Bug #32341

$_SERVER['HTTPS'] vs. $_SERVER['HTTP_HTTPS'] nginx

Added by Norbert over 10 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Must have
Category: Frontend
Target version: -
Start date: 2011-12-06
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hi,

TYPO3 looks for "$_SERVER['HTTPS']", but nginx's "proxy_set_header HTTPS 1" sets "$_SERVER['HTTP_HTTPS']".

So I think TYPO3 has to check this in t3lib/class.t3lib_div.php on line 4153:

$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE;

Solution:

$retVal = $_SERVER['SSL_SESSION_ID'] || (!strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1')) && (!strcasecmp($_SERVER['HTTP_HTTPS'], 'on') || !strcmp($_SERVER['HTTP_HTTPS'], '1')) ? TRUE : FALSE;

Something like that, or a smaller solution. ;-)

Regards,


Related issues

  • Related to TYPO3 Core - Bug #29693: Respect HTTP_X_FORWARDED_PROTO in SSL check (Rejected, Michael Stucki, 2011-09-12)
  • Related to TYPO3 Core - Bug #81837: SSL mixed content issues in backend when HTTPS server var is not set (Closed, 2017-07-11)
  • Related to TYPO3 Core - Bug #86264: Trusted hosts pattern mismatch with Nginx and HTTP_X_FORWARDED_PORT 443 (Accepted, 2018-09-15)

#1

Updated by Michael Stucki over 10 years ago

  • Status changed from New to Needs Feedback
  • Assignee set to Michael Stucki

Please take a look at the very similar issue #29693.

Although I brought that up myself, I agree meanwhile that it's not a good solution because the header can be forged by a remote user, thus telling the server that the connection is HTTPS when it actually isn't.

Fabrizio Branca brought up a much better solution which is explained in detail on his blog:
http://www.fabrizio-branca.de/nginx-varnish-apache-magento-typo3.html

What you need to do is this:
  • Nginx: Set a header "HTTPS" to "" by default (to override existing headers) or to "on" when running with HTTPS
  • Apache: SetEnvIf HTTPS on HTTPS=on

If you agree about such a solution, I would like to close the request therefore. OK with you?
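
The nginx half of the setup described in comment #1, written out as an added example (not taken from the comment, the linked blog post or TYPO3). The upstream name, host name, backend address and certificate paths are placeholders.

```nginx
# Added example; "backend", example.org, 127.0.0.1:8080 and the
# certificate paths are placeholders, not values from the ticket.
upstream backend {
    server 127.0.0.1:8080;   # Apache/PHP serving TYPO3 (assumed address)
}

# Plain-HTTP entry point.
server {
    listen 80;
    server_name example.org;

    location / {
        # Weak variant: with no proxy_set_header for HTTPS in this block,
        # a request header "HTTPS: on" sent by the client is passed on
        # unchanged and reaches PHP as $_SERVER['HTTP_HTTPS'].
        #
        # Corrected variant: an empty value makes nginx drop the header,
        # so the backend never sees a client-supplied copy.
        proxy_set_header HTTPS "";
        proxy_set_header Host $host;
        proxy_pass http://backend;
    }
}

# TLS entry point: the only place where the header is set to "on".
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/nginx/tls/example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.org.key;   # placeholder path

    location / {
        # proxy_set_header replaces whatever value the client sent.
        proxy_set_header HTTPS on;
        proxy_set_header Host $host;
        proxy_pass http://backend;
    }
}
```

The header is only trustworthy if the backend accepts connections from nginx alone; a client that can reach the backend directly can still send its own HTTPS header.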

#2

Updated by Alexander Opitz almost 9 years ago

  • Status changed from Needs Feedback to Closed

No feedback for over 90 days.

#3

Updated by Sybille Peters almost 5 years ago

  • Related to Bug #81837: SSL mixed content issues in backend when HTTPS server var is not set added

#4

Updated by Susanne Moog over 3 years ago

  • Related to Bug #86264: Trusted hosts pattern mismatch with Nginx and HTTP_X_FORWARDED_PORT 443 added
