Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 15 months ago

#20567 closed enhancement (duplicate)

is_ssl check for proxy forwarding

Reported by: Mvied
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

When using SSL in a proxy environment, sometimes the proxy is configured to set the X-Forwarded headers rather than modify the original response headers. This patch adds two additional conditionals to is_ssl to check for these X-Forwarded headers.

Attachments (1)

functions.php.patch (593 bytes) - added by Mvied 2 years ago.
/wp-includes/functions.php

Change History (6)

Mvied 2 years ago

/wp-includes/functions.php

comment:2 SergeyBiryukov 2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Actually, a duplicate of #15733.

comment:3 Mvied 2 years ago

The other ticket's patch only checks HTTP_X_FORWARDED_PROTO and not HTTP_X_FORWARDED_PORT. Should I upload a patch to the other ticket?

comment:4 nacin 2 years ago

Based on the comments in #15733, this is not a WordPress configuration issue. Set $_SERVER['HTTPS'] to whatever it is supposed to be on your environment via wp-config.php.

comment:5 webaware 15 months ago

There's a simple plugin in Gist that could easily be modified to work with whichever situation you have on your specific server. Maybe someone could turn it into a configurable plugin if they felt the urge :)

Explanation of Gist in this blog post

NB: note that it isn't safe to assume that these headers are added by the host; because they are non-standard headers, they can be added by the client, and thus some crafty prick could manufacture a situation where the request to the server tells it that SSL is enabled when it isn't, and perform a man-in-the-middle attack. I therefore recommend that core does not accept the patch on this ticket, and instead this function be handled by a plugin.

Last edited 15 months ago by webaware
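
The approach from comments 4 and 5, as an added example that is not part of the ticket, WordPress core, or the Gist: a wp-config.php fragment that sets $_SERVER['HTTPS'] from the X-Forwarded headers only when the request arrives from a known proxy. The function name, variable names and addresses (documentation ranges) are assumptions.

```php
<?php
// Added example for wp-config.php; not WordPress core code and not the Gist.
// Assumption: 192.0.2.10 is the only address your reverse proxy connects from.
$example_trusted_proxies = array( '192.0.2.10' );

/**
 * Decide whether the original client connection used HTTPS.
 * Forwarded headers are honoured only when the TCP peer (REMOTE_ADDR)
 * is a known proxy; from any other peer they are client-supplied input.
 */
function example_forwarded_https( array $server, array $trusted_proxies ) {
    $peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( ! in_array( $peer, $trusted_proxies, true ) ) {
        return false; // Not from the proxy: ignore X-Forwarded-* entirely.
    }
    $proto = isset( $server['HTTP_X_FORWARDED_PROTO'] )
        ? strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) ) : '';
    $port = isset( $server['HTTP_X_FORWARDED_PORT'] )
        ? trim( $server['HTTP_X_FORWARDED_PORT'] ) : '';
    return 'https' === $proto || '443' === $port;
}

if ( example_forwarded_https( $_SERVER, $example_trusted_proxies ) ) {
    $_SERVER['HTTPS'] = 'on'; // is_ssl() checks this value.
}

// Constructed requests showing both cases (drop these lines in a real config):
$via_proxy = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https' );
$spoofed   = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https' );
assert( true === example_forwarded_https( $via_proxy, $example_trusted_proxies ) );
assert( false === example_forwarded_https( $spoofed, $example_trusted_proxies ) );
```

The peer check only helps if the proxy overwrites any X-Forwarded-Proto and X-Forwarded-Port headers sent by the client instead of passing them through, and if the web server cannot be reached except through the proxy.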