WordPress.org

Make WordPress Core

Opened 2 months ago

Last modified 8 weeks ago

#50339 new defect (bug)

setup-config.php serves mixed content when behind a TLS termination proxy

Reported by: simosx Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords: reporter-feedback
Focuses: Cc:

Description

When you are setting up WordPress behind a TLS termination proxy,
setup-config.php does not know about it and serves mixed content (URLs are http://...).
Browsers now refuse to load http://... content if the displayed URL is https://....

setup-config.php should be able to detect whether it runs behind a TLS termination proxy, so that the initial setup of WordPress (it is a one-off thing) runs smoothly.

Attachments (2)

setup-check-if-behind-tls-termination-proxy.diff (464 bytes) - added by simosx 2 months ago.
Check whether we run behind a TLS Termination Proxy
wordpress-tls-termination.diff (463 bytes) - added by simosx 8 weeks ago.
Enables HTTPS is HTTP_X_FORWARDED_PROTO is set to https

Download all attachments as: .zip

Change History (6)

@simosx
2 months ago

Check whether we run behind a TLS Termination Proxy

#1 @SergeyBiryukov
8 weeks ago

  • Component changed from General to Upgrade/Install

#2 @johnbillion
8 weeks ago

  • Keywords reporter-feedback added

Thanks for the ticket and for the patch @simosx .

Can you explain a little about the relationship between the TLS termination and the Upgrade Insecure Requests header please? As far as I know they are not connected, and your patch appears at first glance like it will cause any request to be upgraded in any browser that sends this header. It doesn't appear to be related to the scheme that the user intends to use for the site.

#3 @johnbillion
8 weeks ago

In addition, the normal way to get around the problem of TLS termination sending a plain HTTP request to the origin is to correctly configure your application to pass the HTTPS status through as per #31288, however this isn't possible during a request to setup-config.php so this needs a bit more investigation.

@simosx
8 weeks ago

Enables HTTPS is HTTP_X_FORWARDED_PROTO is set to https

#4 @simosx
8 weeks ago

Thanks @johnbillion for looking into the patch.

Indeed, that HTTP field is not appropriate because it is client-side (browser).
The check should be on a server-side (from the TLS Termination Proxy) field.

I believe the appropriate HTTP field should be HTTP_X_FORWARDED_PROTO instead, when it is set to https.

#31288 has a list of four such fields that are in use in the wild. Would this be a case of checking for either of any of them, or selecting one of them?

I think the end result should be to avoid editing setup-config.php in order to make it run behind a TLS Termination Proxy.

Last edited 8 weeks ago by simosx (previous) (diff)
Note: See TracTickets for help on using tickets.