What steps will reproduce the problem?
Call Yii::$app->getRequest()->getIsSecureConnection() when $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https,http'
What is the expected result?
true
What do you get instead?
false
Additional info
X_FORWARDED_PROTO is a de facto rather than a canonical HTTP field. It seems the common definition is to add, as comma-separated values, the different protocols used when multiple proxies lie in front of your application. (See https://en.wikipedia.org/wiki/X-Forwarded-For#Format)
I think it makes the most sense for the connection to be considered secure if the edge node (first step in the chain) is secure, because that's the most common use case. An example would be terminating SSL at an external load balancer / CDN, and forwarding over HTTP to an internal load balancer.
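The check requested above, written as a standalone function; this is an added example, not part of the original issue and not Yii's code. The function name, the `$trustedProxies` parameter and the sample addresses are assumptions, and it only honours the header when the immediate peer is a listed proxy, since any client can otherwise send the header itself.

```php
<?php
// Added example (not Yii code). Names and sample values are hypothetical.

/**
 * Decide whether the client-facing (edge) connection used HTTPS.
 *
 * @param array    $server         $_SERVER-style array
 * @param string[] $trustedProxies exact peer IPs allowed to set the header (assumption)
 */
function isSecureConnection(array $server, array $trustedProxies): bool
{
    // TLS terminated on this host: no forwarded header needed.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strcasecmp($https, 'off') !== 0) {
        return true;
    }

    // X-Forwarded-Proto is attacker-controlled unless it was set by a proxy
    // we operate, so ignore it for any other peer.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // 'https,http' -> ['https', 'http']; the first entry is the edge hop.
    // Assumes the edge proxy overwrites any value supplied by the client
    // and later proxies append to it.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? ''));

    return strcasecmp($hops[0], 'https') === 0;
}

// Constructed sample requests; 10.0.0.5 stands in for the internal load balancer.
$trusted = ['10.0.0.5'];
$samples = [
    'edge TLS, internal HTTP'   => ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https,http'],
    'single proxy, mixed case'  => ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'HTTPS'],
    'plain HTTP at the edge'    => ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'http, http'],
    'header from unknown peer'  => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https,http'],
    'no header, no TLS'         => ['REMOTE_ADDR' => '10.0.0.5'],
];

foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, var_export(isSecureConnection($server, $trusted), true));
}
```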