search

ratsume / lightopenid

Automatically exported from code.google.com/p/lightopenid
0 stars 0 forks source link

Support https behind reverse proxies (HTTP_X_FORWARDED_PROTO) #37

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
Suppose you use a reverse proxy to dispatch requests to different servers and 
suppose that your site uses https. Then the dispatcher needs to forward the 
request and the information about the protocol gets lost. On the server behind 
the dispatcher $_SERVER['HTTPS'] is empty.

To solve this issue it looks like an established convention that site 
adminstrators that need reverse proxies and https in their server setup 
introduce the server variable HTTP_X_FORWARDED_PROTO to make the 'real' 
protocol of the client visible to the servers behind the proxy. If you would 
substitute line 73

$this->trustRoot = ((empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') ? 
'http' : 'https') . '://' . $_SERVER['HTTP_HOST'];

with the following code:

        if(!empty($_SERVER['HTTPS']) || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
            $this->trustRoot = 'https://'.$_SERVER['HTTP_HOST'];
        } else {
            $this->trustRoot = 'http://'.$_SERVER['HTTP_HOST'];
        }

then lightopenid can be used behind reverse proxies and with https.
Just setting the realm/trustRoot manually using the api did not work for me as 
then the validate method failed. If there is a better way to go, please tell me.

Best regards and thanks for providing this library
Silvan

Original issue reported on code.google.com by silvango...@gmail.com on 20 Apr 2011 at 9:44

GoogleCodeExporter commented 8 years ago 
I will make the change so that it'll be done automatically.

However, I wonder why setting the realm didn't work. Did you also set it before 
calling validate()?

Original comment by mewp...@gmail.com on 20 Apr 2011 at 10:03

GoogleCodeExporter commented 8 years ago 
Thanks for your amazingly fast support!
Yes, when testing I set the realm both before the redirect and before validate. 
Not sure why it didn't work, but it's possible that it should have worked and I 
did some error/typo/whatever.

Original comment by silvango...@gmail.com on 20 Apr 2011 at 10:17

GoogleCodeExporter commented 8 years ago 
See the latest commit.

Original comment by mewp...@gmail.com on 21 Apr 2011 at 7:19