Add a check for X-FORWARDED-PROTO Headers in addition to checking {HTTPS} in .htaccess [#1288834]

When working behind a load balancer that is handling the https encryption and then making non-ssl calls to Apache, checking for {HTTPS} isn't sufficient. Even when setting an environment HTTPS variable to get php recognizing the request as HTTPS, it is still not going to be available in .htaccess. (However you could check for {ENV:HTTPS} )

Looking around, it looks like there is a standard header that CAN be set (but is not always configured) by the load balancer when it makes the proxy request, X-FORWARDED-PROTO. I think it would make sense to add that check to the default .htaccess rules for boost.

# Custom: Test for X-Forwarded-Proto in request headers from a load balancer.
RewriteCond %{HTTP:X-Forwarded-Proto} https

Comments

Comment #1

mgifford

he/him

English

CreditAttribution: mgifford commented 13 March 2015 at 15:25

Issue summary:	View changes
Related issues:		+#313145: Support X-Forwarded-* HTTP headers alternates

Comment #2

mgifford

he/him

English

CreditAttribution: mgifford commented 13 March 2015 at 15:25

Adding Core link & also this blog:

http://www.metaltoad.com/blog/running-drupal-secure-pages-behind-proxy

Add a check for X-FORWARDED-PROTO Headers in addition to checking {HTTPS} in .htaccess

Comments

Comment #1

Comment #2

Related issues

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community