[wp-trac] [WordPress Trac] #31288: IS_SSL should check return true for SSL Terminated load balancing
WordPress Trac
noreply at wordpress.org
Wed Feb 11 02:42:08 UTC 2015
#31288: IS_SSL should check return true for SSL Terminated load balancing
-----------------------------+------------------------------
Reporter: bretterer | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch close | Focuses:
-----------------------------+------------------------------
Comment (by chaoix):
What about, in addition to checking the X-Forwarded-Proto header, we also
check Remote-Addr, a server-set header, against a filtered array of
whitelisted load balancer IP addresses, since the issue here isn't whether
to use the X-Forwarded-Proto header but verifying the identity of the
server sending it and the ability to not have load balancer header checks
enabled by default.
I am not convinced header manipulation is not a real concern, though, for
this use case. Using the load balancer use case, the only traffic sent to
the web server is through a VPN connection between the load balancers and
the web servers. It is not possible for the web server to be accessed via
port 80 directly.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31288#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
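The check chaoix proposes, written out as an added example (this is not WordPress core code and not the patch attached to the ticket): the forwarded-protocol header is only honoured when the peer that actually connected to PHP, `$_SERVER['REMOTE_ADDR']`, falls inside a site-supplied list of load balancer ranges, and that list is empty by default so nothing is trusted unless an operator opts in. The function names and the `10.0.0.0/8` range are assumptions made for the example; the `HTTPS` and `SERVER_PORT` tests mirror what core's `is_ssl()` already does.

```php
<?php
/**
 * Added example, not WordPress core code. Decide whether the client's
 * request was HTTPS when TLS is terminated at a load balancer, trusting
 * X-Forwarded-Proto only from whitelisted balancer addresses.
 */

/** Return true if IPv4 address $ip lies inside $cidr (e.g. "10.0.0.0/8"). */
function example_ipv4_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32'; // a bare address means exactly that host
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    $bits        = (int) $bits;
    if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches
    }
    $mask = 0 === $bits ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Is the connecting peer one of the balancers we trust to set
 * X-Forwarded-Proto? $trusted_cidrs is empty by default, so the header is
 * ignored unless the site explicitly lists its balancers.
 */
function example_request_is_from_trusted_proxy( array $server, array $trusted_cidrs ) {
    if ( empty( $server['REMOTE_ADDR'] ) ) {
        return false;
    }
    foreach ( $trusted_cidrs as $cidr ) {
        if ( example_ipv4_in_cidr( $server['REMOTE_ADDR'], $cidr ) ) {
            return true;
        }
    }
    return false;
}

/** Replacement-style is_ssl() logic that understands SSL-terminating balancers. */
function example_is_ssl_terminated( array $server, array $trusted_cidrs ) {
    // Direct TLS to the web server: the same tests core's is_ssl() makes.
    if ( isset( $server['HTTPS'] ) && in_array( strtolower( $server['HTTPS'] ), array( 'on', '1' ), true ) ) {
        return true;
    }
    if ( isset( $server['SERVER_PORT'] ) && '443' === (string) $server['SERVER_PORT'] ) {
        return true;
    }
    // Forwarded header: only meaningful when the peer is a whitelisted balancer.
    if ( ! example_request_is_from_trusted_proxy( $server, $trusted_cidrs ) ) {
        return false;
    }
    if ( empty( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
        return false;
    }
    // A proxy chain may send "https, http"; the first value is the client's scheme.
    $parts = explode( ',', $server['HTTP_X_FORWARDED_PROTO'] );
    return 'https' === strtolower( trim( $parts[0] ) );
}

// Constructed sample requests (assumed values, not captured traffic).
$trusted_balancers = array( '10.0.0.0/8' ); // the balancers' VPN range in this example
$via_balancer = array(
    'REMOTE_ADDR'            => '10.1.2.3',
    'HTTP_X_FORWARDED_PROTO' => 'https',
);
$direct_with_header = array(
    'REMOTE_ADDR'            => '203.0.113.9',
    'HTTP_X_FORWARDED_PROTO' => 'https',
);
var_dump( example_is_ssl_terminated( $via_balancer, $trusted_balancers ) );
var_dump( example_is_ssl_terminated( $direct_with_header, $trusted_balancers ) );
```

The first sample request is accepted as HTTPS because its peer is inside the listed range; the second carries the same header but comes from an address outside it, so the header is ignored and the request is treated as plain HTTP. In a real deployment the `$trusted_balancers` list would be populated from `wp-config.php` or a filter rather than a literal, and it should describe only the balancer addresses, not the whole internal network, so that a host that can reach port 80 on the web server directly cannot claim HTTPS by adding the header.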