[wp-trac] [WordPress Trac] #31288: IS_SSL should check return true for SSL Terminated load balancing
WordPress Trac
noreply at wordpress.org
Tue Feb 10 23:47:06 UTC 2015
#31288: IS_SSL should check return true for SSL Terminated load balancing
--------------------------+-----------------------
Reporter: bretterer | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+-----------------------
Comment (by dd32):
Part of the problem with relying upon headers from untrusted downstreams
(which is effectively what you're suggesting) is that it's then possible
to bypass any SSL-only settings done in WordPress.
A MITM proxy could force it to HTTP, add the header, allow someone to
login over HTTP (because is_ssl() is now true) on this SSL-only site, and
then, well, you get the picture.
The hard part is validating that the header is actually coming from a
trusted source, which is why we suggest that this is a server
configuration error.
Of course, it's becoming far more common for a LB/HTTPS proxy to be
sitting in front of sites, the good news is that most of these commercial
SSL proxies will rewrite the page on-the-fly to convert any HTTP resources
to HTTPS.
Many private LBs which terminate SSL on the edge, however, do not rewrite
these things, and this is the exact scenario where some server
configuration is needed to make the WordPress environment match your
actual environment (see #19337 for some examples of code).
WordPress could of course add a No SSL / Could be SSL / Definitely SSL to
the mix, but that then introduces complexity, as suddenly some SSL things
work, but others which require SSL to be enabled don't, and it's a mystery
to the admin as to why.
If there's a way to work around everything mentioned here while being
straightforward to use by all users, we'd have done it already, but I'm
all ears on how you think we can achieve it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31288#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
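The "server configuration" dd32 refers to is usually a few lines in wp-config.php that set `$_SERVER['HTTPS']` from the balancer's forwarded header. The snippet below is an added example, written for this page; it is not WordPress core code and is not one of the snippets from #19337. It shows the check the comment says is the hard part: honouring `X-Forwarded-Proto` only when the request actually arrived from a proxy you operate, so a client that reaches the web server some other way cannot flip `is_ssl()` by sending the header itself. The proxy addresses (`$trusted_proxies`) are constructed sample values, and the example assumes the balancer overwrites any client-supplied `X-Forwarded-Proto` rather than passing it through.

```php
<?php
/**
 * Added example (not WordPress core, not from ticket #31288 or #19337).
 * Place in wp-config.php above the "That's all, stop editing!" line so it
 * runs before anything calls is_ssl().
 *
 * Assumptions (hypothetical, adjust to your environment):
 *   - TLS is terminated on a balancer that sets X-Forwarded-Proto on every
 *     request, overwriting whatever the client sent;
 *   - the balancer connects to this web server from one of the addresses
 *     listed in $trusted_proxies.
 */

// Constructed sample addresses of the SSL-terminating balancers.
$trusted_proxies = array( '10.0.0.10', '10.0.0.11' );

// Behind a terminating proxy, REMOTE_ADDR is the proxy's address, not the
// end user's. That is what makes it usable as a trust anchor here: a client
// cannot forge the TCP source address the way it can forge a header.
$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

if ( in_array( $remote_addr, $trusted_proxies, true ) ) {
	// Only now is the forwarded header worth believing.
	$forwarded_proto = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
		? strtolower( trim( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) )
		: '';

	// Strict comparison: anything other than exactly "https" stays plain HTTP
	// (fail closed rather than guessing).
	if ( 'https' === $forwarded_proto ) {
		// is_ssl() looks at $_SERVER['HTTPS'] (and SERVER_PORT 443); set the
		// former so the WordPress environment matches what the client negotiated.
		$_SERVER['HTTPS'] = 'on';
	}
} else {
	// The request did not come through a trusted proxy. Drop the header so
	// nothing further down the stack (a plugin, for instance) is tempted to
	// trust it either.
	unset( $_SERVER['HTTP_X_FORWARDED_PROTO'] );
}
```

Two points follow from dd32's comment. First, the allowlist only helps if the balancer itself is trustworthy on this header: a balancer that forwards a client-supplied `X-Forwarded-Proto` unchanged, or that also accepts plain HTTP on the front side and still stamps the header, reintroduces the bypass described above, because the web server then sees a "trusted" source vouching for a scheme the client never used. Second, the web server should not be reachable except through the balancer (firewall or private network), since otherwise a direct connection from an address that happens to be on the list, or the absence of any list at all, is the scenario the comment warns about. Sites with more than a couple of balancers, or balancers on a subnet, would replace the exact-match `in_array()` with a CIDR check, but the shape of the decision is the same: validate the source first, only then read the header.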