make sure we prefer forwarded proto header over regular header (#10081)

core/Url.php

@@ -711,6 +711,10 @@ public static function isSecureConnectionAssumedByPiwikButNotForcedYet()
      */
     protected static function getCurrentSchemeFromRequestHeader()
     {
+        if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'http') {
+            return 'http';
+        }
+
         if ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] === true))
             || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
         ) {

tests/PHPUnit/Unit/UrlTest.php

@@ -72,6 +72,43 @@ public function testGetCurrentHost($description, $test)
         $this->assertEquals($test[4], Url::getCurrentHost(), $description);
     }
 
+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_ProtoHeaderShouldPrecedenceHttpsHeader($proto)
+    {
+        $_SERVER['HTTPS'] = 'on';
+        $_SERVER['HTTP_X_FORWARDED_PROTO'] = $proto;
+        $this->assertEquals($proto, Url::getCurrentScheme());
+
+        unset($_SERVER['HTTP_X_FORWARDED_PROTO']);
+        unset($_SERVER['HTTPS']);
+    }
+
+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_shouldDetectSecureFromHttpsHeader()
+    {
+        $_SERVER['HTTPS'] = 'on';
+        $this->assertEquals('https', Url::getCurrentScheme());
+
+        unset($_SERVER['HTTPS']);
+    }
+
+    /**
+     * @dataProvider getProtocol
+     */
+    public function test_getCurrentScheme_shouldBeHttpByDefault()
+    {
+        $this->assertEquals('http', Url::getCurrentScheme());
+    }
+
+    public function getProtocol()
+    {
+        return array(array('http'), array('https'));
+    }
+
     /**
      * Dataprovider for testIsLocalUrl
      */