Allow overload of is_ssl() via a filter

[superkus]

Hi !

Would it be possible to add the is_ssl() function to the list of functions that can be overloaded via a plug-in?

The reason for this is that in some cases where SSL Offloading is used (SSL managed by an external device to the web server, say an F5 or STunnel), the $_SERVER['HTTPS'] will be false because the web server is only listening on plain HTTP.

If we could overload this function via a plug-in, we could check other common HTTP Headers used by some devices when doing SSL Offloading, HTTP_X_FORWARDED_PROTO, HTTP_FRONT_END_HTTPS or even a custom one the sysadmin chooses to inject to the request to let the web server know if the connection is secure or not.

[SergeyBiryukov]

Related: #19337, #15733

[johnbillion]

That patch is faulty, $is_ssl will always be false due to line 3698.

[superkus]

patch adding apply_filters() to is_ssl()

[superkus]

Replying to johnbillion:

That patch is faulty, $is_ssl will always be false due to line 3698.

Ah yes, stupid error with an easy fix: fixed patch uploaded.

[nacin]

Might this filter be too low level for plugins to safely use? I feel like it may try to be used in place of other aspects like forcing SSL and what not, rather than for correcting the $_SERVER vars.

Chances are, someone filtering this will likely still need to forward on the remote IP and possibly the server port. And this filter does nothing for plugins checking $_SERVER['HTTPS'] on their own, which isn't "wrong" per se — is_ssl() is more of a helper function than a WordPress environment function.

[westi]

I've not tested this but I wouldn't be surprised to find it possible that we call is_ssl before apply_filters is available.

I think fixing the environment in wp-config.php is probably a more reliable way to ensure this on a site by site basis.

[gnotaras]

+1 for the filtering of is_ssl().

[nacin]

I still don't find this to be a good idea.

[dd32]

I'm going with Westi and Nacin here, filtering it doesn't achieve a good result.

Filtering it would be excellent if the value of the function could change during normal execution of a WordPress page load, but for low level configurations like this that are consistent with a request, you're far better off with defining it in wp-config.php like so:

if ( 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] )
   $_SERVER['HTTPS'] = 'on';

Either way, you have to add custom PHP, and doing it in your configuration file is the best location to ensure that all plugins and is_ssl() calls before plugins get loaded work correctly 100% of the time.