Issue 37: Support https behind reverse proxies (HTTP_X_FORWARDED_PROTO)
Suppose you use a reverse proxy to dispatch requests to different servers and suppose that your site uses https. Then the dispatcher needs to forward the request and the information about the protocol gets lost. On the server behind the dispatcher $_SERVER['HTTPS'] is empty.
To solve this issue it looks like an established convention that site administrators that need reverse proxies and https in their server setup introduce the server variable HTTP_X_FORWARDED_PROTO to make the 'real' protocol of the client visible to the servers behind the proxy. If you would substitute line 73
$this->trustRoot = ((empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') ? 'http' : 'https') . '://' . $_SERVER['HTTP_HOST'];
with the following code:
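// HTTPS may be set to 'off' for plain HTTP (e.g. IIS), so keep the check from line 73.
$directHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
// Protocol of the client connection as reported by the reverse proxy.
$proxiedHttps = isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
if ($directHttps || $proxiedHttps) {
    $this->trustRoot = 'https://' . $_SERVER['HTTP_HOST'];
} else {
    $this->trustRoot = 'http://' . $_SERVER['HTTP_HOST'];
}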
then lightopenid can be used behind reverse proxies and with https.
Just setting the realm/trustRoot manually using the api did not work for me as then the validate method failed. If there is a better way to go, please tell me.
Best regards and thanks for providing this library
Silvan
Apr 20, 2011
Project Member
#1
mewp...@gmail.com
Status:
Started
Apr 20, 2011
Thanks for your amazingly fast support! Yes, when testing I set the realm both before the redirect and before validate. Not sure why it didn't work, but it's possible that it should have worked and I made some error/typo/whatever.
Apr 21, 2011
See the latest commit.
Status:
Fixed
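The header check proposed in this issue, restricted to requests that arrive from a known reverse proxy, as an added example (not lightopenid's code and not the committed fix); `request_scheme()`, `$trustedProxies` and the sample addresses are assumptions made for illustration. X-Forwarded-Proto is an ordinary request header, so a server that is also reachable without the proxy would otherwise take the scheme of its trust root from whatever the client sends.

```php
<?php
// Added example, not lightopenid code. request_scheme() and the proxy
// address list are hypothetical; the sample requests are constructed.

/**
 * Return 'https' or 'http' for the current request.
 * X-Forwarded-Proto is honoured only when the direct peer (REMOTE_ADDR)
 * is one of the reverse proxies we operate.
 */
function request_scheme(array $server, array $trustedProxies): string
{
    // TLS terminated on this server. HTTPS can be 'off' for plain HTTP (IIS).
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }

    // Header sent by anything other than our proxy: ignore it.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return 'http';
    }

    // Accept only the exact value 'https'; anything else falls back to http.
    $forwarded = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $forwarded === 'https' ? 'https' : 'http';
}

// Constructed sample requests (addresses from documentation ranges).
$proxies = ['192.0.2.10'];
$samples = [
    'via proxy, TLS at proxy'        => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, plain HTTP'          => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct client, header supplied' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS'                     => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
    'direct, HTTPS=off'              => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'off'],
];
foreach ($samples as $label => $server) {
    printf("%-32s %s\n", $label, request_scheme($server, $proxies));
}
```

The proxy itself should overwrite any X-Forwarded-Proto value it receives from the client, so that the value seen behind it always reflects the connection the proxy terminated.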