File upload over https fails signature verification #3084
Replies: 51 comments 28 replies
-
I have the same problem! |
Beta Was this translation helpful? Give feedback.
-
No, at the moment I've commented that line out, but that's not a solution at all... |
Beta Was this translation helpful? Give feedback.
-
This is because the traffic is proxied. You can set the trusted proxy in the The simplest way is to trust all proxies if you don't know them: protected $proxies = '*'; If you're behind Cloudflare or some kind of load balancer this also applies. |
Beta Was this translation helpful? Give feedback.
-
@dennisvandalen Thanks! It works! |
Beta Was this translation helpful? Give feedback.
-
In my case, the upload was working, but the Adjusting the trusted proxies didn't work, but commenting out:
in Not ideal, but wanted to add this in case anyone else is having issues with the |
Beta Was this translation helpful? Give feedback.
-
@alexpgates thanks for this, this whole issue cropped up for us when we were behind a load balancer and forcing https, just can't seem to get a valid signature under those circumstances. Ended up commenting out the above code in the vendor directory as @alexpgates mentioned, but also on FileUploadHandler which has a similar check. |
Beta Was this translation helpful? Give feedback.
-
It also fails with the 401 if the upload takes more than 5 minutes. Maybe this could be configurable? Currently it's hard coded in forLocal:
forS3:
|
Beta Was this translation helpful? Give feedback.
-
Same problem using cloudflare for ssl |
Beta Was this translation helpful? Give feedback.
-
Hi, In my case the same route but the issues is about request the url in http over https. I receve the message: This request has been blocked; the content must be served over HTTPS. |
Beta Was this translation helpful? Give feedback.
-
I am running my app in Docker, behind an apache proxy. I have tried this but it doesn't work for me. @calebporzio please shed some light on this issue. Thanks. UPDATE: The error for me only occurs when I am proxying the app and running it on a sub-directory. For apps running on the root of the domain there is no issue. |
Beta Was this translation helpful? Give feedback.
-
👋 Oh Hi! I'm Squishy, the friendly jellyfish that manages Livewire issues. I see this issue has been closed. Here in the Livewire repo, we have an "issues can be closed guilt-free and without explanation" policy. If for ANY reason you think this issue hasn't been resolved, PLEASE feel empowered to re-open it. Re-opening actually helps us track which issues are a priority. Reply "REOPEN" to this comment and we'll happily re-open it for you! (More info on this philosophy here: https://twitter.com/calebporzio/status/1321864801295978497) |
Beta Was this translation helpful? Give feedback.
-
@coolsam726 I'm having the exact same scenario: docker, behind reverse proxy, and using a subdomain any chance that you solved it further, and still didn't post more updates here?? |
Beta Was this translation helpful? Give feedback.
-
so i can confirm, "solution" here https://forum.laravel-livewire.com/t/file-upload-over-https-fails-signature-verification/1242 TLDR = comment out |
Beta Was this translation helpful? Give feedback.
-
Thank you @danilogiacomi ! Sorry that just now realised you must be Dan from the livewire forum, so it was you opening the issue originally! |
Beta Was this translation helpful? Give feedback.
-
Just to ping somehow setting TrustProxies with the following doesn't work for me, it resulted with route generated with a
Or I might be missing something here. |
Beta Was this translation helpful? Give feedback.
-
I faced the file upload signature verification problem when uploading user avatars via Livewire component in Laravel. The preview images of freshly uploaded files were not displayed by the Setting Earlier I added the following lines to the Nginx site configuration of the Forge service to improve browser caching of static assets:
Removing all image extensions from this setting fixed the problem. So, the final working setting is the following:
Now preview images of uploaded files are displayed correctly. As for caching of images, I moved all of them to the separate CDN server. |
Beta Was this translation helpful? Give feedback.
-
I may have spotted the cause for my situation. Nginx as reverse proxy to apache. Passing scheme header as X-Forwarded-Proto in Nginx EVEN if you use \URL::forceScheme( request()->header('X-Forwarded-Proto', 'https') ); or similar in your AppServiceProvers boot, the requsests url will still technically be http, by that I mean calling request()->url(), which is how hasValidSignature is verified. My trusted proxy and proto seems to be configured correctly. This is how the symphony works to create url with https or not. I know that my proto header is working, but sympony may be getting a variation of it like looking for 'X_FORWARDED_PROTO' when it should be 'HTTP_X_FORWARDED_PROTO' public function isSecure()
{
if ($this->isFromTrustedProxy() && $proto = $this->getTrustedValues(self::HEADER_X_FORWARDED_PROTO)) {
return \in_array(strtolower($proto[0]), ['https', 'on', 'ssl', '1'], true);
}
$https = $this->server->get('HTTPS');
return !empty($https) && 'off' !== strtolower($https);
} Anyway. What fixed it for me was adding this code alongside the normal 'forceScheme' request()->server->set('HTTPS', request()->header('X-Forwarded-Proto', 'https') == 'https' ? 'on' : 'off'); As can be seen in the isSecure() function, if the first part fails it looks to see if HTTPS is anything (except off) |
Beta Was this translation helpful? Give feedback.
