[wp-trac] [WordPress Trac] #28443: SSL behind a load balancer
WordPress Trac
noreply at wordpress.org
Tue Jun 3 22:01:43 UTC 2014
#28443: SSL behind a load balancer
--------------------------+----------------------
 Reporter:  lracicot      |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:  wontfix
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by nacin):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>

Comment:

 Replying to [ticket:28443 lracicot]:
 > The solution suggested in the codex
 > (http://codex.wordpress.org/Function_Reference/is_ssl) is to manually set
 > the php server variable 'HTTPS', but this is not a good practice.

 I'd argue it's not a bad practice to keep the application ignorant of the
 overall proxying setup. This is ultimately an environment configuration
 issue; the application shouldn't need to figure out how the headers are
 forwarded (X-Forwarded-* is a de facto standard, but I've seen SSL in
 particular be forwarded in a number of ways), or whether they can be
 trusted (an X-* header can simply be set by the client, with no way of
 knowing if it came from a proxy).

 Security aside (which is a dealbreaker), there is also a risk of infinite
 redirects for suddenly obeying these fields.

 See also: #9235, #15009, #15733, #19337, #24394, etc.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28443#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
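
The trust problem raised in the comment (a client can send X-Forwarded-Proto itself) can be handled at the environment level, where the proxy addresses are known. The following wp-config.php sketch is an added example, not part of the original message or of WordPress; the proxy ranges, the header name and the function names are assumptions about a hypothetical deployment.

```php
<?php
// Added example, not WordPress core code. The proxy ranges and the header
// name are assumptions about one deployment; the addresses are constructed.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.10/32'];

/** True if IPv4 address $ip lies inside CIDR block $cidr. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed input never matches
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True only if a trusted proxy says the client connection used HTTPS. */
function forwarded_https(array $server, array $trusted): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    // A direct client can set X-Forwarded-Proto itself, so the header is
    // ignored unless the TCP peer is one of our own proxies.
    if (!$fromProxy) {
        return false;
    }
    return strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

// In wp-config.php, before wp-settings.php is loaded, so is_ssl() sees it:
if (forwarded_https($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests: one direct client, one via the load balancer.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$viaLb  = ['REMOTE_ADDR' => '10.1.2.3',    'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(forwarded_https($direct, TRUSTED_PROXIES));
var_dump(forwarded_https($viaLb, TRUSTED_PROXIES));
```

This is only sound if the load balancer overwrites any X-Forwarded-Proto value supplied by the client and the origin server cannot be reached around it.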