
PHP builtin server + SSL

Tags:

php

I know that PHP built-in server does not support SSL. Is it achievable anyway?

I tried to use Nginx proxy and proxy_pass all HTTPS requests to http://127.0.0.1:8080 but when I have a redirect from http://127.0.0.1:8080 to https://127.0.0.1:8080 it causes a redirection loop.

server {
    listen       443 ssl;
    server_name  127.0.0.1;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
      proxy_pass          http://127.0.0.1:8080;
    }
}

How do you solve that issue?

asked Mar 17 '15 22:03

user1854344


2 Answers

Regarding your nginx try the following:

upstream local8080 {
  server 127.0.0.1:8080;
}
## HTTP CONFIG
server {
  listen 80;
  server_name 127.0.0.1;
  return 301 https://$host$request_uri;
}

## SSL SERVER
server {
  listen 443 ssl http2;
  server_name 127.0.0.1;
  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # modern configuration. tweak to your needs.
  ssl_protocols TLSv1.2 TLSv1.1;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 127.0.0.1;

  ssl_certificate /etc/nginx/ssl/localhost.crt;
  ssl_certificate_key /etc/nginx/ssl/private/localhost.key;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # The PHP built-in server on 127.0.0.1:8080 speaks plain HTTP only; TLS ends at nginx
    proxy_pass http://local8080;
    root /usr/share/nginx/html;
  }
}

I use the above config in my local servers, so it should work. With that said, you need to ensure that SELinux is disabled, and FirewallD is allowing port 8080. By default, both will be enabled on a default Linux flavored install, so you must make changes.

You can place SSL certificates in any location, then point to them.

If you're trying to access from an external network, you'll need to allow port 8080 on your router.

If you need help with either SELinux or FirewallD, just let me know. I'll get you the code. If this is a local test environment, then just disable them until you get nginx running correctly.

answered Oct 24 '22 18:10

CodeMilitant
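
The usual cause of the loop described in the question, assuming the http-to-https redirect is issued by the PHP application itself: behind nginx the application only ever sees plain HTTP, so the redirect fires on every proxied request. The router script below is an added example, not part of the original thread; it assumes nginx also sends `proxy_set_header X-Forwarded-Proto $scheme;`, and `TRUSTED_PROXIES`, `CANONICAL_HOST`, `request_is_https` and `https_redirect_target` are hypothetical names.

```php
<?php
// Added example, not from the original thread. Router script for:
//   php -S 127.0.0.1:8080 router.php
// Assumption: the nginx location block also sends
//   proxy_set_header X-Forwarded-Proto $scheme;

const TRUSTED_PROXIES = ['127.0.0.1', '::1']; // assumed: nginx runs on this host
const CANONICAL_HOST  = '127.0.0.1';          // server_name from the nginx config

// True when the client-facing connection (browser to nginx) was HTTPS.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true; // direct TLS; never set by the built-in server itself
    }
    // Honor X-Forwarded-Proto only from the proxy: any other peer can forge it.
    if (!in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        return false;
    }
    return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null; // already HTTPS at the edge: no redirect, so no loop
    }
    // Fixed host instead of the client-supplied Host header (avoids open redirects).
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

if (PHP_SAPI === 'cli-server') {
    $target = https_redirect_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    return false; // hand the request back to the built-in server
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample requests: proxied over TLS, then a forged header from elsewhere.
    $proxied = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/a'];
    $forged  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/a'];
    var_dump(https_redirect_target($proxied), https_redirect_target($forged));
}
```

Because loopback peers are trusted here, keep the built-in server bound to 127.0.0.1 so that only the local nginx can reach it.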


Well, part of the problem is the way you are using proxy pass, I think.

As far as I can tell you are only listening on port 443, so I don't even think it would accept a port 80 connection in order for the proxy pass to happen.

Secondly, I have never seen proxy pass used for redirecting http to https, but I am also not 100% seasoned at nginx or apache, but I would typically use proxy pass for reverse proxying web requests to subdomains and other directories to various IPs.

Does this post help at all? The answer has a configuration in it:

nginx force ssl http

Let me know what you find out, I might have time to test this a bit later, but if you are only listening on port 443 and have it set up to only accept ssl, then an http request would simply fail saying server not reachable.

If you do actually want to have them be able to hit http, but to be forced over to an SSL connection I do not know if proxy pass is the correct way to do that.

Edit:

https://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

This looks correct

answered Oct 24 '22 20:10

wahyzcrak