[wp-trac] [WordPress Trac] #31288: IS_SSL should check return true for SSL Terminated load balancing
WordPress Trac
noreply at wordpress.org
Tue Sep 8 22:40:35 UTC 2015
#31288: IS_SSL should check return true for SSL Terminated load balancing
--------------------------+----------------------
Reporter: bretterer | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 2.6
Severity: normal | Resolution: wontfix
Keywords: has-patch | Focuses:
--------------------------+----------------------
Comment (by webaware):
I second johnbillion above; this is not something you want to handle in
core. It is too specific to the hosting environment, and it's too easy to
forge headers.
FWIW, it's not as simple as supporting `HTTP_X_FORWARDED_PROTO` either, as
different hosts present different variables to signify HTTPS, e.g.
* `HTTP_X_FORWARDED_PROTO` as 'https'
* `HTTP_X_FORWARDED_SSL` as 'on'
* `HTTP_X_FORWARDED_SSL` as '1'
* `HTTP_CF_VISITOR` as '{"scheme":"https"}' (CloudFlare Flexible SSL)
NB: I believe that CloudFlare Flexible SSL now also sets
`HTTP_X_FORWARDED_PROTO`, which it transmits across the unsecured Internet
over HTTP, thus demonstrating how easy it is to forge such headers.
There are existing plugins that handle these specific configurations
already (e.g. https://wordpress.org/plugins/cloudflare-flexible-ssl/, my
https://wordpress.org/plugins/ssl-insecure-content-fixer/) and it's very
easy to create a site-specific fix either directly in `wp-config.php` or
as a small plugin. Trying to handle it in core can, I believe, only
complicate matters.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31288#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
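A site-specific `wp-config.php` fix of the kind the comment describes, written here as an added example (not code from the ticket, from WordPress core, or from the plugins linked above): it maps the header variants listed in the comment onto `$_SERVER['HTTPS']`, and, because any client can send those headers, honours them only when the connection reaches PHP from one of the SSL-terminating proxies. The `$trusted_proxies` addresses are assumed placeholders for the load balancer's internal IPs.

```php
<?php
// Added example for wp-config.php; place it above the "That's all, stop editing!" line.
// Not WordPress core code and not from any plugin named in the ticket.

// Assumption: the internal addresses of the SSL-terminating load balancer(s).
// These are placeholders; replace them with the real proxy addresses.
$trusted_proxies = array( '10.0.0.1', '10.0.0.2' );

/**
 * Return true when the request arrived over HTTPS at the load balancer.
 *
 * Only the header variants listed in the ticket comment are recognised, and
 * only when REMOTE_ADDR is a configured proxy: a request that reaches PHP
 * directly from the Internet carrying one of these headers is ignored.
 */
function example_ssl_terminated( array $server, array $trusted ) {
	if ( empty( $server['REMOTE_ADDR'] ) || ! in_array( $server['REMOTE_ADDR'], $trusted, true ) ) {
		return false;
	}
	// HTTP_X_FORWARDED_PROTO as 'https'
	if ( isset( $server['HTTP_X_FORWARDED_PROTO'] )
		&& 'https' === strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) ) ) {
		return true;
	}
	// HTTP_X_FORWARDED_SSL as 'on' or '1'
	if ( isset( $server['HTTP_X_FORWARDED_SSL'] )
		&& in_array( strtolower( trim( $server['HTTP_X_FORWARDED_SSL'] ) ), array( 'on', '1' ), true ) ) {
		return true;
	}
	// HTTP_CF_VISITOR as '{"scheme":"https"}' (CloudFlare Flexible SSL)
	if ( isset( $server['HTTP_CF_VISITOR'] ) ) {
		$visitor = json_decode( $server['HTTP_CF_VISITOR'], true );
		if ( is_array( $visitor ) && isset( $visitor['scheme'] ) && 'https' === $visitor['scheme'] ) {
			return true;
		}
	}
	return false;
}

if ( example_ssl_terminated( $_SERVER, $trusted_proxies ) ) {
	// is_ssl() looks at $_SERVER['HTTPS'] (or SERVER_PORT 443), so set it before WordPress loads.
	$_SERVER['HTTPS'] = 'on';
}
```

If the proxy rewrites `REMOTE_ADDR` itself (for example via a web server module that trusts the forwarded client IP), the allowlist check above no longer sees the proxy's address and must be applied at that layer instead.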