Bug #32341
closed
$_SERVER['HTTPS'] vs. $_SERVER['HTTP_HTTPS'] nginx
Description
Hi,
TYPO3 looks for "$_SERVER['HTTPS']", but nginx's "proxy_set_header HTTPS 1" sets "$_SERVER['HTTP_HTTPS']".
So I think TYPO3 has to check this in t3lib/class.t3lib_div.php on line 4153:
$retVal = $_SERVER['SSL_SESSION_ID'] || !strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1') ? TRUE : FALSE;
Solution:
$retVal = $_SERVER['SSL_SESSION_ID'] || (!strcasecmp($_SERVER['HTTPS'], 'on') || !strcmp($_SERVER['HTTPS'], '1')) && (!strcasecmp($_SERVER['HTTP_HTTPS'], 'on') || !strcmp($_SERVER['HTTP_HTTPS'], '1')) ? TRUE : FALSE;
Something like that, or a smaller solution. ;-)
Regards,
Updated by Michael Stucki almost 13 years ago
- Status changed from New to Needs Feedback
- Assignee set to Michael Stucki
Please take a look at the very similar issue #29693.
Although I brought that up myself, I agree meanwhile that it's not a good solution because the header can be forged by a remote user, thus telling the server that the connection is HTTPS when it actually isn't.
Fabrizio Branca brought up a much better solution which is explained in detail on his blog:
http://www.fabrizio-branca.de/nginx-varnish-apache-magento-typo3.html
- Nginx: Set a header "HTTPS" to "" by default (to override existing headers) or to "on" when running with HTTPS
- Apache: SetEnvIf HTTPS on HTTPS=on
If you agree about such a solution, I would like to close the request therefore. OK with you?
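The nginx side of the approach described in the comment above, sketched as an added example; it is not taken from the thread or from the linked blog post. The server name, certificate paths, backend address and the variable name `$forwarded_https` are placeholders.

```nginx
# Goes in the http {} context. Derive the header value from the scheme nginx
# itself saw on the incoming connection, never from anything the client sent.
map $scheme $forwarded_https {
    default "";      # plain HTTP: empty value
    https   "on";    # TLS terminated by this nginx
}

server {
    listen 80;
    listen 443 ssl;
    server_name example.org;                              # placeholder
    ssl_certificate     /etc/nginx/tls/example.org.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/example.org.key;   # placeholder

    location / {
        # proxy_set_header redefines the "HTTPS" request header for the
        # backend, so a client-supplied "HTTPS: on" is not passed through.
        # When the value is an empty string, nginx does not send the header
        # at all, which is what plain-HTTP requests get here.
        proxy_set_header HTTPS $forwarded_https;
        proxy_set_header Host  $host;

        # Placeholder backend (the Apache instance with
        # "SetEnvIf HTTPS on HTTPS=on"). It must only be reachable through
        # this proxy; a client that can connect to it directly can still
        # send its own HTTPS header.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

With this in place the application keeps reading `$_SERVER['HTTPS']` as before and never has to consult the client-controlled `$_SERVER['HTTP_HTTPS']`.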
Updated by Alexander Opitz over 11 years ago
- Status changed from Needs Feedback to Closed
No feedback for over 90 days.
Updated by Sybille Peters over 7 years ago
- Related to Bug #81837: SSL mixed content issues in backend when HTTPS server var is not set added
Updated by Susanne Moog about 6 years ago
- Related to Bug #86264: Trusted hosts pattern mismatch with Nginx and HTTP_X_FORWARDED_PORT 443 added