• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Not a bug Detecting HTTPS

semprot

Active member
#1
File :
Code:
/library/Zend/Controller/Request/Http.php
line 1013

PHP:
/**
     * Get the request URI scheme
     *
     * @return string
     */
    public function getScheme()
    {
        return ($this->getServer('HTTPS') == 'on') ? self::SCHEME_HTTPS : self::SCHEME_HTTP;
    }
When using https, on certain condition, _SERVER['HTTPS'] does not exist, even my _SERVER["SERVER_PORT"] is 80 (not 443).
I use:
  • cloudflare flexible SSL (maybe this is why 'HTTPS' does not exist').
  • litespeed.

Solution :
You also should consider to check _SERVER["HTTP_X_FORWARDED_PROTO"]

On https :
_SERVER["HTTP_X_FORWARDED_PROTO"] => 'https'

On http :
_SERVER["HTTP_X_FORWARDED_PROTO"] => 'http'

Solution in code :
PHP:
/**
     * Get the request URI scheme
     *
     * @return string
     */
    public function getScheme()
    {
        if ($this->getServer('HTTPS') == 'on') {
            return self::SCHEME_HTTPS;
        }
        if ($this->getServer('SERVER_PORT') == '443') {
            return self::SCHEME_HTTPS;
        }
        if (strtolower($this->getServer('HTTP_X_FORWARDED_PROTO')) == 'https') {
            return self::SCHEME_HTTPS;
        }
        return self::SCHEME_HTTP;
    }
 

Mike

XenForo developer
Staff member
#2
Those aren't strictly reliable. The HTTPS environment/server variable is what should be set.

In your particular case, the site isn't actually being accessed via SSL which is thus what is being picked up.
 

semprot

Active member
#3
Those aren't strictly reliable. The HTTPS environment/server variable is what should be set.

In your particular case, the site isn't actually being accessed via SSL which is thus what is being picked up.
In the browser, i still use https, although it is not a real SSL cert.
 
#4
Same problem happens when SSL is terminated at a load balancer like an F5. Is there a way to implement this without hacking the Zend http request class?
 

digitalpoint

Well-known member
#6
Even better (and more secure) would be to use at least a self-signed SSL certificate on your server and set CloudFlare's SSL settings to Full (or Strict if you have a valid SSL cert from a signing authority).

Using CloudFlare's "Flexible" SSL setting does not encrypt traffic between your server and CloudFlare.

upload_2015-4-3_12-40-35.png

Full SSL (strict): Encrypts the connection between your site visitors and CloudFlare, and from CloudFlare to your server.

Full SSL:
Encrypts the connection between your site visitors and CloudFlare, and from CloudFlare to your server. The difference between Full and Full (Strict) is that Full (Strict) checks for a valid certificate on your origin server, whereas Full checks for any certificate.

Flexible SSL:
There is an encrypted connection between your site visitors and CloudFlare, but not from CloudFlare to your server.
Tricking your server into thinking it's using HTTPS via config file is possible, but I'd still recommend actually *using* SSL if possible (simply for security's sake).