How to disable HTTPS or change to HTTP in dev and prod version on symfony?

Question

My problem is like in the title.

In my project i tried to add HTTPS to /login and /admin routes. Both routes are imported from third party bundles: login from FOSUserBundle and admin from EasyAdminBundle . To achieve that I added requires_channel: https to the security.yml file, like it was described in this thread https://symfony.com/doc/current/security/force_https.html .
My access_control section looked like:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN, requires_channel: https }

I started the site through built-in server to check if it will force https connection and it was. Obviously there was an error because symfony built-in server doesn't support ssl connections but in the address bar there was https:// . I uploaded this version to the server and I wanted to continue working on the next functionality, so I deleted the requires_channel entry but when I launch the page by typing php bin/console server:start 0.0.0.0:80 and typing in the browser address bar localhost/admin symphony still forces https. My next guess was to change requires_channel: https to requires_channel: http but that did not work either.
The same happens on the production server, ie HTTPS is still enforced when requires_channel is removed or set to HTTP, but there i can live with that because in the end i will have to generate certificate and launch ssl connection in apache config files, but I can't work on dev version.

I looked for similar issues but mostly if threads was about symfony and HTTP or HTTPS, people asks how to force HTTPS but this I already did. I can't find similar problem to mine so please if someone have any idea what goes wrong feel free to response or if anyone already solved my problem or very similar one please paste links.


Full content of security.yml file:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
            logout:       true
            anonymous:    true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: "%router.request_context.scheme%" }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN, requires_channel: "%router.request_context.scheme%" }

Answer 1

Finally I managed to find solution for my problem.

As I suspected there was some data in system and browser cache, although I was clearing symfony cache, there still was some forcing https:// on login and admin routes.

What I done is clearing all possible cache using BleachBit , and now it works as it should.

Thank you all, for your time.

Answer 2

With issues not changing in dev - clear the symfony cache.

As for selecting https://, or not, try using a "%parameter%", it certainly works in my routing.yml files - schemes: ["%httpProtocol%"] , set in parameters.yml.dist file - just be sure to set it on a live/production to 'https' `.

Answer 3

Extending Alister Bulman's Answer.

Rather use the 'router.request_context.scheme' param so that your whole symfony application has the correct scheme.

End result would be:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: "%router.request_context.scheme%" }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN, requires_channel: "%router.request_context.scheme%" }

Also add the schemes to your routes:

main:
    type: annotation
    schemes: "%router.request_context.scheme%"
    resource: '../src/Application/Controller/'

Answer 4

I had the same problem, putting at first requires_channel: https to the security.yml then removing it, when I connected back to http://localhost/app_dev.php/admin it still forces me with https and put me 403 error with a forbiddden access… even if I manually removed the "s". I made a php bin/console cache:clear , restarted XAMPP but still the same problem. But with another browser like Safari, http worked fine. The instruction for the URL was in fact stored in the Chrome browser cache because it has a TTL defined by Symfony. So just delete the browser cache.

Answer 5

For symfony 4.4: I've created a file .env.local.php and on my local machine I've added there:

return array('APP_CHANNEL' => 'http');

On my production server I have the same file but with 'https' instead. Of course this .env.local.php file is ignored by git.

Then in my security.yml file I've added:

access_control:
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(APP_CHANNEL)%' }
    - { path: ^/portal, roles: ROLE_USER, requires_channel: '%env(APP_CHANNEL)%' }

I can now simply control if my dev/prod environment must use https or not. Redirection is done in .htaccess file which is also ignored by git, so it is not being sent to my production server. But I'm still learning, so there may be a better way of doing that. Cheers.