Merge pull request #40 from PatrickBaus/master

Fixed detection of SSL encryption behind proxy server
2016-10-30 16:53:36 +08:00 · 2016-10-30 16:53:36 +08:00 · 733a10a1c5
parent 708bc5ed83 61af45e872
commit 733a10a1c5
2 changed files with 14 additions and 3 deletions
--- a/htdocs/js/ajax_functions.js
+++ b/htdocs/js/ajax_functions.js
@ -202,8 +202,6 @@ function makeHttpRequest(url,parameters,meth,successCallbackFunctionName,errorCa
 	http_request.open(meth,url,true);

 	http_request.setRequestHeader('Content-type','application/x-www-form-urlencoded');
-	http_request.setRequestHeader('Content-length',parameters.length);
-	http_request.setRequestHeader('Connection','close');

 	if (meth == 'GET') parameters = null;
 	http_request.send(parameters);
--- a/htdocs/login_form.php
+++ b/htdocs/login_form.php
@ -16,7 +16,19 @@ printf('<h3 class="title">%s %s</h3>',_('Authenticate to server'),$app['server']
 echo '<br />';

 # Check for a secure connection
-if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
+$isHTTPS = false;
+
+# Check if the current connection is encrypted
+if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
+        $isHTTPS = true;
+}
+# Check if a proxy server downstream does encryption for us
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL'])
+== 'on') {
+        $isHTTPS = true;
+}
+
+if (!$isHTTPS) {
 	echo '<div style="text-align: center; color:red">';
 	printf('<acronym title="%s"><b>%s: %s.</b></acronym>',
 		_('You are not using \'https\'. Web browser will transmit login information in clear text.'),
@ -25,6 +37,7 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {

 	echo '<br />';
 }
+unset($isSecure);

 # HTTP Basic Auth Form.
 if ($app['server']->getAuthType() == 'http') {