API Fix HTTPS proxy header detection (Same as #3152)

Didn't use the de facto standard HTTP_X_FORWARDED_PROTO or the less standard HTTP_FRONT_END_HTTPS.
Removed the 'X-Forwarded-Proto', since PHP should prefix/underscore all HTTP headers before it hits $_SERVER.

References:
- https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
- https://drupal.org/node/1859252
- https://drupal.org/node/313145
- http://scottwb.com/blog/2013/02/06/always-on-https-with-rails-behind-an-elb/
This commit is contained in:
Stephen Shkardoon 2014-11-25 03:21:36 +13:00
parent 1661213e5b
commit b3407abe4b
3 changed files with 32 additions and 13 deletions

View File

@ -414,11 +414,22 @@ class Director implements TemplateGlobalProvider {
* @return String * @return String
*/ */
public static function protocol() { public static function protocol() {
if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])&&strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])=='https') { if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
return "https://"; // Convention for (non-standard) proxy signaling a HTTPS forward,
// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
return 'https://';
} else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
// Less conventional proxy header
return 'https://';
} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
return 'https://';
} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
return 'https://';
} else if (isset($_SERVER['SSL'])) {
return 'https://';
} }
return (isset($_SERVER['SSL']) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) return 'http://';
? 'https://' : 'http://';
} }
/** /**

View File

@ -343,7 +343,7 @@ class HTTP {
// By also using and etag that includes both the modification date and all the varies // By also using and etag that includes both the modification date and all the varies
// values which we also check against we can catch this and not return a 304 // values which we also check against we can catch this and not return a 304
$etagParts = array(self::$modification_date, serialize($_COOKIE)); $etagParts = array(self::$modification_date, serialize($_COOKIE));
if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) $etagParts[] = $_SERVER['HTTP_X_FORWARDED_PROTOCOL']; $etagParts[] = Director::protocol();
if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT']; if (isset($_SERVER['HTTP_USER_AGENT'])) $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT']; if (isset($_SERVER['HTTP_ACCEPT'])) $etagParts[] = $_SERVER['HTTP_ACCEPT'];

View File

@ -76,16 +76,24 @@ class ParameterConfirmationToken {
protected function currentAbsoluteURL() { protected function currentAbsoluteURL() {
global $url; global $url;
// Are we http or https? if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https') {
$proto = 'http'; // Convention for (non-standard) proxy signaling a HTTPS forward,
// see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
if(isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) { $proto = 'https';
if(strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') $proto = 'https'; } else if (isset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTOCOL']) == 'https') {
// Less conventional proxy header
$proto = 'https';
} else if (isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on') {
// Microsoft proxy convention: https://support.microsoft.com/?kbID=307347
$proto = 'https';
} else if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) {
$proto = 'https';
} else if (isset($_SERVER['SSL'])) {
$proto = 'https';
} else {
$proto = 'http';
} }
if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')) $proto = 'https';
if(isset($_SERVER['SSL'])) $proto = 'https';
$parts = array_filter(array( $parts = array_filter(array(
// What's our host // What's our host
$_SERVER['HTTP_HOST'], $_SERVER['HTTP_HOST'],