Support https behind reverse proxies (HTTP_X_FORWARDED_PROTO) #37

Closed
GoogleCodeExporter opened this issue Jul 6, 2015 · 3 comments

@GoogleCodeExporter

Suppose you use a reverse proxy to dispatch requests to different servers and 
suppose that your site uses https. Then the dispatcher needs to forward the 
request and the information about the protocol gets lost. On the server behind 
the dispatcher $_SERVER['HTTPS'] is empty.

To solve this issue it looks like an established convention that site 
administrators that need reverse proxies and https in their server setup 
introduce the server variable HTTP_X_FORWARDED_PROTO to make the 'real' 
protocol of the client visible to the servers behind the proxy. If you would 
substitute line 73


$this->trustRoot = ((empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') ? 'http' : 'https') . '://' . $_SERVER['HTTP_HOST'];


with the following code:


        if(!empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
            $this->trustRoot = 'https://'.$_SERVER['HTTP_HOST'];
        } else {
            $this->trustRoot = 'http://'.$_SERVER['HTTP_HOST'];
        }

then lightopenid can be used behind reverse proxies and with https.
Just setting the realm/trustRoot manually using the api did not work for me as 
then the validate method failed. If there is a better way to go, please tell me.

Best regards and thanks for providing this library
Silvan

Original issue reported on code.google.com by silvango...@gmail.com on 20 Apr 2011 at 9:44
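
Added example (not part of the original issue or of lightopenid): X-Forwarded-Proto is an ordinary request header, so a variant of the check above can honour it only when the request arrives from the reverse proxy itself, and can keep the 'off' handling of the original line. `detectScheme()`, `TRUSTED_PROXIES` and the addresses are hypothetical, and the code assumes the proxy overwrites any client-supplied value of the header.

```php
<?php
// Added example, not lightopenid code. TRUSTED_PROXIES and detectScheme()
// are hypothetical names; all addresses are constructed sample values.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return 'https' or 'http' for the client-facing connection.
 * HTTP_X_FORWARDED_PROTO is honoured only when the direct peer
 * (REMOTE_ADDR) is one of the reverse proxies we operate.
 */
function detectScheme(array $server, array $trustedProxies): string
{
    // Direct TLS. Some servers set HTTPS to 'off' for plain HTTP, which the
    // original line 73 handled and a bare !empty() check would not.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return 'https';
    }

    // Anyone can send the header, so ignore it unless the sender is our proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return 'http';
    }

    // Assumption: the proxy overwrites the header with a single value.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https' ? 'https' : 'http';
}

// Constructed sample requests covering the four cases.
$samples = [
    'via trusted proxy'   => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'spoofed by a client' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS'          => ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'],
    'HTTPS set to off'    => ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'off'],
];
foreach ($samples as $label => $server) {
    printf("%-20s => %s\n", $label, detectScheme($server, TRUSTED_PROXIES));
}
```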

@GoogleCodeExporter

I will make the change so that it'll be done automatically.

However, I wonder why setting the realm didn't work. Did you also set it before 
calling validate()?

Original comment by mewp...@gmail.com on 20 Apr 2011 at 10:03

  • Changed state: Started

@GoogleCodeExporter

Thanks for your amazingly fast support!
Yes, when testing I set the realm both before the redirect and before validate. 
Not sure why it didn't work, but it's possible that it should have worked and I 
made some error/typo/whatever.

Original comment by silvango...@gmail.com on 20 Apr 2011 at 10:17

@GoogleCodeExporter

See the latest commit.

Original comment by mewp...@gmail.com on 21 Apr 2011 at 7:19

  • Changed state: Fixed
