Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49970 closed defect (bug) (duplicate)

Wrong is_ssl() result

Reported by: duxabilii Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.4
Component: Security Keywords:
Focuses: Cc:

Description

wp-includes/load.php
function is_ssl
wrong result when using https load proxy as load balancer
possible solution (in my case)

<?php
function is_ssl() {
        if ( isset( $_SERVER['HTTPS'] ) ) {
                if ( 'on' == strtolower( $_SERVER['HTTPS'] ) ) {
                        return true;
                }

                if ( '1' == $_SERVER['HTTPS'] ) {
                        return true;
                }
        } elseif ( isset( $_SERVER['SERVER_PORT'] ) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
                return true;
        } elseif ( isset( $_SERVER['HTTP_X_FORWARDED_PORT'] ) && ( '443' == $_SERVER['HTTP_X_FORWARDED_PORT'] ) ) {
                return true;
        }
        return false;
}

Change History (2)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Security
  • Keywords has-patch 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #31288.

This is something that comes up often, but is not something that can be fixed due to the nature of handling client-provided headers, which is what's needed to address the issue. See comment:17:ticket:31288 for more info.

The long and short of it is that this is a server-level configuration issue with reverse proxy web servers. It's not a WordPress issue, and it's not limited to WordPress. There's no need to modify the is_ssl() function. You just need to add something along the lines of the following to your wp-config.php file:

$_SERVER['HTTPS'] = 1;

Any proxy configuration is "supported" by WordPress, you just need to remap the $_SERVER['HTTPS'] server variable based on the particular proxy configuration you're using.
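
One way to do the remapping described in the comment above while still treating forwarded headers as client-provided input. This is an added example, not WordPress core code and not the commenter's: it sets $_SERVER['HTTPS'] in wp-config.php only when the connection comes from the proxy itself. The proxy addresses, the helper names and the use of the X-Forwarded-Proto header are assumptions to adapt to the proxy in use.

```php
<?php
// Added example for wp-config.php, placed above the line that loads wp-settings.php.
// Assumption: the TLS-terminating proxy connects from these addresses (constructed values).
$trusted_proxies = array( '10.0.0.5', '10.0.1.0/24' );

// Hypothetical helper: true when IPv4 address $ip is inside $range (single IP or CIDR).
// Assumes 64-bit PHP, where ip2long() returns a non-negative integer.
function example_ip_in_range( $ip, $range ) {
	if ( false === strpos( $range, '/' ) ) {
		$range .= '/32';
	}
	list( $subnet, $bits ) = explode( '/', $range, 2 );
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	$bits        = (int) $bits;
	if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
		return false; // Not IPv4 or malformed range: never trust.
	}
	$mask = ( 0 === $bits ) ? 0 : ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF;
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// Hypothetical helper: decide whether the original client request used HTTPS.
function example_request_was_https( array $server, array $trusted_proxies ) {
	$peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	foreach ( $trusted_proxies as $range ) {
		if ( example_ip_in_range( $peer, $range ) ) {
			// Believed only because the peer is the proxy, which must
			// overwrite any copy of this header sent by the client.
			return isset( $server['HTTP_X_FORWARDED_PROTO'] )
				&& 'https' === strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) );
		}
	}
	return false; // Direct or unknown peer: forwarded headers are client-controlled.
}

if ( example_request_was_https( $_SERVER, $trusted_proxies ) ) {
	$_SERVER['HTTPS'] = 'on';
}
```

The check fails closed: a request that reaches PHP without passing through a listed proxy leaves $_SERVER['HTTPS'] untouched, whatever forwarded headers it carries.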

This ticket was mentioned in Slack in #core by sergey.

4 years ago
