[wp-trac] [WordPress Trac] #31288: IS_SSL should check return true for SSL Terminated load balancing

WordPress Trac noreply at wordpress.org
Tue Feb 10 23:47:06 UTC 2015

#31288: IS_SSL should check return true for SSL Terminated load balancing
 Reporter:  bretterer     |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:

Comment (by dd32):

 Part of the problem with relying upon headers from untrusted downstreams
 (which is effectively what you're suggesting) is that it's then possible
 to bypass any SSL-only settings done in WordPress.
 A MITM proxy could force it to HTTP, add the header, allow someone to
 login over HTTP (because is_ssl() is now true) on this SSL-only site, and
 then, well you get the picture..

 The hard part is validating that the header is actually coming from a
 trusted source, which is why we suggest that this is a server
 configuration error.
 Of course, it's becoming far more common for a LB/HTTPS proxy to be
 sitting in front of sites, the good news is that most of these commercial
 SSL proxies will rewrite the page on-the-fly to convert any HTTP resources
 to HTTPS.
 Many private LB's which terminate SSL on the edge however, do not rewrite
 these things, and this is the exact scenario where some server
 configuration is needed to make the WordPress environment match your
 actual environment (see #19337 for some examples of code).

 WordPress could of course add a No SSL / Could be SSL / Definitely SSL to
 the mix, but that then introduces complexity, as suddenly some SSL things
 work, but others which require SSL to be enabled don't, and it's a mystery
 to the admin as to why.

 If there's a way to work around everything mentioned here, and being
 straight forward to use by all users, we'd have done it already.. but I'm
 all ears on how you think we can achieve it.

Ticket URL: <https://core.trac.wordpress.org/ticket/31288#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list