is_https() fixed for load balancers / reverse proxies;

typo fixed in changelog
flatpressblog · Apr 27, 2024 · 16298a3 · 16298a3 · Fraenkiman · Apr 27, 2024
1 parent 3659e5e
commit 16298a3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,4 @@
-# Under delevopment: [FlatPress 1.3.1](https://github.com/flatpressblog/flatpress/releases/tag/1.3.1)
+# Under development: [FlatPress 1.3.1](https://github.com/flatpressblog/flatpress/releases/tag/1.3.1)
 ## Bugfixes
 - HTTP-only Login wasn't possible under some circumstances ([#371](https://github.com/flatpressblog/flatpress/issues/371), [#378](https://github.com/flatpressblog/flatpress/issues/378))
 

diff --git a/defaults.php b/defaults.php
@@ -130,6 +130,7 @@
 
 // supports Apache and IIS
 $serverport = '';
+var_dump(is_https());
 if (is_https()) {
 	// HTTPS enabled
 	$serverport = "https://";
@@ -171,21 +172,25 @@
 header('X-Frame-Options: SAMEORIGIN');
 header('X-XSS-Protection: 1; mode=block');
 header('X-Content-Type-Options: nosniff');
-  //
-  // End of send header
-  // 
-
-#function _dummy() {}
-#set_error_handler('_dummy');
-
-
 
+//
+// End of send header
+//
 
 /**
  * Checks if FlatPress is called via HTTPS.
  *
  * @return boolean <code>true</code> when FlatPress is called via HTTPS; <code>false</code> otherwise.
  */
 function is_https() {
-	return (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on'));
+	// HTTPS called web server
+	if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS'])) {
+		return true;
+	}
+	// HTTPS called reverse proxy / load balancer 
+	if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') {
+		$isSecure = true;
+	}
+	// none of the above: must be HTTP
+	return false;
 }