Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 11 years ago

#20567 closed enhancement (duplicate)

is_ssl check for proxy forwarding

Reported by: Mvied
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: General
Keywords: has-patch
Focuses:
Cc:


When using SSL in a proxy environment, sometimes the proxy is configured to set the X-Forwarded headers rather than modify the original response headers. This patch adds two additional conditionals to is_ssl to check for these X-Forwarded headers.

Attachments (1)

functions.php.patch (593 bytes) - added by Mvied 12 years ago.


Change History (6)

12 years ago


#2 @SergeyBiryukov
12 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Actually, a duplicate of #15733.

#3 @Mvied
12 years ago

The other ticket's patch only checks HTTP_X_FORWARDED_PROTO and not HTTP_X_FORWARDED_PORT. Should I upload a patch to the other ticket?

#4 @nacin
12 years ago

Based on the comments in #15733, this is not a WordPress configuration issue. Set $_SERVER['HTTPS'] to whatever it is supposed to be on your environment via wp-config.php.

#5 @webaware
11 years ago

There's a simple plugin in Gist that could easily be modified to work with whichever situation you have on your specific server. Maybe someone could turn it into a configurable plugin if they felt the urge :)

Explanation of Gist in this blog post

NB: note that it isn't safe to assume that these headers are added by the host; because they are non-standard headers, they can be added by the client, and thus some crafty prick could manufacture a situation where the request to the server tells it that SSL is enabled when it isn't, and perform a man-in-the-middle attack. I therefore recommend that core does not accept the patch on this ticket, and instead this function be handled by a plugin.

Last edited 11 years ago by webaware
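
The approach from comments #4 and #5, written out as an added example (not code from the ticket, its patch, or the Gist): set $_SERVER['HTTPS'] in wp-config.php, but honour HTTP_X_FORWARDED_PROTO only when the connection comes from your own proxy. The proxy addresses and the helper name `example_request_was_https` are assumptions made for illustration.

```php
<?php
// Added example for wp-config.php, placed above the line that loads wp-settings.php.
// Assumption: the addresses your TLS-terminating proxy connects from
// (constructed placeholder values; replace with your own).
$example_trusted_proxies = array( '192.0.2.10', '192.0.2.11' );

/**
 * Decide whether the original client request used HTTPS.
 * Hypothetical helper, not a WordPress function.
 */
function example_request_was_https( array $server, array $trusted_proxies ) {
	// A direct TLS connection is already flagged by the web server itself.
	if ( isset( $server['HTTPS'] )
		&& in_array( strtolower( $server['HTTPS'] ), array( 'on', '1' ), true ) ) {
		return true;
	}

	// Forwarded headers are only believable when the TCP peer is our proxy;
	// any other client can put X-Forwarded-Proto in its own request.
	$peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	if ( ! in_array( $peer, $trusted_proxies, true ) ) {
		return false;
	}

	if ( empty( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
		return false;
	}

	// Chained proxies may send a list such as "https, http". Be conservative:
	// every hop has to report https, otherwise treat the request as plain HTTP.
	$hops = array_map( 'trim', explode( ',', strtolower( $server['HTTP_X_FORWARDED_PROTO'] ) ) );
	foreach ( $hops as $hop ) {
		if ( 'https' !== $hop ) {
			return false;
		}
	}
	return true;
}

if ( example_request_was_https( $_SERVER, $example_trusted_proxies ) ) {
	// This is the value comment #4 says to set for your environment.
	$_SERVER['HTTPS'] = 'on';
}
```

The check relies on REMOTE_ADDR being the proxy's real address, so the web server must be reachable only through the proxy or must itself reject direct connections.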