mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
API Fix HTTPS proxy header detection (Same as #3152)
Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS. Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER. References: - https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header - https://drupal.org/node/1859252 - https://drupal.org/node/313145 - http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
This commit is contained in:
parent
1661213e5b
commit
b3407abe4b
@ -414,11 +414,22 @@ class Director implements TemplateGlobalProvider {
|
|||||||
* @return String
|
* @return String
|
||||||
*/
|
*/
|
||||||
public static function protocol() {
|
public static function protocol() {
|
||||||
if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])&&strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])=='https') {
|
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
|
||||||
return "https://";
|
// Convention for (non-standard) proxy signaling a HTTPS forward,
|
||||||
|
// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
|
||||||
|
return 'https://';
|
||||||
|
} else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
|
||||||
|
// Less conventional proxy header
|
||||||
|
return 'https://';
|
||||||
|
} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
|
||||||
|
// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
|
||||||
|
return 'https://';
|
||||||
|
} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
|
||||||
|
return 'https://';
|
||||||
|
} else if (isset($_SERVER['SSL'])) {
|
||||||
|
return 'https://';
|
||||||
}
|
}
|
||||||
return (isset($_SERVER['SSL']) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off'))
|
return 'http://';
|
||||||
? 'https://' : 'http://';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -343,7 +343,7 @@ class HTTP {
|
|||||||
// By also using and etag that includes both the modification date and all the varies
|
// By also using and etag that includes both the modification date and all the varies
|
||||||
// values which we also check against we can catch this and not return a 304
|
// values which we also check against we can catch this and not return a 304
|
||||||
$etagParts = array(self::$modification_date, serialize($_COOKIE));
|
$etagParts = array(self::$modification_date, serialize($_COOKIE));
|
||||||
if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) $etagParts[] = $_SERVER['HTTP_X_FORWARDED_PROTOCOL'];
|
$etagParts[] = Director::protocol();
|
||||||
if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
|
if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
|
||||||
if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT'];
|
if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT'];
|
||||||
|
|
||||||
|
@ -76,16 +76,24 @@ class ParameterConfirmationToken {
|
|||||||
protected function currentAbsoluteURL() {
|
protected function currentAbsoluteURL() {
|
||||||
global $url;
|
global $url;
|
||||||
|
|
||||||
// Are we http or https?
|
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
|
||||||
|
// Convention for (non-standard) proxy signaling a HTTPS forward,
|
||||||
|
// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
|
||||||
|
$proto = 'https';
|
||||||
|
} else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
|
||||||
|
// Less conventional proxy header
|
||||||
|
$proto = 'https';
|
||||||
|
} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
|
||||||
|
// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
|
||||||
|
$proto = 'https';
|
||||||
|
} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
|
||||||
|
$proto = 'https';
|
||||||
|
} else if (isset($_SERVER['SSL'])) {
|
||||||
|
$proto = 'https';
|
||||||
|
} else {
|
||||||
$proto = 'http';
|
$proto = 'http';
|
||||||
|
|
||||||
if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) {
|
|
||||||
if(strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') $proto = 'https';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) $proto = 'https';
|
|
||||||
if(isset($_SERVER['SSL'])) $proto = 'https';
|
|
||||||
|
|
||||||
$parts = array_filter(array(
|
$parts = array_filter(array(
|
||||||
// What's our host
|
// What's our host
|
||||||
$_SERVER['HTTP_HOST'],
|
$_SERVER['HTTP_HOST'],
|
||||||
|
Loading…
Reference in New Issue
Block a user