processwire / processwire-requests

ProcessWire feature requests.

htaccess tweak for 9A: Force HTTPS #452

Closed BernhardBaumrock closed 2 years ago

BernhardBaumrock commented 2 years ago

Short description of the enhancement

Please add a line to check for proxied https to the htaccess file to make it work with DDEV.

Current vs. suggested behavior

Currently, when using a setup like DDEV that works with different Docker containers, if you use directive 9A it will cause an infinite loop of redirects which makes the site unusable. My colleague @christophengelmayer came up with the following solution:

  # 9A. To redirect HTTP requests to HTTPS, uncomment the lines below (also see note above):
  # -----------------------------------------------------------------------------------------------
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This makes the HTTPS redirect work both on the local DDEV setup as well as on the live server (that has no proxy).

Why would the enhancement be useful to users?

DDEV seems to get more popular in the community, so it would be nice to have this additional line in 9A. Directive 9B does not work in a DDEV (or other docker-based) setup!

As the additional check should IMHO not cause any problems in regular setups, I think it would be a nice improvement. But neither my colleagues nor I are Apache experts, so double checking would be good :)

jmartsch commented 2 years ago

I am also no expert in Apache, but the provided fix works for me. Also, it should not interfere with normal setups because "HTTP:X-Forwarded-Proto" is only a de-facto standard header for identifying the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto).

ryancramerdesign commented 2 years ago

@BernhardBaumrock @jmartsch I think that's okay for a local dev environment but the problem with this solution on a live server (that's not going through a proxy/load-balancer) is that the X-FORWARDED-PROTO header can be spoofed, so it's a type of user input, enabling someone to bypass the rule set.
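The following is an added example, not code from this issue or from ProcessWire. It models how mod_rewrite evaluates a RewriteCond chain (conditions are ANDed, a condition carrying [OR] is ORed with the next one) and runs a few constructed requests through two rule sets: the 9A variant proposed above, and an assumed proxy-aware variant that honours X-Forwarded-Proto only when REMOTE_ADDR is the proxy itself. The proxy address (PROXY_ADDR), the request dictionaries and the proxy-aware rule set are all assumptions for illustration; the simulation is not Apache, so confirm any rule against a real server before shipping it. It shows the bypass Ryan describes (a direct HTTP request carrying a forged header is not redirected by the original conditions) and that binding header trust to the proxy address closes it without reintroducing the redirect loop for requests that genuinely arrive via the proxy.

```python
import re
from dataclasses import dataclass


@dataclass
class Cond:
    """One RewriteCond line: variable, pattern, the '!' negation and the [OR] flag."""
    var: str               # Apache variable, e.g. "HTTPS" or "HTTP:X-Forwarded-Proto"
    pattern: str           # "=value" for a string comparison, otherwise a regex
    negate: bool = False   # the leading "!" in the pattern
    or_next: bool = False  # the [OR] flag: OR this condition with the following one


def cond_matches(cond: Cond, request: dict) -> bool:
    """Test a single condition against a request; unset variables read as empty strings."""
    value = request.get(cond.var, "")
    if cond.pattern.startswith("="):
        hit = value == cond.pattern[1:]
    else:
        hit = re.search(cond.pattern, value) is not None
    return hit != cond.negate


def rule_fires(conds: list, request: dict) -> bool:
    """Evaluate a RewriteCond chain the way mod_rewrite does: groups of conditions are
    ANDed, and a condition flagged [OR] is ORed with the one that follows it."""
    groups, current = [], False
    for cond in conds:
        current = current or cond_matches(cond, request)
        if not cond.or_next:
            groups.append(current)
            current = False
    return all(groups)


# The conditions proposed in the issue; the RewriteRule fires when both hold.
ORIGINAL_9A = [
    Cond("HTTPS", "=on", negate=True),
    Cond("HTTP:X-Forwarded-Proto", "https", negate=True),
]

# Assumed hardening (not from the issue): honour X-Forwarded-Proto only when the
# request actually comes from the proxy. PROXY_ADDR is a placeholder for the
# router's address in your setup. Reads: not HTTPS AND (not from proxy OR header not https).
PROXY_ADDR = r"^172\.18\.0\.2$"
PROXY_AWARE_9A = [
    Cond("HTTPS", "=on", negate=True),
    Cond("REMOTE_ADDR", PROXY_ADDR, negate=True, or_next=True),
    Cond("HTTP:X-Forwarded-Proto", "https", negate=True),
]

# Constructed requests, keyed by the Apache variables the conditions read.
DIRECT_HTTP = {"HTTPS": "off", "REMOTE_ADDR": "203.0.113.7"}
DIRECT_HTTPS = {"HTTPS": "on", "REMOTE_ADDR": "203.0.113.7"}
SPOOFED_DIRECT_HTTP = {"HTTPS": "off", "REMOTE_ADDR": "203.0.113.7",
                       "HTTP:X-Forwarded-Proto": "https"}
VIA_PROXY_HTTPS = {"HTTPS": "off", "REMOTE_ADDR": "172.18.0.2",
                   "HTTP:X-Forwarded-Proto": "https"}
VIA_PROXY_HTTP = {"HTTPS": "off", "REMOTE_ADDR": "172.18.0.2",
                  "HTTP:X-Forwarded-Proto": "http"}


def as_htaccess(conds: list) -> str:
    """Render a condition list back into RewriteCond lines for review."""
    lines = []
    for c in conds:
        flag = " [OR]" if c.or_next else ""
        lines.append(f"RewriteCond %{{{c.var}}} {'!' if c.negate else ''}{c.pattern}{flag}")
    lines.append("RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]")
    return "\n".join(lines)


if __name__ == "__main__":
    cases = (("direct http", DIRECT_HTTP), ("direct https", DIRECT_HTTPS),
             ("direct http + forged header", SPOOFED_DIRECT_HTTP),
             ("via proxy, https", VIA_PROXY_HTTPS), ("via proxy, http", VIA_PROXY_HTTP))
    for name, conds in (("original 9A", ORIGINAL_9A), ("proxy-aware 9A", PROXY_AWARE_9A)):
        print(f"--- {name}\n{as_htaccess(conds)}")
        for label, req in cases:
            print(f"  {label:30} redirect={rule_fires(conds, req)}")
```

On a live server with nothing in front of Apache the simplest safe form is still the stock 9A (check %{HTTPS} alone); the proxy-aware chain is for setups where both situations must work from one file, and it only helps if the REMOTE_ADDR it trusts is truly the proxy, which is why the placeholder address must be replaced with the real one.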