CakePHP 3.4.2 server behind a reverse proxy / DebugKit issue

Hi all,

For security reasons (don't ask me why :wink:), I have to set up a server running CakePHP 3.4.2 behind a reverse proxy.
For example the server is accessed by the URL but is in reality running on the domain, the reverse proxy making a request to the cakephp server url for the users.

Since the DebugKit toolbar uses the Router::url command for adding the script URL dynamically in the response content, the toolbar doesn't work because of a CORS protection.
Is there any way to change this behaviour? I tried to modify fullBaseUrl without success…
Are there other core functions that don't support this kind of setup?


I was one of the first adopters of CakePHP some 10 or 11 years ago. I abandoned the framework and wrote my own for the company I currently work for. However, I took another look at Cake a few weeks ago and decided to give it a try again, as it seems to have resolved a lot of the issues I left it for. I got everything installed on my Linux laptop and the world was good. Well, today I've put it on one of my development servers, which, as the OP above stated, is behind a reverse proxy, and Router::url fails as it is, I'm assuming, attaching to HTTP_HOST and rendering out that environment variable. However, in my own framework I overcame this by using a conditional looking for HTTP_X_FORWARDED_HOST and falling back to HTTP_HOST if X wasn't set. Is there any way to override this without doing harm to the entire framework?

I've modified ToolbarService.php to hard-code the URLs for the data-url and src and was able to get the Cake icon to render properly and the bar opens up; however, I'm still unable to open up each subsequent panel, which tells me there are a whole lot of other URLs which are jacked up from this.

I will say our network is configured this way on purpose for a third party IDS system which watches our network for intrusions.

Could we please have some Cake developer look into this? Thanks.

After much debugging, moving backwards through the methods and nailing things down:

Here is the answer for anyone else who might come across this and get frustrated by it.

In config/app.php, 'fullBaseUrl' => false should be changed to the fully qualified domain name; this will override reading environment variables!

Hope this helps someone else!
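
The HTTP_X_FORWARDED_HOST / HTTP_HOST fallback mentioned in the thread, written out as an added example in plain PHP 7+ (not code from CakePHP, DebugKit or either poster). The proxy address, hostnames and the function name resolveBaseUrl are assumptions; the point it shows is that both headers arrive with the request, so the forwarded host is honoured only from the known proxy and only when it matches an allow-list, with the pinned URL (the fullBaseUrl approach from the last post) as the default.

```php
<?php
// Added example: every name, address and hostname here is constructed for illustration.
const TRUSTED_PROXIES = ['10.0.0.5'];                                  // reverse proxy address (assumed)
const ALLOWED_HOSTS   = ['app.example.com', 'staging.example.com'];    // public hostnames (assumed)
const FIXED_BASE_URL  = 'https://app.example.com';                     // value you would pin in fullBaseUrl

/** Resolve the public base URL from a $_SERVER-style array. */
function resolveBaseUrl(array $server): string
{
    // Forwarded headers mean something only when the direct peer is our own proxy.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);

    // Prefer X-Forwarded-Host, fall back to Host, as described in the thread.
    $host = ($fromProxy && !empty($server['HTTP_X_FORWARDED_HOST']))
        ? $server['HTTP_X_FORWARDED_HOST']
        : ($server['HTTP_HOST'] ?? '');
    $host = strtolower(trim($host));

    // Both headers are request data: anything off the allow-list gets the pinned URL.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return FIXED_BASE_URL;
    }

    $https = ($fromProxy && ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https')
        || (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off');
    return ($https ? 'https' : 'http') . '://' . $host;
}

// Constructed sample requests.
$samples = [
    'via trusted proxy' => [
        'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal',
        'HTTP_X_FORWARDED_HOST' => 'staging.example.com', 'HTTP_X_FORWARDED_PROTO' => 'https',
    ],
    'header set by untrusted peer' => [
        'REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'backend.internal',
        'HTTP_X_FORWARDED_HOST' => 'other.example',
    ],
    'no forwarded header' => [
        'REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'backend.internal',
    ],
];
foreach ($samples as $label => $server) {
    printf("%-30s %s\n", $label, resolveBaseUrl($server));
}
```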