We are an agency using Yii2 advanced for many of our clients, in most cases on the same domain. In some cases we use the same domain and the same login session on both front end and back end.
For one of our applications, we have a REST API front end and a UI-driven back end served under the same domain (only the back end has a standard login). This has worked for a long time, but the client recently decided to move all their resources to Windows 2019, which is where our issue started as we try to configure this.
Issue
When the front end (API) and back end (UI application) are served under the same domain, the pretty URL scheme does not work for the back end but works fine for the front end. A 400 Bad Request error is produced. The same application and configuration have worked on Linux for multiple years.
Works: https://domain/admin (if access rules allow this without login)
Anything with a slash does not work, for example:
https://domain/admin/site/index (even if access rules allow it without login)
If we assign each application (front and back) a separate domain, the pretty URL scheme works for both.
We tried a number of config variations without success. Any guidance on this is appreciated. I will provide details below, including the original config (inherited from the live Linux app) as well as some variations we tried.
Env:
- Windows Server 2019
- Yii2 version 2.0.43.
- Apache Lounge 2.4.54
- PHP 7.4.30
Frontend Original Config:
from main-local.php
'components' => [
    'request' => [
        'cookieValidationKey' => '<frontend-specific-key>',
    ],
],
from main.php
'basePath' => dirname(__DIR__),
'components' => [
    'request' => [
        'csrfParam' => '_csrf-<frontend-specific-string>',
    ],
    'user' => [
        'identityClass' => 'common\models\User',
        'enableAutoLogin' => true,
        'identityCookie' => ['name' => '_identity-<frontend-specific-string>', 'httpOnly' => true],
    ],
    'session' => [
        'name' => 'advanced-<frontend-specific-string>',
    ],
    'urlManager' => [
        'class' => 'yii\web\UrlManager',
        'enablePrettyUrl' => true,
        'showScriptName' => false,
        'rules' => [
            //...
        ],
    ],
],
*** CSRF validation is kept enabled
Backend Original Config:
from main-local.php
'components' => [
    'request' => [
        'cookieValidationKey' => '<backend-specific-key>',
    ],
],
from main.php
'basePath' => dirname(__DIR__),
'components' => [
    'request' => [
        'csrfParam' => '_csrf-<backend-specific-string>',
    ],
    'user' => [
        'identityClass' => 'common\models\User',
        'enableAutoLogin' => true,
        'identityCookie' => ['name' => '_identity-<backend-specific-string>', 'httpOnly' => true],
    ],
    'session' => [
        'name' => 'advanced-<backend-specific-string>',
    ],
    'urlManager' => [
        'class' => 'yii\web\UrlManager',
        'enablePrettyUrl' => true,
        'showScriptName' => false,
        'rules' => [
            //...
        ],
    ],
],
Relevant Windows Apache Lounge vhost config:
# Alias to the backend app as '/admin'
Alias /admin "${SRVROOT}/backend/web"
# prevent the directory redirect to the URL with a trailing slash
RewriteRule ^/admin$ /admin/ [L,PT]
<Directory ${SRVROOT}/backend/web>
    AllowOverride all
    <IfVersion < 2.4>
        Order Allow,Deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>
.htaccess on both the front-end and back-end apps:
# Turn on rewrite engine
RewriteEngine on
##< FRIENDLY URL> ##
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
##</ FRIENDLY URL> ##
Changes / things we tried that didn't work
# 1. -----------------------------------------------
'request' => [
    ...
    'csrfCookie' => [
        'httpOnly' => true,
        'path' => '/admin',
    ],
],
'user' => [
    ...
    'identityCookie' => [
        ...
        'path' => '/admin',
    ],
],
'session' => [
    ...
    'cookieParams' => [
        'path' => '/admin',
    ],
],
# -----------------------------------------------
# 2. -----------------------------------------------
# Making the front end and back end share the same PHP session (as in same login)
# 'components->session->name' is the same in frontend and backend (main.php)
# 'components->request->cookieValidationKey' is the same in frontend, backend and common (main-local.php) and common (codeception-local.php)
# -----------------------------------------------
# 3. -----------------------------------------------
# Adjusting urlManager in both apps
# Frontend: 'components->urlManager->baseUrl' = '/'
# Backend: 'components->urlManager->baseUrl' = '/admin'
# -----------------------------------------------
- identityCookie changed to:
'identityCookie' => ['name' => '_identity-<string>', 'httpOnly' => true, 'sameSite' => PHP_VERSION_ID >= 70300 ? yii\web\Cookie::SAME_SITE_LAX : null],
- Also tried various combinations of the above, as well as tinkering with the path params, such as adding an absolute URL using an alias like so: Yii::getAlias('@frontend_url') and/or Yii::getAlias('@backend_url') (which included /admin within the alias).
Again, all is okay under the CentOS and Ubuntu Linux distros with Apache 2+ and PHP 7+. The issue occurs only on Windows.
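Added example, not part of the post above: a small Python model of RFC 6265 cookie path matching applied to the cookie names and paths from the configs above (the distinct per-app names of the original configs, and tries #1 and #2 with a shared name and a '/admin' path), to check before deployment which cookies a browser would send to a front-end URL versus a back-end URL under /admin. All cookie names and paths are constructed samples.

```python
"""Cookie-scope check for two Yii2 apps (frontend at "/", backend aliased
at "/admin") served under one domain. Models RFC 6265 path matching to show
which cookies a browser sends to each app. All cookie data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str  # from request->csrfParam, user->identityCookie or session->name
    path: str  # Path attribute (csrfCookie / identityCookie / cookieParams 'path')
    app: str   # label only: which app set the cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: "/" matches every path; "/admin"
    matches "/admin" and "/admin/..." but not "/administrator"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar, request_path):
    """Cookies a browser would attach to a request for request_path."""
    return [c for c in jar if path_matches(c.path, request_path)]


def name_collisions(jar, request_path):
    """Names for which more than one cookie reaches request_path: PHP exposes
    one value per name, so the responding app may read the other app's."""
    by_name = {}
    for c in cookies_sent(jar, request_path):
        by_name.setdefault(c.name, []).append(c.app)
    return {n: apps for n, apps in by_name.items() if len(apps) > 1}


# Constructed jar 1: original configs, distinct names, default path "/".
DISTINCT_NAMES = [
    Cookie("advanced-front", "/", "frontend"),
    Cookie("advanced-back", "/", "backend"),
]
# Constructed jar 2: shared session name with the backend cookie scoped to
# /admin (try #1 + #2). The frontend's path-"/" cookie is still sent to
# /admin/..., so scoping only the backend does not keep the two apart.
SHARED_NAME = [
    Cookie("advanced-shared", "/", "frontend"),
    Cookie("advanced-shared", "/admin", "backend"),
]
```

Run `name_collisions(jar, "/admin/site/index")` on your own cookie names and paths: an empty result means each app only ever receives its own cookies for that URL.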