-
Apparently the trusted proxies answer did not work.
This will upgrade any request that is sent over http to https instead, note by default most browsers to this automatically if the page being viewed is served over https but sometimes it would overlook other requests over http and simple do nothing, just like livewire upload. In this case we tell the browser to upgrade-insecure-requests all request instead. sources: |
Beta Was this translation helpful? Give feedback.
-
I fixed this with this middleware, in my case the querystring contained the path and because of that, the signature didn't match. So I intervened with a middleware to fix the querystring:
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
class QueryStringFixer
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
if (isset($_SERVER['QUERY_STRING']) && Str::startsWith($_SERVER['QUERY_STRING'], "/")) {
$parts = explode('&', htmlspecialchars_decode($_SERVER["QUERY_STRING"]));
array_shift($parts);
$new = [];
foreach ($parts as $v) {
$x = explode('=', $v);
$key = array_shift($x);
$value = implode('=', $x);
$new[$key] = $value;
}
$_SERVER['QUERY_STRING'] = http_build_query($new);
$request->server->set("QUERY_STRING", $_SERVER['QUERY_STRING']);
}
return $next($request);
}
}
\App\Http\Middleware\QueryStringFixer::class, This will fix the |
Beta Was this translation helpful? Give feedback.
-
We had the same issue with Linux web server on nginx behind nginx based reverse proxy and load balancer. Https traffic is terminated on LB so when forwarded to web server it is already http. And as described by [corbinjurgens] Laravel/Symphony determines if request isSecure() by checking x-forwarded-proto header. Knowing this we were able to fix issue by setting x-forwarded-proto header to “https” on reverse proxy when it proxys requests to web server. In that case Laravel treats request as secure. I believe such solution is more elegant (and independent of Laravel/Livewire code) in comparison to disabling isSecure() check in FileUploadHandler or by adding additional middleware inside application. |
Beta Was this translation helpful? Give feedback.
-
My problem was https://laravel.com/docs/9.x/octane#serving-your-application-via-https (I forgot set |
Beta Was this translation helpful? Give feedback.
-
I had the same issue with Cloudflare + load-balancer + laravel 9. Here are what I did solving this problem:
- TRUST_PROXIES=null
// set your load balancer ip to TRUST_PROXIES, I set * for my staging environment
+ TRUST_PROXIES='*'
location / {
proxy_pass http://YOUR_WEBSITE;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
#proxy_set_header X-Forwarded-Port 443;
} then file can be upload successfully. |
Beta Was this translation helpful? Give feedback.
-
Hello, I had the same problem, I put you in context, I have a liveware application running on an apache server that has Cpanel, it has the JetStream package installed. I got the error on the console every time I tried to upload the profile photo, with the error message: The :attribute field could not be uploaded. I tried all the previous solutions without any success, until I started to check the network status and preview the exception that I was getting. There I found the following error: |
Beta Was this translation helpful? Give feedback.
-
Hello, I had same problem and fixed it, modify nginx .conf file as following
|
Beta Was this translation helpful? Give feedback.
-
I'm using Filament 3, nginx reverse proxy and apache in a docker container. This worked for me:
|
Beta Was this translation helpful? Give feedback.
-
I finally got my project working behind a reverse proxy and in a sub-directory. I achieved this by combining a couple of solutions: Problem 1:
|
Beta Was this translation helpful? Give feedback.
-
For Laravel 11.x this worked for me: https://laravel.com/docs/11.x/requests#trusting-all-proxies (should probably add the correct proxy instead though!) |
Beta Was this translation helpful? Give feedback.
-
I've been facing this exact issue. It appears to do with the proxying from NGINX to the Octane daemon. I'm using Forge and Swoole and forcing HTTPS inside the NGINX proxy_set_header X-Forwarded-Proto "HTTPS"; |
Beta Was this translation helpful? Give feedback.
-
I got this problem and tried a few solutions without luck. I use ddev in my local development, and the following finally worked: Add to .ddev/nginx_full/nginx-site.conf:
The gotcha is, I tried this and it did not work, because ddev removed it as ddev owns the file and overwrites it. So, you have to remove line 3, which says: Thanks to @mvnobrega |
Beta Was this translation helpful? Give feedback.
-
Fille uploads doesn't work over https, whereas it works perfectly over http
Set up livewire file upload, then use https (e.g. with ngrok) the upload fails with the request to
Request URL: https://XYZ.ngrok.io/livewire/upload-file?expires=1593877850&signature=0c0b334969966e642854a730fdb78accd3c7332648291fc2449530f15cea7035
Request Method: POST
Status Code: 401 Unauthorized
Following the flow with the debugger the problem arises, in the vendor/livewire/livewire/src/Controllers/FileUploadHandler.php, in the handle method.
In particular in the
abort_unless(request()->hasValidSignature(), 401); line.
Commenting it out works around the problem (the uploads works) but of course is not optimal,
Context
Beta Was this translation helpful? Give feedback.
All reactions