Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#1116] - Improved SSL (https) detection

Failure

User tests: Successful: Unsuccessful:

avatar ghost
ghost
8 May 2013

Tracker item: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30885

Some SSL (https) servers/setups do not have the $_SERVER['HTTPS'] variable to on.
But they do have a $_SERVER['HTTP_X_FORWARDED_PROTO'] value set to 'https'.

See for more details: puma/puma#200

This PR adds a check for that variable to the isSSLConnection method.
It also adds a few more checks and makes the whole thing more solid.

Also I have replaced some inline checks in other code to use this isSSLConnection method instead (= DRY).

Test instructions

Test if the different JUri methods and other functionalities that rely on SSL still work. And more-so if they now work on setups that use that HTTP_X_FORWARDED_PROTO var.

Things you can check (on SLL urls):

<?php
$uri = JUri::getInstance();
echo '<p>JUri Scheme = ' . $uri->toString(array('scheme')) . '</p>' . "\n"; // should be 'https://'
echo '<p>JUri Root = ' . JUri::root() . '</p>' . "\n"; // should start with 'https://'
echo '<p>isSSLConnection = ' . (JFactory::getApplication()->isSSLConnection() ? 'true' : 'false') . '</p>' . "\n"; // should be 'true'
?>
avatar nonumber nonumber - open - 8 May 2013
avatar nicksavov
nicksavov - comment - 8 May 2013

Thanks for coding this, Peter!

For anyone interested, here's the tracker item for it:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30885

avatar nonumber
nonumber - comment - 25 Jun 2013

Not sure how to fix the test. It is failing because the code is calling JFactory::getApplication()->isSSLConnection() which should work. So something missing in the test suite.

avatar nonumber nonumber - close - 4 Oct 2013
avatar nonumber nonumber - head_ref_deleted - 4 Oct 2013
avatar xtech86
xtech86 - comment - 30 Dec 2014

Is there any update on this?

A few hosts are now starting to use this protocol more to reduce down time with IP changes. I've had to manually hack files to apply this, which is bad. But without it the site will not function under https.

Thanks
Tony

avatar nonumber
nonumber - comment - 30 Dec 2014

See :http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30885

Please close as there seems to be no interest in this.

avatar xtech86
xtech86 - comment - 30 Dec 2014

I saw that, but was hoping it was prior to the git repo.

I have been able to restore the files and come up with a workaround using:

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

However, this is a global setup. In the ideal world Joomla! would support this because Cloudflare and hosts like tsohost use the HTTP:X-Forwarded-Proto protocol.

As we all know, Joomla! want's to become easier to use. Having to implement .htaccess rewrite rules to an average user is not easy when we can implement a solution at the core level.

avatar brianteeman
brianteeman - comment - 30 Dec 2014

What issue are you having with cloudflare? I use them with https on my
personal site and havent seen any issues

On 30 December 2014 at 11:05, Tony Partridge notifications@github.com
wrote:

I saw that, but was hoping it was prior to the git repo.

I have been able to restore the files and come up with a workaround using:

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

However, this is a global setup. In the ideal world Joomla! would support
this because Cloudflare and hosts like tsohost use the
HTTP:X-Forwarded-Proto protocol.

As we all know, Joomla! want's to become easier to use. Having to
implement .htaccess rewrite rules to an average user is not easy when we
can implement a solution at the core level.


Reply to this email directly or view it on GitHub
#1116 (comment).

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar xtech86
xtech86 - comment - 30 Dec 2014

Cloudflare works perfectly fine if your own site has SSL installed.

But many budget users who are just using the new Cloudflare flexible ssl have issues as the server doesn't have a valid SSL if you force SSL it goes into a redirect loop as it's looking for the server https, not the forwarded-proto.

If we use the HTTP:X-Forwarded-Proto to detect it's coming from SSL we can avoid the redirect loop and have a fully functioning site.

avatar brianteeman
brianteeman - comment - 30 Dec 2014

I am really not convinced about their flexible ssl but thats a different
issue

I suggest you open a NEW issue as Peter closed this one and removed his
pull request

On 30 December 2014 at 11:32, Tony Partridge notifications@github.com
wrote:

Cloudflare works perfectly fine if your own site has SSL installed.

But many budget users who are just using the new Cloudflare flexible ssl
have issues as the server doesn't have a valid SSL if you force SSL it goes
into a redirect loop as it's looking for the server https, not the
forwarded-proto.

If we use the HTTP:X-Forwarded-Proto to detect it's coming from SSL we can
avoid the redirect loop and have a fully functioning site.


Reply to this email directly or view it on GitHub
#1116 (comment).

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar xtech86
xtech86 - comment - 30 Dec 2014

Thanks Brian, Now done:
#5561

Add a Comment

Login with GitHub to post a comment