Bug #32341
$_SERVER['HTTPS'] vs. $_SERVER['HTTP_HTTPS'] nginx
| Status: | Needs Feedback | Start date: | 2011-12-06 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assignee: | Michael Stucki | % Done: | 0% |
| Category: | Frontend | | |
| Target version: | - | | |
| TYPO3 Version: | 4.5 | Complexity: | |
| PHP Version: | 5.3 | | |
| Votes: | 0 | | |
Description
Hi,
TYPO3 looks for "$_SERVER['HTTPS']", but nginx "proxy_set_header HTTPS 1" sets "$_SERVER['HTTP_HTTPS']".
So I think TYPO3 has to check this in t3lib/class.t3lib_div.php on line 4153:
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE;
Solution:
$retVal = $_SERVER['SSL_SESSION_ID'] || (!strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1')) && (!strcasecmp($_SERVER['HTTP_HTTPS'], 'on') || !strcmp($_SERVER['HTTP_HTTPS'], '1')) ? TRUE : FALSE;
Something like that, or a smaller solution. ;-)
Regards,
Related issues
| related to Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL check | Rejected | 2011-09-12 |
History
Updated by Michael Stucki over 1 year ago
- Status changed from New to Needs Feedback
- Assignee set to Michael Stucki
Please take a look at the very similar issue #29693.
Although I brought that up myself, I agree meanwhile that it's not a good solution because the header can be forged by a remote user, thus telling the server that the connection is HTTPS when it actually isn't.
Fabrizio Branca brought up a much better solution which is explained in detail on his blog:
http://www.fabrizio-branca.de/nginx-varnish-apache-magento-typo3.html
- Nginx: Set a header "HTTPS" to "" by default (to override existing headers) or to "on" when running with HTTPS
- Apache: SetEnvIf HTTPS on HTTPS=on
If you agree about such a solution, I would like to close the request therefore. OK with you?
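The proxy-side override described in the comment above, written out as an nginx configuration. This is an added example, not taken from the ticket or from the linked blog post; the `map` variable name, server name, backend address and certificate paths are assumptions.

```nginx
# Constructed example for inclusion in the http {} context.
# Derive the value sent upstream from the scheme nginx itself terminated,
# never from anything the client sent.
map $scheme $upstream_https {
    default "";
    https   "on";
}

upstream backend {
    # Placeholder address. Assumed to be reachable only from the proxy;
    # otherwise a client can still send the header to the backend directly.
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.org;              # placeholder name

    location / {
        # Weak variants:
        #   proxy_set_header HTTPS 1;     # fixed value, wrong for plain HTTP
        #   (no directive at all)         # a client-sent "HTTPS: on" passes through
        # Setting the field to "" drops it, including any client-supplied copy.
        proxy_set_header HTTPS $upstream_https;
        proxy_set_header Host  $host;
        proxy_pass http://backend;
    }
}

server {
    listen 443 ssl;
    server_name example.org;              # placeholder name
    ssl_certificate     /etc/nginx/ssl/example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.org.key;   # placeholder path

    location / {
        proxy_set_header HTTPS $upstream_https;   # "on" for TLS connections
        proxy_set_header Host  $host;
        proxy_pass http://backend;
    }
}
```

On the backend, the `SetEnvIf HTTPS on HTTPS=on` line from the comment turns the forwarded header into the `HTTPS` environment variable, so the existing `$_SERVER['HTTPS']` check works unchanged.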