Laravel 8.x Signed URL within Azure App Service (PHP 8.0.27 + Nginx)

Kyle Jeynes 0 Reputation points
2023-02-23T16:59:39.82+00:00

Locally, I have created a docker container that attempts to mimic the SSL termination process inside Azure by utilising self-signed certificates via Traefik but I still cannot reproduce the issue I am facing.

Inside of Laravel, there is the ability to create a temporary signed URL (https://laravel.com/docs/10.x/urls#signed-urls). This utilises the environmental variables configured inside the app service, specifically the APP_URL. I have set this to the correct domain.

When I attempt to verify the signed route using the hasValidSignature method on the Request object, I receive false. Locally, this is working fine. My assumption is that the load balancing inside of Azure through Nginx and into the PHP-FPM instance is losing the request values set by the X-Forwarded-* headers.

Inside of my NGINX configuration, I do the following with PHP-FPM:

location ~ [^/]\.php(/|$) {
    # Custom Azure configuration to support laravel
    fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
    fastcgi_param HTTP_PROXY "";
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_intercept_errors on;

    # Azure pre-defined
    fastcgi_connect_timeout         300;
    fastcgi_send_timeout           3600;
    fastcgi_read_timeout           3600;

    # Buffers
    fastcgi_busy_buffers_size 512k;
    fastcgi_buffer_size 512k;
    fastcgi_buffers 16 512k;
    fastcgi_temp_file_write_size 512k;

    # Server hardening
    fastcgi_hide_header "x-powered-by";
}

How can I ensure that the request information is correctly carried through into PHP? Do I need to configure X-Forwarded-* headers? Do I need to specify any additional fastcgi_params to ensure the correct values are set in PHP?

Raised against this is a Stack Overflow question (https://stackoverflow.com/questions/75535841/laravel-8-x-signed-url-within-azure-app-service-php-8-0-27-nginx) that has a more detailed in-depth example on the PHP side and debug side.

Any help appreciated.

Azure App Service

1 answer

  1. Grmacjon-MSFT 19,151 Reputation points Moderator
    2023-02-28T04:32:56.7+00:00

    Hi @Kyle Jeynes

    We are sorry to hear you were facing this issue. Based on your Stack Overflow post it looks like you were able to resolve your issue by using the correct syntax locally in your NGINX configuration. Sharing your solution here so it helps others who might come across this same issue.

    "Ok the issue I had was that locally, this didn't technically work.

    In my NGINX configuration, I force an XDEBUG_SESSION_START header in the requests to enable local debug from the mobile application etc.

    This led to me using the WRONG syntax locally, I was missing the ! operator:

    if (!$request->hasValidSignature()) {
        abort(401);
    }
    

    This led to Azure working but not my local so I instead wrote this function to ignore additional params for local dev:

    private function hasValidSignature(): bool
    {
        $url = rtrim(request()->url() . '?' . Arr::query(Arr::except(request()->query(), ['signature', 'XDEBUG_SESSION_START'])), '?');
        $signature = hash_hmac('sha256', $url, app()->make('config')->get('app.key'));
    
        return hash_equals($signature, (string) request()->query('signature')) && !(now()->getTimestamp() > (string) request()->query('expires'));
    }
    

    Source: https://stackoverflow.com/questions/75535841/laravel-8-x-signed-url-within-azure-app-service-php-8-0-27-nginx

    Thanks again for sharing the solution that worked for you.

    -Grace
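
As an added example (not code from the original post, the Stack Overflow answer or Laravel itself), the sketch below models the check from the quoted solution in plain PHP: an HMAC-SHA256 over the URL with `signature` and an ignore list removed, followed by an expiry check. The function names, key, host and timestamps are constructed assumptions, and the URL rebuild covers scheme, host and path only.

```php
<?php
// Added example: plain-PHP model of the check discussed above (no Laravel needed).
// Function names, key, host and timestamps are constructed for illustration.

function canonicalUrl(string $url, array $ignore): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    // Drop the signature itself plus every parameter the verifier agrees to ignore.
    $query = array_diff_key($query, array_flip(array_merge(['signature'], $ignore)));
    $base = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    return rtrim($base . '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986), '?');
}

function signUrl(string $url, int $expires, string $key): string
{
    $url .= (str_contains($url, '?') ? '&' : '?') . 'expires=' . $expires;
    return $url . '&signature=' . hash_hmac('sha256', canonicalUrl($url, []), $key);
}

function verifyUrl(string $url, string $key, int $now, array $ignore = []): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    $expected = hash_hmac('sha256', canonicalUrl($url, $ignore), $key);
    $given = $query['signature'] ?? '';
    // Constant-time comparison, then the expiry check; a missing "expires" fails.
    $signatureOk = hash_equals($expected, is_string($given) ? $given : '');
    return $signatureOk && isset($query['expires']) && $now <= (int) $query['expires'];
}

$key = 'constructed-demo-key';
$now = 1700000000;
$signed = signUrl('https://app.example.test/unsubscribe?user=42', $now + 600, $key);
$withDebug = $signed . '&XDEBUG_SESSION_START=1';
$ignore = ['XDEBUG_SESSION_START'];

$cases = [
    'URL as issued, strict check'            => verifyUrl($signed, $key, $now),
    'debug parameter appended, strict check' => verifyUrl($withDebug, $key, $now),
    'debug parameter appended, ignored'      => verifyUrl($withDebug, $key, $now, $ignore),
    'signed parameter altered, ignore list'  => verifyUrl(str_replace('user=42', 'user=43', $withDebug), $key, $now, $ignore),
    'URL presented after expiry'             => verifyUrl($signed, $key, $now + 601),
];
foreach ($cases as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Parameters on the ignore list are not covered by the HMAC, so anyone holding a valid link can add or change them; keep the list empty outside local development.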
