$_SERVER['HTTPS'] vs. $_SERVER['HTTP_HTTPS'] nginx
Status: Needs Feedback | Start date: 2011-12-06
Priority: Must have | Due date: (none)
Assignee: Michael Stucki | % Done: (none)
TYPO3 looks for `$_SERVER['HTTPS']`, but nginx's `proxy_set_header HTTPS 1` sets `$_SERVER['HTTP_HTTPS']` instead.
So I think TYPO3 has to check this in t3lib/class.t3lib_div.php on line 4153:

```php
// current check (line 4153): only SSL_SESSION_ID and HTTPS are consulted
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE;

// proposed: additionally accept the HTTP_HTTPS header set by the nginx proxy
// (the reporter's original used && between the two groups, which would require
// both HTTPS and HTTP_HTTPS to be set; || is what the description calls for)
$retVal = $_SERVER['SSL_SESSION_ID']
    || (!strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1'))
    || (!strcasecmp($_SERVER['HTTP_HTTPS'], 'on') || !strcmp($_SERVER['HTTP_HTTPS'], '1')) ? TRUE : FALSE;
```

Something like that, or a smaller solution. ;-)
Related to: Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL check (Rejected, 2011-09-12)
Updated by Michael Stucki over 1 year ago
- Status changed from New to Needs Feedback
- Assignee set to Michael Stucki
Please take a look at the very similar issue #29693.
Although I brought that up myself, I agree meanwhile that it's not a good solution because the header can be forged by a remote user, thus telling the server that the connection is HTTPS when it actually isn't.
Fabrizio Branca brought up a much better solution which is explained in detail on his blog:
- Nginx: Set a header "HTTPS" to "" by default (to override existing headers) or to "on" when running with HTTPS
- Apache: SetEnvIf HTTPS on HTTPS=on
If you agree with such a solution, I would therefore like to close the request. OK with you?
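The nginx side of the approach described in the comment above, as an added example (this is not configuration from the issue, from TYPO3, or from Fabrizio Branca's blog; the upstream name, ports, hostname and certificate paths are assumed). The weak setup the issue started from only adds `proxy_set_header HTTPS 1` in the TLS server block and leaves the plain-HTTP block alone, so a client sending `curl -H 'HTTPS: 1' http://example.com/` gets that header forwarded unchanged and the backend sees `$_SERVER['HTTP_HTTPS'] = 1`. The fix is that every server block that proxies to the backend sets the header itself, so nothing the client sends can survive:

```nginx
# Added example, not from the original issue. Upstream, ports and paths are assumed.
upstream backend {
    server 127.0.0.1:8080;   # assumed: Apache + PHP (TYPO3) behind nginx
}

# Plain HTTP: overwrite whatever HTTPS header the client sent with an empty value.
# nginx drops a proxied header whose value is an empty string, so the backend
# never sees an HTTPS header on a non-TLS request.
server {
    listen 80;
    server_name example.com;                 # assumed
    location / {
        proxy_set_header Host  $host;
        proxy_set_header HTTPS "";
        proxy_pass http://backend;
    }
}

# TLS: the connection to nginx really is HTTPS, so say so to the backend.
# Because nginx replaces the header rather than appending to it, a client
# value is overwritten here as well.
server {
    listen 443 ssl;
    server_name example.com;                 # assumed
    ssl_certificate     /etc/nginx/certs/example.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    location / {
        proxy_set_header Host  $host;
        proxy_set_header HTTPS "on";
        proxy_pass http://backend;
    }
}
```

On the Apache side, `SetEnvIf HTTPS on HTTPS=on` in the backend vhost turns the trusted header into the `HTTPS` environment variable, so PHP's existing `$_SERVER['HTTPS']` check works without consulting `HTTP_HTTPS` at all. To verify the setup, request port 80 with a forged header (`curl -H 'HTTPS: on' http://example.com/`) and confirm that `$_SERVER['HTTPS']` and `$_SERVER['HTTP_HTTPS']` are both unset in the backend, then request port 443 and confirm `$_SERVER['HTTPS']` is `on`. This only holds if the backend is reachable solely through nginx; if port 8080 is exposed, a client can still send the header directly.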