Opened 4 years ago
Last modified 4 years ago
#50339 new defect (bug)
setup-config.php serves mixed content when behind a TLS termination proxy
| Reported by: | simosx | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Upgrade/Install | Keywords: | reporter-feedback |
| Focuses: | | Cc: | |
Description
When you are setting up WordPress behind a TLS termination proxy, setup-config.php does not know about it and serves mixed content (URLs are http://...). Browsers now refuse to load http://... content if the displayed URL is https://....

setup-config.php should be able to detect whether it runs behind a TLS termination proxy, so that the initial setup of WordPress (it is a one-off thing) runs smoothly.
Attachments (2)
Change History (6)
#2 @ 4 years ago
- Keywords reporter-feedback added
Thanks for the ticket and for the patch @simosx.
Can you explain a little about the relationship between the TLS termination and the Upgrade Insecure Requests header please? As far as I know they are not connected, and your patch appears at first glance like it will cause any request to be upgraded in any browser that sends this header. It doesn't appear to be related to the scheme that the user intends to use for the site.
#3 @ 4 years ago
In addition, the normal way to get around the problem of TLS termination sending a plain HTTP request to the origin is to correctly configure your application to pass the HTTPS status through as per #31288, however this isn't possible during a request to setup-config.php so this needs a bit more investigation.
#4 @ 4 years ago
Thanks @johnbillion for looking into the patch.
Indeed, that HTTP field is not appropriate because it is client-side (browser).
The check should be on a server-side (from the TLS Termination Proxy) field.
I believe the appropriate HTTP field should be HTTP_X_FORWARDED_PROTO instead, when it is set to https.
#31288 has a list of four such fields that are in use in the wild. Would this be a case of checking for either of any of them, or selecting one of them?
I think the end result should be to avoid editing setup-config.php in order to make it run behind a TLS Termination Proxy.
Check whether we run behind a TLS Termination Proxy
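As an added illustration of the server-side check discussed in comment #4 (this is example code, not the ticket's patch and not WordPress core): a forwarded-scheme header is set by whatever connects to PHP, so it is only trustworthy when the immediate peer is a proxy the site operator controls, and the check therefore pairs the header with a trusted-proxy address list. The header names other than HTTP_X_FORWARDED_PROTO, the trusted-proxy list and the sample $_SERVER values are assumptions.

```php
<?php
/**
 * Decide whether the original client request used HTTPS when a TLS
 * termination proxy forwards plain HTTP to PHP.
 *
 * $server          - the $_SERVER array (or a constructed copy for testing)
 * $trusted_proxies - addresses of proxies allowed to assert the scheme
 *                    (assumed to be configured by the site operator)
 */
function request_is_https_behind_proxy( array $server, array $trusted_proxies ): bool {
	// Direct TLS on this host: no proxy logic needed.
	if ( ! empty( $server['HTTPS'] ) && 'off' !== strtolower( $server['HTTPS'] ) ) {
		return true;
	}
	if ( isset( $server['SERVER_PORT'] ) && '443' === (string) $server['SERVER_PORT'] ) {
		return true;
	}

	// Forwarded headers are only honoured from a known proxy; otherwise any
	// client could claim "https" and receive https-only URLs over plain HTTP.
	if ( ! isset( $server['REMOTE_ADDR'] ) || ! in_array( $server['REMOTE_ADDR'], $trusted_proxies, true ) ) {
		return false;
	}

	// Header names used by common reverse proxies and CDNs (assumption: which
	// one is present depends on the proxy in front of the site).
	if ( isset( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
		// May be a comma-separated chain; the first entry is the client's scheme.
		$first = strtolower( trim( explode( ',', $server['HTTP_X_FORWARDED_PROTO'] )[0] ) );
		return 'https' === $first;
	}
	if ( isset( $server['HTTP_X_FORWARDED_SSL'] ) ) {
		return 'on' === strtolower( $server['HTTP_X_FORWARDED_SSL'] );
	}
	if ( isset( $server['HTTP_FRONT_END_HTTPS'] ) ) {
		return 'on' === strtolower( $server['HTTP_FRONT_END_HTTPS'] );
	}
	return false;
}

// Constructed sample: plain-HTTP hop from a proxy that terminated TLS.
$sample = array(
	'REMOTE_ADDR'            => '10.0.0.2',
	'HTTPS'                  => 'off',
	'SERVER_PORT'            => '80',
	'HTTP_X_FORWARDED_PROTO' => 'https',
);
var_dump( request_is_https_behind_proxy( $sample, array( '10.0.0.2' ) ) ); // peer is the trusted proxy
var_dump( request_is_https_behind_proxy( $sample, array( '10.0.0.9' ) ) ); // same header, untrusted peer
```

The scheme chosen for the URLs that setup-config.php emits would then follow this result rather than the scheme of the hop PHP itself sees.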