diff --git a/control/Director.php b/control/Director.php index 2648c541f..eaa49dace 100644 --- a/control/Director.php +++ b/control/Director.php @@ -414,11 +414,22 @@ class Director implements TemplateGlobalProvider { * @return String */ public static function protocol() { - if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])&&strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])=='https') { - return "https://"; + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') { + // Convention for (non-standard) proxy signaling a HTTPS forward, + // see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields + return 'https://'; + } else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') { + // Less conventional proxy header + return 'https://'; + } else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') { + // Microsoft proxy convention: https://support.microsoft.com/?kbID=307347 + return 'https://'; + } else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) { + return 'https://'; + } else if (isset($_SERVER['SSL'])) { + return 'https://'; } - return (isset($_SERVER['SSL']) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) - ? 'https://' : 'http://'; + return 'http://'; } /** diff --git a/control/HTTP.php b/control/HTTP.php index e400c97db..0aa16607e 100644 --- a/control/HTTP.php +++ b/control/HTTP.php @@ -343,7 +343,7 @@ class HTTP { // By also using and etag that includes both the modification date and all the varies // values which we also check against we can catch this and not return a 304 $etagParts = array(self::$modification_date, serialize($_COOKIE)); - if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) $etagParts[] = $_SERVER['HTTP_X_FORWARDED_PROTOCOL']; + $etagParts[] = Director::protocol(); if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT']; if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT']; diff --git a/core/startup/ParameterConfirmationToken.php b/core/startup/ParameterConfirmationToken.php index 081b3d664..2768661ac 100644 --- a/core/startup/ParameterConfirmationToken.php +++ b/core/startup/ParameterConfirmationToken.php @@ -76,16 +76,24 @@ class ParameterConfirmationToken { protected function currentAbsoluteURL() { global $url; - // Are we http or https? - $proto = 'http'; - - if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) { - if(strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') $proto = 'https'; + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') { + // Convention for (non-standard) proxy signaling a HTTPS forward, + // see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields + $proto = 'https'; + } else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') { + // Less conventional proxy header + $proto = 'https'; + } else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') { + // Microsoft proxy convention: https://support.microsoft.com/?kbID=307347 + $proto = 'https'; + } else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) { + $proto = 'https'; + } else if (isset($_SERVER['SSL'])) { + $proto = 'https'; + } else { + $proto = 'http'; } - if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) $proto = 'https'; - if(isset($_SERVER['SSL'])) $proto = 'https'; - $parts = array_filter(array( // What's our host $_SERVER['HTTP_HOST'],