Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP https check with flexible ssl (cloudflare), how to do?

Tags:

php

https

ssl

cloudflare

Background: Website (example.com), dns setup through cloudflare pro plan, this offers "flexible ssl" (read here), which means that ssl only exists between client and cloudflare and not between cloudflare and server, thus not needing dedicated ip and not needing special setups on the server. The server is setup to not use ssl (just a generic website), however cloudflare's flexible ssl is is taking care of the ssl aspect.

Language: PHP (codeignighter, but that doesnt really matter)

Goal: when browsing to domain "exmple.com/" or "http:// exmple.com/", to generate a variable "http:// example.com", and when browsing to "https:// example.com/*" to generate a variable "https:// example.com".

What should work (but doesnt):

$root = '';
if( isset($_SERVER['HTTPS'] )  && $_SERVER['HTTPS'] != 'off' )
{
    //it doesnt reach here...
    $root .= 'https://';
}
else
{
    $root .= 'http://';
}
$root  .= "".$_SERVER['HTTP_HOST'];
$root .= str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);

I can always make it do: "//example.com", but that doesnt really solve the problem for me. Thoughts? Should i be doing some string comparison to determine the https-ness?

Im sure the reason for this is when a request reaches the server (https or http), it comes through port 80 and it doesnt get recognized as ssl, so $_SERVER['HTTPS'] is not defined. I could setup a custom ssl between the server and cloudflare, but would be nicer (less effort) if i could just use some regexp and compare the url somehow.

I would also like to know possible issues and vulnerabilities.

Thanks :)

like image 754
decay Avatar asked May 08 '14 04:05

decay

People also ask

How do I enable HTTPS with Cloudflare?

To enable Always Use HTTPS in the dashboard: Log in to your Cloudflare account Open external link and go to a specific domain. Navigate to SSL/TLS > Edge Certificates. For Always Use HTTPS, switch the toggle to On.

Is Cloudflare flexible SSL secure?

Full SSL — (only for self-signed certificates)The connection between the user and Cloudflare is secure. The connection between Cloudflare and DreamHost is secure, but not authenticated. Your visitors will see HTTPS and a secure padlock in their browser.

1 Answers

Ok, i will answer my own question for future people who has the same issue:

if(!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])){
    $root .= $_SERVER['HTTP_X_FORWARDED_PROTO'].'://';
}
else{
    $root .= !empty($_SERVER['HTTPS']) ? "https://" : "http://";
}

Came accross it when i was looking closely at $_SERVER, and googling around for HTTP_X_FORWARDED_PROTO and got me to few pages that confirmed this.

like image 126
decay Avatar answered Oct 03 '22 23:10

decay
Sign in to Comment

Related questions

php How do I start an external program running - Having trouble with system and exec
cleaning $_POST variables [duplicate]
How to process a form with CodeIgniter
Using SQlite3 in PHP how to count the number of rows in a result set?
How to get Custom Options Programmatically in Magento
Extract filename with extension from filepath string
Listing all images in a directory using PHP
Should I use @ in my PHP code?
Get MySQL database output via PHP to XML
Hide Referrer on click
php - Sort array with date as key
Updating a Multidimensional Array in PHP
Store objects in sessions Symfony 2
PHP write objects inline
What is the time format used in facebook created date?
PDO associative arrays - return associative
Changing Log Levels in Laravel 4
php json_encode not working on arrays partially
Laravel hasMany relation count number of likes and comments on post
Get the price of an item on Steam Community Market with PHP and Regex

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!