deon/phpldapadmin
1
0
Fork 0
Code Issues 36 Pull Requests Packages Projects Releases Wiki Activity

Fixed detection of SSL encryption, when a reverse proxy is used, that does the encryption.

Browse Source 
If the server sets the HTTP_X_FORWARDED_PROTO header to 'https' or the
HTTP_X_FORWARDED_SSL header to 'on' SSL encryption is assumed
This commit is contained in:
Patrick Baus 2016-08-11 01:32:41 +02:00
parent fa88250f0e
commit 665dbc2690
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
htdocs/login_form.php
View File

@ -16,7 +16,19 @@ printf('<h3 class="title">%s %s</h3>',_('Authenticate to server'),$app['server']
echo '<br />'; echo '<br />';
# Check for a secure connection # Check for a secure connection
if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') { $isHTTPS = false;
# Check if the current connection is encrypted
if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
$isHTTPS = true;
}
# Check if a proxy server downstream does encryption for us
elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL'])
== 'on') {
$isHTTPS = false;
}
if (!$isHTTPS) {
echo '<div style="text-align: center; color:red">'; echo '<div style="text-align: center; color:red">';
printf('<acronym title="%s"><b>%s: %s.</b></acronym>', printf('<acronym title="%s"><b>%s: %s.</b></acronym>',
_('You are not using \'https\'. Web browser will transmit login information in clear text.'), _('You are not using \'https\'. Web browser will transmit login information in clear text.'),
@ -25,6 +37,7 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
echo '<br />'; echo '<br />';
} }
unset($isSecure);
# HTTP Basic Auth Form. # HTTP Basic Auth Form.
if ($app['server']->getAuthType() == 'http') { if ($app['server']->getAuthType() == 'http') {