e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Insecure URLs when behind a reverse proxy #4622

Open nesjett opened 2 years ago

nesjett commented 2 years ago

Bug Description

When using e107 on a server behind a reverse proxy, the proxy and the web server communicate over plain HTTP, without SSL certificates, although the communication between the client browser and the reverse proxy uses SSL properly.

The issue is that it seems e107 detects the communication as HTTP and generates the resulting site using insecure URLs for all links and forms.

A possible solution would be to enable an option to always force HTTPS URLs. (The preferences option "use ssl only" is not working either, because it is deactivated with the message "View this page using https (SSL) to modify this option". In fact I am accessing the site over HTTPS, but as I already stated, e107 can't detect it.)

This issue makes deployments in Kubernetes environments difficult.

Greetings,

Deltik commented 2 years ago

e107 believes that it is loaded over HTTPS if $_SERVER['HTTPS'] is not empty and not set to the string off or if $_SERVER['SERVER_PORT'] is set to the integer 443. (Source)

Detection of TLS termination by a reverse proxy can be improved by checking $_SERVER['HTTP_X_FORWARDED_PROTO'], assuming that the reverse proxy is sending an X-Forwarded-Proto header, but e107 is not currently doing that.

As a workaround for the time being, I think if you add the following code snippet and pass the X-Forwarded-Proto header, you should be able to get the intended "forced" HTTPS URLs:

// isset() avoids an "undefined index" notice on requests that carry no
// X-Forwarded-Proto header; strict comparison against the value the proxy sets.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
{
    $_SERVER['HTTPS'] = 'on';
}

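The snippet above trusts X-Forwarded-Proto from whoever connects to PHP, which is fine only if nothing but the proxy can reach the web server. The following is an added example (not e107 code and not Deltik's) that keeps the detection Deltik describes (HTTPS non-empty and not "off", or SERVER_PORT 443) and honours the forwarded header only when the TCP peer is a known proxy. The function names, the trusted-proxy ranges and the sample $_SERVER arrays are all constructed for illustration.

```php
<?php
// Added example, not part of e107: decide whether a request arrived over HTTPS,
// honouring X-Forwarded-Proto only when the connecting peer is a trusted proxy.

/**
 * @param array    $server         A $_SERVER-like array.
 * @param string[] $trustedProxies IPv4 addresses or CIDR blocks allowed to set X-Forwarded-*.
 */
function request_is_https(array $server, array $trustedProxies): bool
{
    // 1. TLS terminated by PHP's own web server: the checks e107 already performs.
    $https = (string)($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }

    // 2. TLS terminated upstream: believe the forwarded header only when the
    //    TCP peer is one of our proxies. Otherwise any client talking to PHP
    //    directly could send "X-Forwarded-Proto: https" (or "http") and flip
    //    the scheme used in every generated link and form action.
    $peer = (string)($server['REMOTE_ADDR'] ?? '');
    if ($peer === '' || !ip_in_any_cidr($peer, $trustedProxies)) {
        return false;
    }

    // The header may carry a comma-separated chain; the first entry is the
    // scheme the client-facing hop saw.
    $proto = (string)($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    $first = strtolower(trim(explode(',', $proto)[0]));
    return $first === 'https';
}

/** IPv4 exact-address or CIDR membership test (IPv6 left out for brevity). */
function ip_in_any_cidr(string $ip, array $cidrs): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $netLong = ip2long($net);
        $bits = (int)$bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue; // skip malformed entries rather than trusting them
        }
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed requests. The proxy is assumed to live in 10.0.0.0/8 (e.g. a
// Kubernetes pod network) and PHP is assumed to listen on plain HTTP port 8080.
$trusted = ['10.0.0.0/8', '127.0.0.1'];

$viaProxy = ['REMOTE_ADDR' => '10.42.0.7', 'SERVER_PORT' => '8080',
             'HTTP_X_FORWARDED_PROTO' => 'https'];       // TLS terminated at the proxy
$spoofed  = ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '8080',
             'HTTP_X_FORWARDED_PROTO' => 'https'];       // header sent by an untrusted peer
$direct   = ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '443',
             'HTTPS' => 'on'];                           // TLS terminated by PHP's server

var_dump(request_is_https($viaProxy, $trusted));
var_dump(request_is_https($spoofed, $trusted));
var_dump(request_is_https($direct, $trusted));

// Guarded equivalent of the workaround above: hand e107 the signal it already
// understands, but only after the trusted-proxy decision.
if (request_is_https($_SERVER, $trusted)) {
    $_SERVER['HTTPS'] = 'on';
}
```

Of the three constructed requests, the first and third are treated as HTTPS; the second is not, because the header arrives from a peer outside the trusted ranges and is therefore ignored. The same hardening applies if the proxy is configured to strip any client-supplied X-Forwarded-Proto before adding its own, which is what a reverse proxy in front of e107 should do in any case.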
nesjett commented 2 years ago

In fact this workaround works.

Thank you for the tip, Deltik.