"final class" and CloudFlare proxification error
saippuakauppias opened this issue · 1 comments
If a site is proxied through ClaudFlare using the "Flexible" mode (Encrypts traffic between the browser and Cloudflare), we will always get the error: "Insecure use of middleware over HTTP denied by configuration.".
That's because you incorrectly define the use of the HTTPS protocol in the following lines: https://github.com/tuupola/slim-basic-auth/blob/3.2.1/src/HttpBasicAuthentication.php#L107-L111
When using proxying through cloud providers (CloudFlare), you should use the following code: https://gist.github.com/saippuakauppias/f1082a32f5797755b69b043d4852eda2
I tried to inherit your class and fix it to get around this limitation, but your class is declared as "final".
Why is that done?
PS: It is not possible to use the "Full" proxy mode in a CloudFlare, then you will need to set the slide certificate to nginx for each domain. This is a lot of manual work, which is difficult to automate (certificates are issued in the dashboard, most likely they can be issued through the API, but it's not such a task to spend a lot of time on integration with it).
Since Cloudflare is anyway accessing the API insecurely over http you could also just set.
$app->add(new Tuupola\Middleware\HttpBasicAuthentication([
"secure" => false
]));
There is practically no difference between this and trusting an arbitrary header.