Forcing HTTPS in Symfony PHP causes redirect loop behind AWS load balancer

Question

I am trying to force HTTPS in my Symfony PHP application. The docs on this topic seem pretty straight-forward:

# config/routes.yaml
secure:
    path:       /secure
    controller: App\Controller\MainController::secure
    schemes:    [https]

Basically just add schemes: [https] to the route.

But when I do this in my application and deploy (to an AWS EC2 instance using a load balancer) it appears to create a redirect loop.

What might be the issue here?

Answer 1

The docs say:

Forcing HTTPS while using a reverse proxy or load balancer requires a proper configuration to avoid infinite redirect loop

Which in turn takes you here. Since you can't know the IP address of your load balancer (because AWS), the docs say:

Some reverse proxies (like AWS Elastic Load Balancing) don't have a static IP address or even a range that you can target with the CIDR notation. In this case, you'll need to - very carefully - trust all proxies.

1. Configure your web server(s) to not respond to traffic from any clients other than your load balancers. For AWS, this can be done with security groups.

2. Once you've guaranteed that traffic will only come from your trusted reverse proxies, configure Symfony to always trust incoming request:

// public/index.php

// ...
Request::setTrustedProxies(
   // trust *all* requests
   ['127.0.0.1', $request->server->get('REMOTE_ADDR')],>

   // if you're using ELB, otherwise use a constant from above
   Request::HEADER_X_FORWARDED_AWS_ELB
);

If you follow this steps, and everything else is configured correctly, you should be good to go.