Opened 10 years ago
Closed 8 years ago
#28658 closed defect (bug) (duplicate)
is_ssl() may fail on ssl, relying on mod_ssl.
Reported by: | mampf | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.9.1 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
Dear developers,
in functions.php, you rely on reading
$_SERVER['HTTPS'] '443' == $_SERVER['SERVER_PORT']
to detect wether SSL is enabled or not. This is not sufficient.
The hoster uberspace (and probably many more) use pound as https frontend. Pound and others will not set 'HTTPS', but 'ENV:HTTPS'.
Thus, if on a pound server with a non-standard-port, this function will return "false" when the opposite is true.
Please check for ENV:HTTPS as well (and probably others).
Thanks.
Change History (5)
#2
@
10 years ago
Hello John,
I think it just can't. This "proxy" is transparent to apache, like apache/nginx is transparent to tomcat. I don't know how the port is set correctly in apache. Honestly I don't know why pound is not able to change $_SERVERHTTP?.
A long-term solution would be to mark this function as deprecated and only set the server-relative path (host/path) everywhere, omnitting the protocol (http: or https:). The downside: You'd need to change every image-link in the database.
I think there might be legitimate situations where a proxy cannot change the environment variable. Perhaps a ticket on pound's bug tracker would be helpful.
#5
@
8 years ago
- Keywords reporter-feedback 2nd-opinion removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Ultimately it's down to the server configuration to properly let the applications know that SSL is in use - forwarding variables which the application cannot detect as coming from a legitimate upstream is a challenge in itself, which has been greatly discussed in #31288
Thanks for the report mampf.
Here are some previous discussions relating to SSL proxies / load balancers: #19337, #24394, #28443. The consensus is that the proxy should be correctly setting the environment variables rather than each application having to check multiple different environment variables in an attempt to support many different possible configurations.
For what reason does Pound not set the
HTTPS
environment variable?