Update uri.php #8690
Conversation
Added additional validation code to support reverse proxies. Without this additional validation, a Joomla site set to force SSL on the entire site will go into an infinite redirect loop because the reverse proxy is sending the information to confirm SSL in the $_SERVER variable key 'HTTP_X_FORWARDED_PROTO', not the key 'HTTPS'.
@bpeterson69 will you fix this PR?

I believe I have fixed the PR.

What do I need to do to get this patch moved into the base branch?
The reason behind the PR is to prevent client browsers going into an infinite redirect loop when Joomla is set to require SSL. The problem presents itself when Apache is configured as a reverse proxy (Apple is deploying Apache as a reverse proxy in Server 5.0.15 and later). The $_SERVER array that Apache returns in this case does not have the key 'HTTPS'. The patch adds additional sanity checking to validate against a different key in the $_SERVER array (the key is 'HTTP_X_FORWARDED_PROTO') to prevent an infinite redirect loop. The way the problem manifests itself is as follows:

The reason you get this error is that the current version of uri.php checks the value of $_SERVER['HTTPS'] to verify whether the client is connecting via SSL. Here is what essentially happens at this point: the user loads the website; it doesn't matter if it is HTTPS or HTTP. The uri.php file checks the variable $_SERVER['HTTPS'] to validate whether the user has arrived at the site over SSL or not. Since the $_SERVER array does not have the key 'HTTPS', uri.php decides that the user has not arrived via HTTPS and forces the user to reload the page over SSL. Again, the $_SERVER array does not have the key 'HTTPS', so again Joomla assumes the user has not arrived via HTTPS and does the redirect again. This continues until the browser gives up and gives the error "Too many redirects".

The patch I have created leaves the original code in place for the validation of $_SERVER['HTTPS']. It adds additional validation against the key the reverse proxy is returning in the $_SERVER array that indicates SSL or not. You can look at the contents of the $_SERVER array in the comment I made on Dec 22. I have received reports that Cloudflare uses a reverse proxy as well and this patch resolves the issue. Please let me know if you need more information.
Here are two messages I received on the patch (not sure why they aren't listed here).
Those comments are on your older issue #7916.

On 27 October 2016 at 00:02, bpeterson69 notifications@github.com wrote:

Brian Teeman
Is this the same thing as https://www.simbunch.com/products/free-extensions/cloudflare-for-joomla
I was asking if the issue was the same, more than whether the solution is the same. But I have not installed it etc. It's late, but here you are.

On 27 October 2016 at 00:08, Phil Taylor notifications@github.com wrote:

Brian Teeman
I understand the concern. In this case, not implementing the patch protects people from creating a security issue that they may not be aware of if they don't deploy it properly.
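The redirect loop described in the thread comes from the check reading only $_SERVER['HTTPS']; honouring HTTP_X_FORWARDED_PROTO stops the loop, but, as the comment above notes, it is only safe if deployed properly, because any client can send an X-Forwarded-Proto header itself and a naive check would then treat a plain-HTTP request as SSL. The following is an added example written for this page, not the PR's patch and not Joomla's uri.php. It keeps the original HTTPS check and honours the forwarded header only when the direct peer (REMOTE_ADDR) is in a list of trusted proxy addresses. The function name requestIsHttps, the $trustedProxies parameter and the sample $_SERVER arrays are assumptions made for this example; Joomla has no such configuration key.

```php
<?php
// Added example, not Joomla code: decide whether a request arrived over HTTPS
// when PHP may be running behind a reverse proxy that terminates TLS.
//
// $server is an array shaped like PHP's $_SERVER.
// $trustedProxies is a list of proxy IP addresses (an assumption for this
// example) whose X-Forwarded-Proto header may be believed. For any other peer
// the header is client-controlled and must be ignored, otherwise a plain-HTTP
// client could claim "https" and the force-SSL redirect would be skipped.
function requestIsHttps(array $server, array $trustedProxies = []): bool
{
    // Original style of check: the web server terminated TLS itself.
    if (isset($server['HTTPS'])
        && $server['HTTPS'] !== ''
        && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Proxy-supplied hint. Only honour it when the direct peer is a known proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // A chain of proxies may append values ("https, http"). The first value is
    // the one set by the outermost hop; trusting it assumes every hop in the
    // chain is one of ours, which this example takes as given.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $proto)[0]));

    return $first === 'https';
}

// Constructed sample $_SERVER arrays for demonstration, not captured from a host.
$behindTrustedProxy = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$spoofedByClient = [
    'REMOTE_ADDR'            => '203.0.113.9',   // not a proxy we know
    'HTTP_X_FORWARDED_PROTO' => 'https',         // header forged by the client
];
$directTls = [
    'REMOTE_ADDR' => '203.0.113.9',
    'HTTPS'       => 'on',
];
$plainHttp = [
    'REMOTE_ADDR' => '203.0.113.9',
];

$trusted = ['10.0.0.5'];

foreach (['behind trusted proxy' => $behindTrustedProxy,
          'header spoofed by client' => $spoofedByClient,
          'direct TLS' => $directTls,
          'plain HTTP' => $plainHttp] as $label => $srv) {
    $https = requestIsHttps($srv, $trusted);
    // A force-SSL site would redirect exactly when $https is false.
    printf("%-26s https=%s redirect=%s\n",
        $label, $https ? 'yes' : 'no', $https ? 'no' : 'yes');
}
```

The trusted-proxy list is what separates the fix from the concern raised above: with it, the forwarded header cannot be used by an arbitrary client to bypass the SSL requirement, and the loop still disappears for requests that really came through the proxy.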
I have tested this item ✅ successfully on af3aad6 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8690.
Would this be better deployed in a plugin similar to the cloudflare plugin? That plugin could be modified very easily to cover the $_SERVER key "HTTP_X_FORWARDED_PROTO".

RTC
* Update uri.php

  Added additional validation code to support reverse proxies. Without this additional validation, a Joomla site set to force SSL on the entire site will go into an infinite redirect loop because the reverse proxy is sending the information to confirm SSL in the $_SERVER variable key 'HTTP_X_FORWARDED_PROTO', not the key 'HTTPS'.

* Update uri.php
* Update uri.php
* Update uri.php
* Update uri.php