Opened 10 years ago
Closed 9 years ago
#28443 closed defect (bug) (duplicate)
SSL behind a load balancer
Reported by: | lracicot | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 2.6 |
Component: | Security | Keywords: | close needs-patch |
Focuses: | Cc: |
Description
The 'is_ssl()' function does not support the X-Forwarded-Proto, which is the right way to verify if the request is https behind a load balancer.
The solution suggested in the codex (http://codex.wordpress.org/Function_Reference/is_ssl) is to manually set the php server variable 'HTTPS', but this is not a good practice.
Attachments (1)
Change History (10)
#1
in reply to:
↑ description
@
10 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Replying to lracicot:
The solution suggested in the codex (http://codex.wordpress.org/Function_Reference/is_ssl) is to manually set the php server variable 'HTTPS', but this is not a good practice.
I'd argue it's not a bad practice to keep the application ignorant of the overall proxying setup. This is ultimately an environment configuration issue; the application shouldn't need to figure out how the headers are forwarded (X-Forwarded-* is a de facto standard, but I've seen SSL in particular be forwarded in a number of ways), or whether they can be trusted (an X-* header can simply be set by the client, with no way of knowing if it came from a proxy).
Security aside (which is a dealbreaker), there is also a risk of infinite redirects for suddenly obeying these fields.
#2
@
10 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
What I hear is that wordpress does not support and will not support ssl behind a load balancer. The reality here is that wordpress can be installed in a server without ssl, but with an https url (because it's behind a load balancer for example).
If the proposed solution isn't good enough, I'm still awaiting for a better one.
#3
@
10 years ago
WordPress.org itself runs on SSL behind a load balancer. Our environment is such that the application layer is passed information about the requesting client, not the load balancer's UA, IP, or protocol.
The only thing we could consider is something like http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html.
#5
@
10 years ago
I would like to point out that the thing that you said you would consider explicitly says that "By default, the following proxy headers are trusted: … X-Forwarded-Proto", which is exactly what you rejected.
The patch.