petitssuisses / piwigo-ForceHTTPS

Piwigo Force HTTPS is a security plugin for Piwigo. It allows Piwigo administrators to force usage of SSL transport layer when browsing Piwigo.

Infinite redirect when PiwiGo is behind reverse proxy #14

Open jfstenuit opened 6 years ago

jfstenuit commented 6 years ago

The plugin does not handle the case where it is installed behind a reverse proxy handling the TLS termination. The logic to detect whether or not we're running HTTPS should take care of three situations:

When considering only the $_SERVER['HTTPS'] case, like in main.inc.php on lines 122 and 134, you can't properly detect if we are running under HTTPS or not.

You may want to add an option to allow the scan for HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_SSL only if the admin flags the usage behind a reverse proxy. Otherwise, there is a possibility that an attacker bypasses the "force https" protection just by setting those flags in the header.
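The detection logic described in this issue, written out as an added example (not code from the plugin or from the reporter): the three cases are checked in order, and the two forwarded-header cases are only honoured when an assumed admin option (`$behind_proxy`, which the plugin does not currently have) says a reverse proxy terminates TLS.

```php
<?php
// Added example, not the plugin's own code. $behind_proxy stands for an
// assumed admin option that tells the plugin a reverse proxy terminates TLS.

/**
 * Decide whether the current request reached the site over HTTPS.
 *
 * @param array $server       normally $_SERVER
 * @param bool  $behind_proxy admin option: TLS is terminated by a reverse proxy
 */
function force_https_request_is_secure(array $server, bool $behind_proxy): bool
{
    // Case 1: PHP itself terminated TLS (mod_ssl, php-fpm behind a TLS vhost).
    // Some SAPIs set HTTPS to "off" for plain requests, so test the value.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Cases 2 and 3 only make sense behind a proxy. Any client can send
    // X-Forwarded-* headers, so honouring them on a directly exposed server
    // lets a plain-HTTP request claim to be HTTPS and skip the redirect.
    if (!$behind_proxy) {
        return false;
    }

    // Case 2: X-Forwarded-Proto: https (nginx, Apache mod_proxy, load balancers).
    // The header may be a comma-separated chain; the first entry is the client hop.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0])) === 'https') {
        return true;
    }

    // Case 3: X-Forwarded-Ssl: on (used by some proxies instead of Proto).
    if (isset($server['HTTP_X_FORWARDED_SSL'])
        && strtolower($server['HTTP_X_FORWARDED_SSL']) === 'on') {
        return true;
    }

    return false;
}

/** Redirect to the HTTPS equivalent of the current URL unless already secure. */
function force_https_redirect(array $server, bool $behind_proxy): void
{
    // Behind a proxy PHP sees plain HTTP; without the proxy branch above this
    // check is always false and every request redirects to itself: the loop.
    if (force_https_request_is_secure($server, $behind_proxy)) {
        return;
    }
    $url = 'https://' . $server['HTTP_HOST'] . ($server['REQUEST_URI'] ?? '/');
    header('Location: ' . $url, true, 301);
    exit;
}
```

With `$behind_proxy` false, a request carrying only `X-Forwarded-Proto: https` still gets redirected, which is the bypass the comment above warns about.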

DJeremyy commented 4 years ago

I have the same error. Adding HTTP_X_FORWARDED_PROTO is a good solution.