Some serverless solutions require you to whitelist certain headers or fields. It depends on your setup, so what exactly are you using for your hosting?
laravel XSRF-TOKEN missing
Hi,
I have Laravel 7 and all forms have @csrf; after submitting, the request returns and everything runs well locally. But after deploying to AWS serverless, after submitting, all forms return a 419 Page Expired. After checking on AWS serverless, set-cookie: XSRF-TOKEN is missing in the network inspector.
What is wrong? Any idea?
@bobbybouwmann thanks for reply.
This is my first time trying to deploy on AWS serverless Lambda. I haven't tried adding a whitelist header.
Well, have you followed a tutorial to set up everything correctly?
I always think that this tutorial is a really solid one: https://aws.amazon.com/blogs/compute/the-serverless-lamp-stack-part-4-building-a-serverless-laravel-application/
Yes, I followed everything in that link and set up everything correctly,
and I followed this link: bref.sh.
I don't know what setting is missing. CSRF seems to be rejected, and I have a login API with JWT; on success it returns a token, but when I use that token on another API link, the token is not the same.
How are you storing sessions?
Create on VPC
This is my .env:
APP_NAME="My CMS"
APP_ENV=production
APP_KEY=base64:LQO+ILW6BO6veWXkYBsIqcQSoqWSHsacYFrypweVavg=
APP_DEBUG=true
APP_URL=http://localhost/my_cms/public
APP_VERSION=0.1.1
LOG_CHANNEL=stderr
FILESYSTEM_DRIVER=s3
VIEW_COMPILED_PATH=/tmp/storage/framework/views
DB_CONNECTION=mysql
DB_HOST=mycms-dev-instance-1.xxx.ap-southeast-1.rds.amazonaws.com
DB_PORT=3306
DB_DATABASE=db_my_cms
DB_USERNAME=admin
DB_PASSWORD=admin123
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
And this is my serverless.yml:

service: my-cms

provider:
    name: aws
    # The AWS region in which to deploy (us-east-1 is the default)
    region: ap-southeast-1
    # The stage of the application, e.g. dev, production, staging… ('dev' is the default)
    stage: dev
    runtime: provided

package:
    # Directories to exclude from deployment
    exclude:
        - node_modules/**
        - public/storage
        - resources/assets/**
        - storage/**
        - tests/**

functions:
    # This function runs the Laravel website/API
    web:
        handler: public/index.php
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        layers:
            - ${bref:layer.php-74-fpm}
        events:
            - http: 'ANY /'
            - http: 'ANY /{proxy+}'
    # This function lets us run artisan commands in Lambda
    artisan:
        handler: artisan
        timeout: 120 # in seconds
        layers:
            - ${bref:layer.php-74} # PHP
            - ${bref:layer.console} # The "console" layer

resources:
    Resources:
        # CloudFront
        CloudFrontDistribution:
            Type: AWS::CloudFront::Distribution
            Properties:
                DistributionConfig:
                    Comment: My CloudFront Distribution
                    DefaultCacheBehavior:
                        TargetOriginId: MyFirstOrigin
                        ViewerProtocolPolicy: 'redirect-to-https'
                        DefaultTTL: 30
                        ForwardedValues:
                            QueryString: false
                    Enabled: true
                    Origins:
                        - Id: MyFirstOrigin
                          DomainName:
                              Fn::Join:
                                  - "."
                                  - - Ref: ApiGatewayRestApi
                                    - execute-api.ap-southeast-1.amazonaws.com
                          OriginPath: /dev
                          CustomOriginConfig:
                              HTTPPort: 80
                              HTTPSPort: 443
                              OriginProtocolPolicy: https-only
        # The S3 bucket that stores the assets
        Assets:
            Type: AWS::S3::Bucket
            Properties:
                BucketName: 'bucket-cms'
        # The policy that makes the bucket publicly readable
        AssetsBucketPolicy:
            Type: AWS::S3::BucketPolicy
            Properties:
                Bucket: !Ref Assets # References the bucket we defined above
                PolicyDocument:
                    Statement:
                        - Effect: Allow
                          Principal: '*' # everyone
                          Action: 's3:GetObject' # to read
                          Resource: !Join ['/', [!GetAtt Assets.Arn, '*']] # things in the bucket
                          # alternatively you can write out Resource: 'arn:aws:s3:::<bucket-name>/*'
        # CDN
        WebsiteCDN:
            Type: AWS::CloudFront::Distribution
            Properties:
                DistributionConfig:
                    Enabled: true
                    # Cheapest option by default (https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DistributionConfig.html)
                    PriceClass: PriceClass_100
                    # Enable http2 transfer for better performances
                    HttpVersion: http2
                    # Origins are where CloudFront fetches content
                    Origins:
                        # The website (AWS Lambda)
                        - Id: Website
                          DomainName: !Join ['.', [!Ref ApiGatewayRestApi, 'execute-api', !Ref AWS::Region, 'amazonaws.com']]
                          # This is the stage
                          OriginPath: "/${opt:stage, 'dev'}"
                          CustomOriginConfig:
                              OriginProtocolPolicy: 'https-only' # API Gateway only supports HTTPS
                        # The assets (S3)
                        - Id: Assets
                          DomainName: !GetAtt Assets.RegionalDomainName
                          S3OriginConfig: {} # this key is required to tell CloudFront that this is an S3 origin, even though nothing is configured
                          # If you host a static website, like a SPA, use s3-website URLs instead of the config above
                          # See https://stackoverflow.com/questions/15309113/amazon-cloudfront-doesnt-respect-my-s3-website-buckets-index-html-rules#15528757
                          # DomainName: !Select [2, !Split ["/", !GetAtt Assets.WebsiteURL]]
                          # CustomOriginConfig:
                          #     OriginProtocolPolicy: 'http-only' # S3 websites only support HTTP
                          # You'll also need to enable website hosting on your s3 bucket by configuring the WebsiteConfiguration property
                          # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-websiteconfiguration
                    # The default behavior is to send everything to AWS Lambda
                    DefaultCacheBehavior:
                        AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
                        TargetOriginId: Website # the PHP application
                        # Disable caching for the PHP application https://aws.amazon.com/premiumsupport/knowledge-center/prevent-cloudfront-from-caching-files/
                        DefaultTTL: 0
                        MinTTL: 0
                        MaxTTL: 0
                        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-forwardedvalues.html
                        ForwardedValues:
                            QueryString: true
                            Cookies:
                                Forward: all # Forward cookies to use them in PHP
                            # We must *not* forward the `Host` header else it messes up API Gateway
                            Headers:
                                - 'Accept'
                                - 'Accept-Language'
                                - 'Origin'
                                - 'Referer'
                        ViewerProtocolPolicy: redirect-to-https
                    CacheBehaviors:
                        # Assets will be served under the `/assets/` prefix
                        - PathPattern: 'assets/*'
                          TargetOriginId: Assets # the static files on S3
                          AllowedMethods: [GET, HEAD]
                          ForwardedValues:
                              # No need for all that with assets
                              QueryString: 'false'
                              Cookies:
                                  Forward: none
                          ViewerProtocolPolicy: redirect-to-https
                          Compress: true # Serve files with gzip for browsers that support it (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html)
                    CustomErrorResponses:
                        # Do not cache HTTP errors
                        - ErrorCode: 500
                          ErrorCachingMinTTL: 0
                        - ErrorCode: 504
                          ErrorCachingMinTTL: 0

plugins:
    # We need to include the Bref plugin
    - ./vendor/bref/bref
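As an added example (not code from the thread, from Laravel or from Bref), here is a small Python check over the two CloudFront DistributionConfig blocks in the serverless.yml above, transcribed into dicts. It flags behaviours in front of the API Gateway/Lambda origin that do not forward cookies or that cache responses, since CloudFront strips Set-Cookie from origin responses when cookies are not forwarded, which is exactly how a cookie-based Laravel session and its XSRF-TOKEN cookie go missing.

```python
# Added example, not from the thread: flags CloudFront cache behaviours that break
# Laravel's cookie-based session and the XSRF-TOKEN cookie. CloudFront drops
# Set-Cookie from origin responses unless cookies are forwarded, and a positive
# TTL lets one user's response be served to another. The dicts below are
# transcribed from the serverless.yml in this thread.

FIRST_DISTRIBUTION = {
    "Origins": [{"Id": "MyFirstOrigin", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}],
    "DefaultCacheBehavior": {"TargetOriginId": "MyFirstOrigin", "DefaultTTL": 30,
                             "ForwardedValues": {"QueryString": False}},
}
WEBSITE_CDN = {
    "Origins": [{"Id": "Website", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
                {"Id": "Assets", "S3OriginConfig": {}}],
    "DefaultCacheBehavior": {"TargetOriginId": "Website", "DefaultTTL": 0, "MinTTL": 0, "MaxTTL": 0,
                             "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"},
                                                 "Headers": ["Accept", "Accept-Language", "Origin", "Referer"]}},
    "CacheBehaviors": [{"PathPattern": "assets/*", "TargetOriginId": "Assets",
                        "ForwardedValues": {"QueryString": "false", "Cookies": {"Forward": "none"}}}],
}


def dynamic_origin_ids(dist_config):
    """CustomOriginConfig marks the API Gateway/Lambda origin; S3OriginConfig marks static assets."""
    return {o["Id"] for o in dist_config.get("Origins", []) if "CustomOriginConfig" in o}


def check_distribution(name, dist_config):
    """Return findings for every behaviour that routes to the PHP application."""
    findings = []
    dynamic = dynamic_origin_ids(dist_config)
    behaviours = [("DefaultCacheBehavior", dist_config["DefaultCacheBehavior"])]
    behaviours += [(f"CacheBehaviors[{b['PathPattern']}]", b) for b in dist_config.get("CacheBehaviors", [])]
    for label, behaviour in behaviours:
        if behaviour["TargetOriginId"] not in dynamic:
            continue  # static S3 assets: caching without cookies is the right setting there
        forward = behaviour.get("ForwardedValues", {}).get("Cookies", {}).get("Forward", "none")
        if forward != "all":
            findings.append(f"{name}.{label}: Cookies.Forward is '{forward}'; Set-Cookie "
                            "(session cookie, XSRF-TOKEN) is stripped before reaching the browser")
        ttl = behaviour.get("DefaultTTL", 86400)  # CloudFormation default is one day
        if ttl > 0:
            findings.append(f"{name}.{label}: DefaultTTL={ttl} caches per-user responses")
    return findings


if __name__ == "__main__":
    for dist_name, cfg in (("CloudFrontDistribution", FIRST_DISTRIBUTION), ("WebsiteCDN", WEBSITE_CDN)):
        print(dist_name, check_distribution(dist_name, cfg) or ["ok"])
```

Run against the thread's file, the first distribution (no cookie forwarding, DefaultTTL 30) produces two findings while the WebsiteCDN distribution passes; anything else behind the same API Gateway origin should be checked the same way.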