From 665dbc2690ebeb5392d38f1fece0a654225a0b38 Mon Sep 17 00:00:00 2001
From: Patrick Baus <patrick.baus@physik.tu-darmstadt.de>
Date: Thu, 11 Aug 2016 01:32:41 +0200
Subject: [PATCH] Fixed detection of SSL encryption, when a reverse proxy is
 used, that does the encryption. If the server sets the HTTP_X_FORWARDED_PROTO
 header to 'https' or the HTTP_X_FORWARDED_SSL header to 'on' SSL encryption
 is assumed

---
 htdocs/login_form.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/htdocs/login_form.php b/htdocs/login_form.php
index f16bdbf..37f0e38 100644
--- a/htdocs/login_form.php
+++ b/htdocs/login_form.php
@@ -16,7 +16,19 @@ printf('<h3 class="title">%s %s</h3>',_('Authenticate to server'),$app['server']
 echo '<br />';
 
 # Check for a secure connection
-if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
+$isHTTPS = false;
+
+# Check if the current connection is encrypted
+if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
+        $isHTTPS = true;
+}
+# Check if a proxy server downstream does encryption for us
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL'])
+== 'on') {
+        $isHTTPS = false;
+}
+
+if (!$isHTTPS) {
 	echo '<div style="text-align: center; color:red">';
 	printf('<acronym title="%s"><b>%s: %s.</b></acronym>',
 		_('You are not using \'https\'. Web browser will transmit login information in clear text.'),
@@ -25,6 +37,7 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
 
 	echo '<br />';
 }
+unset($isSecure);
 
 # HTTP Basic Auth Form.
 if ($app['server']->getAuthType() == 'http') {