Bug #81837
closed
SSL mixed content issues in backend when HTTPS server var is not set
100%
Description
Using SSL in the backend of Typo3 8.7.x is causing mixed content errors in javascript when the $_SERVER['HTTPS'] variable is not available. As a result, the Install tool is not accessible anymore and you can't use the close button when editting a record. Somehow the form action reverts to http:// even while everything else is in https. However, if you open the right panel (list) in a new browser window, everything is fine and it does work.
The cause of the problem is that $_SERVER['HTTPS'] is hardcoded in the TYPO3_SSL and if this check fails (in our case because we don't have the HTTPS server variable but we are using a custom variable X-ClientHTTPS) some scripts revert to http (like FormEngine.js which somewhere seems to change your https URL to http) .
See line 3016 in GeneralUtility):
case 'TYPO3_SSL':
$proxySSL = trim($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL']);
if ($proxySSL === '*') {
$proxySSL = $GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'];
}
if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
$retVal = true;
} else {
$retVal = $_SERVER['SSL_SESSION_ID'] || strtolower($_SERVER['HTTPS']) === 'on' || (string)$_SERVER['HTTPS'] === '1';
}
break;
Setting "lockSSL" to true causes an endless loop as our server is already configured for https, but because the TYPO3_SSL returns false (see above) it assumes you are still in http and thus it redirects.
We fixed it by setting the variable based on our own variable using .htaccess, but better solution would be to make the server variable configurable, so it is possible to use your own variable in the TYPO3_SSL check.
Our fix:
RewriteCond "%{HTTP:X-ClientHTTPS}" 1
RewriteRule .* - [E=HTTPS:on]
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by