Issue 37: Support https behind reverse proxies (HTTP_X_FORWARDED_PROTO)
Status:  Fixed
Owner: ----
Closed:  Apr 2011
Reported by silvango...@gmail.com, Apr 20, 2011
Suppose you use a reverse proxy to dispatch requests to different servers and suppose that your site uses https. Then the dispatcher needs to forward the request and the information about the protocol gets lost. On the server behind the dispatcher $_SERVER['HTTPS'] is empty.

To solve this issue it looks like an established convention that site administrators that need reverse proxies and https in their server setup introduce the server variable HTTP_X_FORWARDED_PROTO to make the 'real' protocol of the client visible to the servers behind the proxy. If you would substitute line 73


$this->trustRoot = ((empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') ? 'http' : 'https') . '://' . $_SERVER['HTTP_HOST'];
        

with the following code:


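        // https if this server terminates TLS itself (IIS sets HTTPS to 'off' for plain HTTP,
        // as line 73 already accounts for) or if the reverse proxy reports https.
        if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
            $this->trustRoot = 'https://'.$_SERVER['HTTP_HOST'];
        } else {
            $this->trustRoot = 'http://'.$_SERVER['HTTP_HOST'];
        }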

then lightopenid can be used behind reverse proxies and with https.
Just setting the realm/trustRoot manually using the api did not work for me as then the validate method failed. If there is a better way to go, please tell me.

Best regards and thanks for providing this library
Silvan
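
An added example, not part of the original issue and not LightOpenID's own code: HTTP_X_FORWARDED_PROTO is an ordinary request header, so a backend that is also reachable without the proxy should honour it only when the connection comes from a known proxy address. The function name resolveTrustRoot(), the TRUSTED_PROXIES list and all addresses and host names below are assumptions constructed for illustration.

```php
<?php
// Hypothetical allowlist of reverse-proxy addresses (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Hypothetical helper: builds the trust root from a $_SERVER-style array.
function resolveTrustRoot(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // TLS terminated on this server; IIS reports 'off' for plain HTTP.
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Accept the forwarded protocol only when the TCP peer is one of our
    // own proxies; from any other peer the header is untrusted input.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!$https && in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        $https = ($proto === 'https');
    }

    return ($https ? 'https' : 'http') . '://' . $server['HTTP_HOST'];
}

// Constructed sample requests covering each branch.
$samples = [
    'via trusted proxy'  => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'example.org',
                             'HTTP_X_FORWARDED_PROTO' => 'https'],
    'header, not proxy'  => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.org',
                             'HTTP_X_FORWARDED_PROTO' => 'https'],
    'IIS plain HTTP'     => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.org',
                             'HTTPS' => 'off'],
    'direct TLS'         => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_HOST' => 'example.org',
                             'HTTPS' => 'on'],
];

foreach ($samples as $label => $server) {
    printf("%-20s %s\n", $label, resolveTrustRoot($server));
}
```

The same effect can be had by configuring the proxy to overwrite the header on every request and making the backend unreachable except through the proxy.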
Apr 20, 2011
Project Member #1 mewp...@gmail.com
I will make the change so that it'll be done automatically.

However, I wonder why setting the realm didn't work. Did you also set it before calling validate()?
Status: Started
Apr 20, 2011
#2 silvango...@gmail.com
Thanks for your amazingly fast support!
Yes, when testing I set the realm both before the redirect and before validate. Not sure why it didn't work, but it's possible that it should have worked and I made some error/typo/whatever.
Apr 21, 2011
Project Member #3 mewp...@gmail.com
See the latest commit.
Status: Fixed