Not a Bug Detecting HTTPS

Discussion in 'Resolved Bug Reports' started by semprot, Jan 6, 2015.

  1. semprot

    semprot Active Member

    File :
    Code:
    /library/Zend/Controller/Request/Http.php
    
    line 1013

    PHP:
    /**
     * Get the request URI scheme
     *
     * @return string
     */
    public function getScheme()
    {
        return ($this->getServer('HTTPS') == 'on') ? self::SCHEME_HTTPS : self::SCHEME_HTTP;
    }
    When using https, under certain conditions, _SERVER['HTTPS'] does not exist, and even my _SERVER["SERVER_PORT"] is 80 (not 443).
    I use:
    • Cloudflare flexible SSL (maybe this is why 'HTTPS' does not exist).
    • LiteSpeed.

    Solution :
    You should also consider checking _SERVER["HTTP_X_FORWARDED_PROTO"]

    On https :
    _SERVER["HTTP_X_FORWARDED_PROTO"] => 'https'

    On http :
    _SERVER["HTTP_X_FORWARDED_PROTO"] => 'http'

    Solution in code :
    PHP:
    /**
     * Get the request URI scheme
     *
     * @return string
     */
    public function getScheme()
    {
        if ($this->getServer('HTTPS') == 'on') {
            return self::SCHEME_HTTPS;
        }
        if ($this->getServer('SERVER_PORT') == '443') {
            return self::SCHEME_HTTPS;
        }
        if (strtolower($this->getServer('HTTP_X_FORWARDED_PROTO')) == 'https') {
            return self::SCHEME_HTTPS;
        }
        return self::SCHEME_HTTP;
    }
     
  2. Mike

    Mike XenForo Developer Staff Member

    Those aren't strictly reliable. The HTTPS environment/server variable is what should be set.

    In your particular case, the site isn't actually being accessed via SSL which is thus what is being picked up.
     
    Tracy Perry likes this.
  3. semprot

    semprot Active Member

    In the browser, I still use https, although it is not a real SSL cert.
     
  4. Erik P.

    Erik P. Member

    Same problem happens when SSL is terminated at a load balancer like an F5. Is there a way to implement this without hacking the Zend http request class?
     
  5. Jeremy P

    Jeremy P Well-Known Member

    Couldn't you just stick something like...
    PHP:
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
    ...in your config.php?
     
    semprot and Erik P. like this.
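
X-Forwarded-Proto is an ordinary request header, so a config.php override like the one in the post above is only sound when the request really arrived through the proxy. The following is an added example (not part of the thread, and not XenForo or Zend code) that sets HTTPS only when the connecting peer is in a trusted proxy list; `TRUSTED_PROXIES`, `ipInCidr()` and `requestIsHttps()` are hypothetical names, and the ranges shown are documentation placeholders.

```php
<?php
// Added example, not from the thread. Placeholder documentation ranges (assumption):
// replace with the addresses your CDN or load balancer connects from.
const TRUSTED_PROXIES = ['203.0.113.0/24', '2001:db8::/32'];

/** True when $ip lies inside the CIDR block $cidr (IPv4 or IPv6). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits ?? (string) $max; // no prefix length means a single host
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length
    }
    $whole = intdiv((int) $bits, 8);
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rem = (int) $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Was the client's request HTTPS? $server is a $_SERVER-style array. */
function requestIsHttps(array $server, array $trusted = TRUSTED_PROXIES): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true; // the web server itself terminated TLS
    }
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($trusted as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
        }
    }
    return false; // direct or unknown peer: the header is client-supplied, ignore it
}

if (requestIsHttps($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}
```

This only tells the application which scheme the visitor's browser used; it does not encrypt the hop between the proxy and the origin server.
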
  6. digitalpoint

    digitalpoint Well-Known Member

    Even better (and more secure) would be to use at least a self-signed SSL certificate on your server and set CloudFlare's SSL settings to Full (or Strict if you have a valid SSL cert from a signing authority).

    Using CloudFlare's "Flexible" SSL setting does not encrypt traffic between your server and CloudFlare.

    Tricking your server into thinking it's using HTTPS via config file is possible, but I'd still recommend actually *using* SSL if possible (simply for security's sake).
     