Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#34298 closed defect (bug) (duplicate)

Amazon LB SSL / HTTP_X_FORWARDED_PROTO

Reported by: oskha's profile OskHa Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

extend is_ssl() method. Otherwise its not working with SSL over loadbalancer.

function is_ssl() {
	if ( isset($_SERVER['HTTPS']) ) {
		if ( 'on' == strtolower($_SERVER['HTTPS']) )
			return true;
		if ( '1' == $_SERVER['HTTPS'] )
			return true;
	} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
		return true;
	}

    if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' ) {
        return true;
    }
	return false;
}

Change History (7)

#1 @ocean90
9 years ago

  • Component changed from HTTP API to General
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.3.1 deleted

Hello OskHa, welcome to Trac.

Thanks for your report, it's something that comes up often:

#15733
WordPress Installation behind reverse-proxy ssl redirect loop
#19654
Allow overload of is_ssl() via a filter
#25222
Detect https correctly when behind a proxy/loadbalancer
#31288
IS_SSL should check return true for SSL Terminated load balancing
#31439
is_ssl not compatible with server - option for filter or hook
#32354
is_ssl() does not work on cloud hosting
#33730
ssl is not detecting for cloudflare
#34298
Amazon LB SSL / HTTP_X_FORWARDED_PROTO
#34912
wp-admin/load-styles.php not serving multiple assets over HTTPS
#39659
Offloaded SSL Detection
#40710
Improvement ssl detection
#57125
custom changes to wp-includes/functions.php overwritten by automatic upgrades, breaking Cloudflare or squid frontend


Please take a look at #31288 which provides information on how to solve this for your environment.

#2 @OskHa
9 years ago

thank you. the map solution for nginx looks promising.

#3 @Jasonheffner
9 years ago

I'm not sure if this helps or not .. we run behind several proxies as well and set this in wp-config.php to handle inconsistencies how SSL is handled in WP Core.

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS']='on';
}

#4 follow-up: @OskHa
9 years ago

yes, but its "dirty".

If someone likes it, here is the complete solution.

function additionalHttpsCheck () {
    if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' ) {
        $_SERVER['HTTPS'] = "on";
        $_SERVER['SERVER_PORT'] = '443';
    }

    is_ssl();
}

add_action ( 'init', 'additionalHttpsCheck', 1 );

#5 in reply to: ↑ 4 ; follow-up: @johnbillion
9 years ago

Replying to OskHa:

yes, but its "dirty".

It's worth pointing out that this isn't "dirty". This is literally the correct solution in order to add support for non-standard HTTP headers such as X_FORWARDED_PROTO which are sent as a result of using a reverse proxy, irrespective of whether you're using WordPress or not.

Also, there's no need for that code to be placed in an init callback (and will cause issues for code that uses URL functions prior to that hook). It should go directly in your wp-config.php file (minus the unnecessary call to is_ssl().

#6 @Jasonheffner
9 years ago

No offense taken.. it's also good to point out that you should have your reverse proxy servers remove the X_FORWARDED_PROTO headers and re-add them such that you can trust the values coming from your proxy servers; as noted in a few other comments on other tickets.

#7 in reply to: ↑ 5 @OskHa
9 years ago

Replying to johnbillion:

the is_ssl() should not be there, bad copy/paste.

I describe that as dirty only because you dont want to have all done in wp-config which is in .gitignore or have limited access to provisioned environment.

Replying to jasonheffner :

Yes its true. im just writing about some special case, which is for me AWS and the way i receive headers from the LB.

Last edited 9 years ago by OskHa (previous) (diff)
Note: See TracTickets for help on using tickets.