Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#15902 closed defect (bug) (wontfix)

is_ssl() Proxy Modification

Reported by: ctsonline
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

The current function is_ssl() does not work when using a proxy or load-balanced front end. If possible, it would be nice to add

        if ( isset($_SERVER['HTTP_FRONT_END_HTTPS']) )
        {
                if ( 'on' == strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) )
                        return true;
                if ( '1' == $_SERVER['HTTP_FRONT_END_HTTPS'] )
                        return true;
        }

to the core of that function to ensure that SSL works in this type of environment.
Thanks,
Seth

Change History (4)

comment:1 nacin 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

HTTP_FRONT_END_HTTPS isn't standard. We don't have support for this in core -- see #15733 and many other tickets.

comment:2 gnotaras 2 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

I've been talking about this on #wordpress.

In the following example setup, a secure Apache virtualhost (listening on 192.168.0.200:443) is set to work as a proxy that terminates the SSL connection and forwards the unencrypted traffic to the backend server running WordPress, which in this setup is another Apache virtualhost (listening on 127.0.0.1:8080).

These Apache virtualhosts are used as an example.

<VirtualHost 192.168.0.200:443>

    ServerName example.org:443
    
    SSLEngine on
    SSLCertificateFile /etc/pki/certs/example.org.crt
    SSLCertificateKeyFile /etc/pki/keys/example.org.key

    # Needs mod_proxy
    ProxyPreserveHost On
    ProxyErrorOverride Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    
    # Needs mod_headers
    # These headers are passed to the server running WP
    RequestHeader set X-Forwarded-Protocol https
    RequestHeader set X-Forwarded-Ssl on
    RequestHeader set X-Ssl-Is-On key123
    
</VirtualHost>


<VirtualHost 127.0.0.1:8080>
    ServerName example.org:8080
    DocumentRoot /var/www/vhosts/example.org/public_html
    <Directory /var/www/vhosts/example.org/public_html>
        AllowOverride None
        Options FollowSymLinks
        Order allow,deny
        Allow from All
        #
        # Configure it to execute PHP scripts
        #
    </Directory>
</VirtualHost>

My suggestion is that WordPress should let the user define a list of trusted HTTP headers that WordPress should interpret as "our proxy has sent us a trusted header, so let is_ssl() be True".

comment:3 nacin 2 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Instead of registering anything with WordPress (which is problematic, because plugins are loaded after we will want to know), just put something like this in your wp-config.php file to update $_SERVER with correct information: http://core.trac.wordpress.org/ticket/9235#comment:40.
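
Added example, not part of the ticket and not the snippet linked in comment:3: a wp-config.php fragment that sets $_SERVER['HTTPS'] from the X-Forwarded-Ssl / X-Forwarded-Protocol headers of the example virtualhost above, but only when the request arrives from the proxy's address, so a client that reaches the backend directly cannot claim HTTPS by sending the header itself. The helper name, the $trusted_proxies list and the 127.0.0.1 source address are assumptions taken from that example setup.

```php
<?php
// Added example (not WordPress core code). Assumption: the TLS-terminating
// proxy connects to the backend from 127.0.0.1, as in the example setup.
$trusted_proxies = array( '127.0.0.1' );

/**
 * Hypothetical helper: true only when the request came from a trusted proxy
 * AND that proxy states the client connection was HTTPS.
 */
function example_https_terminated_at_proxy( array $server, array $trusted_proxies ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return false; // Header could have been sent by anyone; ignore it.
    }
    // "RequestHeader set X-Forwarded-Ssl on" arrives as HTTP_X_FORWARDED_SSL.
    if ( isset( $server['HTTP_X_FORWARDED_SSL'] )
        && 'on' === strtolower( $server['HTTP_X_FORWARDED_SSL'] ) ) {
        return true;
    }
    // "RequestHeader set X-Forwarded-Protocol https"
    if ( isset( $server['HTTP_X_FORWARDED_PROTOCOL'] )
        && 'https' === strtolower( $server['HTTP_X_FORWARDED_PROTOCOL'] ) ) {
        return true;
    }
    return false;
}

// This is the part that belongs in wp-config.php: is_ssl() reads $_SERVER['HTTPS'].
if ( example_https_terminated_at_proxy( $_SERVER, $trusted_proxies ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests, evaluated only when this file is run directly
// from the command line (php thisfile.php), never during a web request.
if ( PHP_SAPI === 'cli' && isset( $_SERVER['SCRIPT_FILENAME'] )
    && realpath( $_SERVER['SCRIPT_FILENAME'] ) === __FILE__ ) {
    $samples = array(
        'via proxy, https'   => array( 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_SSL' => 'on' ),
        'via proxy, no flag' => array( 'REMOTE_ADDR' => '127.0.0.1' ),
        'direct, spoofed'    => array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_SSL' => 'on' ),
    );
    foreach ( $samples as $label => $server ) {
        $result = example_https_terminated_at_proxy( $server, $trusted_proxies );
        echo $label, ': ', var_export( $result, true ), PHP_EOL;
    }
}
```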

comment:4 gnotaras 2 years ago

@nacin

Thank you
