Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#9756] - Joomla fallback to HTTP instead of HTTPS on NLB with empty live_site variable

J3 Issue ?
Referenced as Duplicate of: # 10086
avatar VELUX-eBusiness
VELUX-eBusiness
6 Apr 2016

Steps to reproduce the issue

  1. must have NLB
  2. make $live_site variable empty in the configuration.php
  3. check JUri::base() - it will return http:// as $_SERVER['https'] is not defined even by accessing the site via https protocol

Expected result

Joomla should correctly define http/https via NLB. Change JURi::base() to detect HTTPS by using HTTP_X_FORWARDED_PROTO instead.

Actual result

On NLB apache returns $_REQUEST[https] empty,by having live_site configuration variable not setted, fallback to the http protocol on https site.

System information (as much as possible)

PHP Built On Linux 3.0.101-0.47.71-default #1 SMP Thu Nov 12 12:22:22 UTC 2015 (b5b212e) x86_64
Database Version 5.5.47
PHP Version 5.3.17
Web Server Apache/2.2.12 (Linux/SUSE) PHP/5.3.17
WebServer to PHP Interface apache2handler
Joomla! Version Joomla! 3.4.6 Stable [ Ember ] 15-December-2015 11:11 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT

avatar VELUX-eBusiness VELUX-eBusiness - open - 6 Apr 2016
avatar brianteeman
brianteeman - comment - 6 Apr 2016

Excuse my ignorance - what is NLB?

avatar brianteeman brianteeman - change - 6 Apr 2016
Labels Added: ?
avatar VELUX-eBusiness
VELUX-eBusiness - comment - 6 Apr 2016

Hi Brian! Sorry for missed details. NLB is a Network Load Balancer.
http://stackoverflow.com/questions/11650640/why-isnt-serverhttps-set-to-1 here are some similar issues.
I think this part of the code fallback to the HTTP even if you are in HTTPS
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/uri/uri.php#L65-L67

avatar VELUX-eBusiness
VELUX-eBusiness - comment - 6 Apr 2016

Oh! I have just found this - exactly the same issue and looks like still not resolved
https://developer.joomla.org/joomlacode-archive/issue-30885.html

avatar brianteeman
brianteeman - comment - 6 Apr 2016

Following all the links from there takes me to
#5562

avatar brianteeman brianteeman - change - 13 Apr 2016
Category Libraries Router / SEF
avatar PhilETaylor
PhilETaylor - comment - 19 May 2016

Basically the SSL is terminated at the load balancer, (The load balancer holds the SSL Certificate and intercepts all traffic on https/443 and then acts as a proxy to the webserver on http/80) and then all traffic from the load balancer to the web server is NOT https (and therefor theoretically insecure data passed over a network from the load balancer to the web server) as the web server is running Joomla on standard http/80

Seen this repeatedly over the years

avatar PhilETaylor
PhilETaylor - comment - 19 May 2016

Theoretically its an easy fix - but one that takes a lot of set up (network wise) to replicate, debug, and code for all cases, and a one that takes a lot of testing, for all known use case scenarios...

avatar joomla-cms-bot joomla-cms-bot - change - 5 Mar 2017
The description was changed
avatar joomla-cms-bot joomla-cms-bot - edited - 5 Mar 2017
avatar feltkamptv
feltkamptv - comment - 5 Mar 2017

This is still an issue! I have now fixed this by just bluntly adding $_SERVER['HTTPS'] = 'on'; in the main index.php file, because all traffic is forced to SSL anyways, but I am waiting for a solution!

I have my Joomla CMS on Amazon Elastic Beanstalk with PHP 7.0...

avatar franz-wohlkoenig franz-wohlkoenig - change - 6 Apr 2017
Status New Needs Review
avatar rdeutz rdeutz - change - 13 Nov 2017
Status Needs Review Pending
avatar westerterp
westerterp - comment - 20 Mar 2018

Is there any progress on this?
I am also having this issue (being behind a loadbalancer that offloads SSL, but I'm not on AWS).
My current workaround is placing $_SERVER['https'] = 'on'; at the top of my index.php but that solution might break after an update.

Any update would be much appreciated!

avatar brianteeman brianteeman - change - 25 Mar 2018
Labels Added: J3 Issue
avatar brianteeman brianteeman - labeled - 25 Mar 2018
avatar westerterp
westerterp - comment - 17 May 2018

I've made a commit to joomla-framework/application (joomla-framework/application#82), which should resolve this.

Does someone know of any more places this should be fixed?
I was thinking about https://github.com/joomla-framework/uri/blob/master/src/AbstractUri.php -> isSSL(), but i don't know if it should be changed there.

avatar mbabker
mbabker - comment - 17 May 2018

The Uri object shouldn't be changed. That should be reporting the state of the URI which the object represents, not the global request.

avatar joomla-cms-bot joomla-cms-bot - change - 22 May 2019
Closed_By alikon joomla-cms-bot
Labels
avatar joomla-cms-bot joomla-cms-bot - close - 22 May 2019
avatar alikon alikon - change - 22 May 2019
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2019-05-22 10:33:06
Closed_By alikon
Labels
avatar joomla-cms-bot
joomla-cms-bot - comment - 22 May 2019

Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/9756

avatar alikon
alikon - comment - 22 May 2019

closing as joomla-framework/application#82 has been merged

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/9756.

avatar alikon
alikon - comment - 22 May 2019

closing as joomla-framework/application#82 has been merged

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/9756.

Add a Comment

Login with GitHub to post a comment