Force HTTPS if the original port is 443 behind a reverse proxy

Fixes #1022
2017-11-17 19:04:14 +01:00 · 2017-11-17 19:04:14 +01:00 · 8e9fc6f6e6
commit 8e9fc6f6e6
parent 844be5d556
2 changed files with 39 additions and 0 deletions
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@ -302,6 +302,13 @@ function server_url($server)
                $port = $server['HTTP_X_FORWARDED_PORT'];
            }

+            // This is a workaround for proxies that don't forward the scheme properly.
+            // Connecting over port 443 has to be in HTTPS.
+            // See https://github.com/shaarli/Shaarli/issues/1022
+            if ($port == '443') {
+                $scheme = 'https';
+            }
+
            if (($scheme == 'http' && $port != '80')
                || ($scheme == 'https' && $port != '443')
            ) {
--- a/tests/HttpUtils/ServerUrlTest.php
+++ b/tests/HttpUtils/ServerUrlTest.php
@ -186,4 +186,36 @@ public function testStandardHttpsPort()
            )
        );
    }
+
+    /**
+     * Misconfigured server (see #1022): Proxy HTTP but 443
+     */
+    public function testHttpWithPort433()
+    {
+        $this->assertEquals(
+            'https://host.tld',
+            server_url(
+                array(
+                    'HTTPS' => 'Off',
+                    'SERVER_NAME' => 'host.tld',
+                    'SERVER_PORT' => '80',
+                    'HTTP_X_FORWARDED_PROTO' => 'http',
+                    'HTTP_X_FORWARDED_PORT' => '443'
+                )
+            )
+        );
+
+        $this->assertEquals(
+            'https://host.tld',
+            server_url(
+                array(
+                    'HTTPS' => 'Off',
+                    'SERVER_NAME' => 'host.tld',
+                    'SERVER_PORT' => '80',
+                    'HTTP_X_FORWARDED_PROTO' => 'https, http',
+                    'HTTP_X_FORWARDED_PORT' => '443, 80'
+                )
+            )
+        );
+    }
 }