not encourage relying on that setting.
I propose we start defaulting it to off and aim to hide / deprecate / remove the config over time.
As a first step, I'm going to PR a log message that would have saved @alexymik a few hours of painful debugging today