WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 9 months ago

#19654 closed enhancement (invalid)

Allow overload of is_ssl() via a filter

Reported by: superkus Owned by:
Milestone: Priority: normal
Severity: minor Version: 3.3
Component: Plugins Keywords: 2nd-opinion
Focuses: Cc:

Description

Hi !

Would it be possible to add the is_ssl() function to the list of functions that can be overloaded via a plug-in?

The reason for this is that in some cases where SSL Offloading is used (SSL managed by an external device to the web server, say an F5 or STunnel), the $_SERVER['HTTPS'] will be false because the web server is only listening on plain HTTP.

If we could overload this function via a plug-in, we could check other common HTTP Headers used by some devices when doing SSL Offloading, HTTP_X_FORWARDED_PROTO, HTTP_FRONT_END_HTTPS or even a custom one the sysadmin chooses to inject to the request to let the web server know if the connection is secure or not.

Attachments (1)

functions.patch (736 bytes) - added by superkus 2 years ago.
patch adding apply_filters() to is_ssl()

Download all attachments as: .zip

Change History (11)

comment:1 SergeyBiryukov2 years ago

Related: #19337

Version 0, edited 2 years ago by SergeyBiryukov (next)

comment:2 follow-up: johnbillion2 years ago

That patch is faulty, $is_ssl will always be false due to line 3698.

superkus2 years ago

patch adding apply_filters() to is_ssl()

comment:3 in reply to: ↑ 2 superkus2 years ago

Replying to johnbillion:

That patch is faulty, $is_ssl will always be false due to line 3698.

Ah yes, stupid error with an easy fix: fixed patch uploaded.

comment:4 ryan2 years ago

  • Milestone changed from Awaiting Review to 3.4

comment:5 nacin2 years ago

Might this filter be too low level for plugins to safely use? I feel like it may try to be used in place of other aspects like forcing SSL and what not, rather than for correcting the $_SERVER vars.

Chances are, someone filtering this will likely still need to forward on the remote IP and possibly the server port. And this filter does nothing for plugins checking $_SERVER['HTTPS'] on their own, which isn't "wrong" per se — is_ssl() is more of a helper function than a WordPress environment function.

comment:6 westi2 years ago

I've not tested this but I wouldn't be surprised to find it possible that we call is_ssl before apply_filters is available.

I think fixing the environment in wp-config.php is probably a more reliable way to ensure this on a site by site basis.

comment:7 gnotaras2 years ago

+1 for the filtering of is_ssl().

comment:8 ryan2 years ago

  • Milestone changed from 3.4 to Future Release

comment:9 nacin2 years ago

  • Keywords 2nd-opinion added
  • Milestone changed from Future Release to Awaiting Review

I still don't find this to be a good idea.

comment:10 dd329 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I'm going with Westi and Nacin here, filtering it doesn't achieve a good result.

Filtering it would be excellent if the value of the function could change during normal execution of a WordPress page load, but for low level configurations like this that are consistent with a request, you're far better off with defining it in wp-config.php like so:

if ( 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] )
   $_SERVER['HTTPS'] = 'on';

Either way, you have to add custom PHP, and doing it in your configuration file is the best location to ensure that all plugins and is_ssl() calls before plugins get loaded work correctly 100% of the time.

Note: See TracTickets for help on using tickets.