[wp-hackers] Make WP more usable behind load balancers/proxies
Hauke
mailman at haukebruno.de
Wed Oct 16 07:40:27 UTC 2013
Hi Nacin,
Thanks for your advice. I will have a look at it.
--
Best regards,
Hauke
On Wednesday, October 16, 2013 12:32:19 AM Andrew Nacin wrote:
> On Tue, Oct 15, 2013 at 1:52 PM, Hauke <mailman at haukebruno.de> wrote:
> > is it possible to change code lines like
> >
> > $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] .
> > $_SERVER['REQUEST_URI'] );
> >
> > into something like this:
> >
> > // Prefer the host name forwarded by the proxy, if there is one.
> > if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
> >     $serverhost = 'http://' . $_SERVER['HTTP_X_FORWARDED_HOST'];
> > } else {
> >     $serverhost = 'http://' . $_SERVER['HTTP_HOST'];
> > }
> > $current_url = set_url_scheme( $serverhost . $_SERVER['REQUEST_URI'] );
>
> Many load balancers and proxy servers forward HTTP headers for HTTPS, IP
> addresses, and more. These typically take the form of HTTP_X_FORWARDED_FOR
> (X-Forwarded-For), for remote IP addresses, and HTTP_X_FORWARDED_PROTO
> (X-Forwarded-Proto), for whether traffic is going over the HTTPS protocol.
> Occasionally other information needs to be forwarded, like the server port
> or hostname.
>
> If WordPress blindly listened to these headers — especially for protocols —
> there is a risk of infinite redirects and general breakage. To make matters
> worse, these are not formal standards, and are rather freeform. As a
> result, many web servers and configurations do this differently. For
> example, one configuration might prepend “HTTP_”, resulting in HTTP_HTTPS.
> What should be done instead is a server should either pass properly mapped
> headers to PHP, or some code can do the mapping in wp-config.php. For
> example:
>
> if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
>     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
>     $_SERVER['HTTPS'] = 'on';
> }
>
> See also:
> http://core.trac.wordpress.org/ticket/9235
> http://core.trac.wordpress.org/ticket/15009
> http://core.trac.wordpress.org/ticket/15733
> http://core.trac.wordpress.org/ticket/19337
> http://core.trac.wordpress.org/ticket/24394
> etc.
>
> Nacin
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
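
A wp-config.php style mapping along the lines Nacin describes, as an added example that is not part of the original thread and not WordPress core code. It goes one step further than the snippet in the reply by honouring the forwarded headers only when the request comes from a known load balancer and the forwarded host is one the site serves; the function name, proxy address and host names are hypothetical.

```php
<?php
// Added example, not WordPress core code. The function name, proxy addresses
// and host names are hypothetical; adjust them to your deployment.

/**
 * Map X-Forwarded-* headers onto the keys WordPress reads (HTTPS, HTTP_HOST),
 * but only when the request really came from a known load balancer.
 */
function map_forwarded_headers( array $server, array $trusted_proxies, array $allowed_hosts ) {
    $peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( ! in_array( $peer, $trusted_proxies, true ) ) {
        return $server; // Direct or unknown client: ignore forwarded headers.
    }

    // Scheme: accept only an exact "https". Chained proxies may send a
    // comma-separated list, so look at the first entry only.
    if ( isset( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
        $parts = explode( ',', $server['HTTP_X_FORWARDED_PROTO'] );
        if ( 'https' === strtolower( trim( $parts[0] ) ) ) {
            $server['HTTPS'] = 'on';
        }
    }

    // Host: accept only names this site is configured to serve.
    if ( isset( $server['HTTP_X_FORWARDED_HOST'] ) ) {
        $parts = explode( ',', $server['HTTP_X_FORWARDED_HOST'] );
        $host  = strtolower( trim( $parts[0] ) );
        if ( in_array( $host, $allowed_hosts, true ) ) {
            $server['HTTP_HOST'] = $host;
        }
    }
    return $server;
}

// Constructed sample requests (documentation addresses and names).
$proxies = array( '192.0.2.10' );
$hosts   = array( 'blog.example.com' );
$via_lb  = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_HOST' => 'backend.internal',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_HOST' => 'blog.example.com' );
$direct  = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'backend.internal',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_HOST' => 'other.example.net' );

var_dump( map_forwarded_headers( $via_lb, $proxies, $hosts ) ); // request through the load balancer
var_dump( map_forwarded_headers( $direct, $proxies, $hosts ) ); // request that bypassed it
// In wp-config.php: $_SERVER = map_forwarded_headers( $_SERVER, $proxies, $hosts );
```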