Background: Website (example.com), dns setup through cloudflare pro plan, this offers "flexible ssl" (read here), which means that ssl only exists between client and cloudflare and not between cloudflare and server, thus not needing dedicated ip and not needing special setups on the server. The server is setup to not use ssl (just a generic website), however cloudflare's flexible ssl is is taking care of the ssl aspect.
Language: PHP (codeignighter, but that doesnt really matter)
Goal: when browsing to domain "exmple.com/" or "http:// exmple.com/", to generate a variable "http:// example.com", and when browsing to "https:// example.com/*" to generate a variable "https:// example.com".
What should work (but doesnt):
$root = '';
if( isset($_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] != 'off' )
{
//it doesnt reach here...
$root .= 'https://';
}
else
{
$root .= 'http://';
}
$root .= "".$_SERVER['HTTP_HOST'];
$root .= str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);
I can always make it do: "//example.com", but that doesnt really solve the problem for me. Thoughts? Should i be doing some string comparison to determine the https-ness?
Im sure the reason for this is when a request reaches the server (https or http), it comes through port 80 and it doesnt get recognized as ssl, so $_SERVER['HTTPS'] is not defined. I could setup a custom ssl between the server and cloudflare, but would be nicer (less effort) if i could just use some regexp and compare the url somehow.
I would also like to know possible issues and vulnerabilities.
Thanks :)
To enable Always Use HTTPS in the dashboard: Log in to your Cloudflare account Open external link and go to a specific domain. Navigate to SSL/TLS > Edge Certificates. For Always Use HTTPS, switch the toggle to On.
Full SSL — (only for self-signed certificates)The connection between the user and Cloudflare is secure. The connection between Cloudflare and DreamHost is secure, but not authenticated. Your visitors will see HTTPS and a secure padlock in their browser.
Ok, i will answer my own question for future people who has the same issue:
if(!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])){
$root .= $_SERVER['HTTP_X_FORWARDED_PROTO'].'://';
}
else{
$root .= !empty($_SERVER['HTTPS']) ? "https://" : "http://";
}
Came accross it when i was looking closely at $_SERVER
, and googling around for HTTP_X_FORWARDED_PROTO
and got me to few pages that confirmed this.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With