
PHP https check with flexible ssl (cloudflare), how to do?

Background: Website (example.com), DNS set up through Cloudflare pro plan, this offers "flexible ssl" (read here), which means that SSL only exists between client and Cloudflare and not between Cloudflare and server, thus not needing a dedicated IP and not needing special setups on the server. The server is set up to not use SSL (just a generic website), however Cloudflare's flexible SSL is taking care of the SSL aspect.

Language: PHP (CodeIgniter, but that doesn't really matter)

Goal: when browsing to domain "example.com/" or "http://example.com/", to generate a variable "http://example.com", and when browsing to "https://example.com/*" to generate a variable "https://example.com".

What should work (but doesn't):

$root = '';
if( isset($_SERVER['HTTPS'] )  && $_SERVER['HTTPS'] != 'off' )
{
    //it doesn't reach here...
    $root .= 'https://';
}
else
{
    $root .= 'http://';
}
$root  .= "".$_SERVER['HTTP_HOST'];
$root .= str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);

I can always make it do: "//example.com", but that doesn't really solve the problem for me. Thoughts? Should I be doing some string comparison to determine the https-ness?

I'm sure the reason for this is that when a request reaches the server (https or http), it comes through port 80 and it doesn't get recognized as SSL, so $_SERVER['HTTPS'] is not defined. I could set up a custom SSL between the server and Cloudflare, but it would be nicer (less effort) if I could just use some regexp and compare the URL somehow.

I would also like to know possible issues and vulnerabilities.

Thanks :)

decay asked May 08 '14 04:05

1 Answer

OK, I will answer my own question for future people who have the same issue:

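$root = '';
// Behind Cloudflare flexible SSL the origin is reached over plain HTTP,
// so the client's scheme arrives in the X-Forwarded-Proto request header.
if(!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])){
    $root .= $_SERVER['HTTP_X_FORWARDED_PROTO'].'://';
}
else{
    // No proxy header: fall back to the server's own HTTPS flag ('off' means plain HTTP).
    $root .= (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? "https://" : "http://";
}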

Came across it when I was looking closely at $_SERVER, and googling around for HTTP_X_FORWARDED_PROTO got me to a few pages that confirmed this.

decay answered Oct 03 '22 23:10
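
A hardened variant of the check in the answer above, as an added example that is not part of the original post: it honours X-Forwarded-Proto only when the direct peer is a trusted proxy, and only for the values http and https. The TRUSTED_PROXIES range is a placeholder (a documentation range, to be replaced with the proxy's published ranges), and request_scheme and ip_in_cidr are names made up for this example.

```php
<?php
// Added example, not from the original post. The CIDR below is a documentation
// range used as a placeholder: replace it with your proxy's published ranges.
const TRUSTED_PROXIES = ['192.0.2.0/24'];

// True when IPv4 address $ip falls inside $cidr (IPv4 only, for brevity).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns 'http' or 'https'. $server is a $_SERVER-style array.
function request_scheme(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $direct = (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') ? 'https' : 'http';
    $peer   = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Only a trusted proxy may speak for the client, and only with a known value.
            $fwd = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return in_array($fwd, ['http', 'https'], true) ? $fwd : $direct;
        }
    }
    return $direct; // header ignored: any client can send it directly to the origin
}

// Constructed sample requests (not captured traffic).
$samples = [
    'via proxy, https'       => ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct, spoofed header' => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, junk value'  => ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'javascript'],
];
foreach ($samples as $label => $server) {
    echo $label, ' => ', request_scheme($server), "://example.com\n";
}
```

HTTP_HOST is client-supplied as well, so a configured host name is the safer choice when the resulting URL ends up in links or redirects.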