Project

General

Profile

Feature #6108

Make root_web optional and check HTTP-X-Forwarded-Proto

Added by Yannick Warnier over 6 years ago. Updated over 2 years ago.

Status:
Assigned
Priority:
High
Category:
System
Target version:
Start date:
20/04/2013
Due date:
% Done:

0%

Estimated time:
Complexity:
Normal
SCRUM pts - complexity:
?

Description

$_configuration['root_web'] can be made optional in configuration.php with the following code:

$_configuration['root_web']       = 'http://my.chamilo19.net/';
if (!empty($_SERVER['HTTP_HOST'])) {
  $_configuration['root_web'] = 'http://'.$_SERVER['HTTP_HOST'].'/';
}

This "switch" should not be located in configuration.php, but rather in global.inc.php, just after reading configuration.php and before "$GLOBALS['_configuration'] = $_configuration;", so it should look like this:


// Use the current host and fallback to configuration['root_web'] if not defined.
if (!empty($_SERVER['HTTP_HOST'])) {
    $protocol = 'http://';
    if (!empty($_SERVER['HTTPS'])) {
        $protocol = 'https://';
    }
    $_configuration['root_web'] = $protocol.$_SERVER['HTTP_HOST'].'/';
}

// Ensure that _configuration is in the global scope before loading
// main_api.lib.php. This is particularly helpful for unit tests
if (!isset($GLOBALS['_configuration'])) {
    $GLOBALS['_configuration'] = $_configuration;
}

This, however, might be a problem for reverse proxies taking over the HTTPS handshake and exchange (because the reverse proxy receives the $_SERVER['HTTPS'] as true, but passes it to the web server backend as false.
In this case, Chamilo would return links (inside the HTML) saying "http://my.chamilo.org" when the links should say "https://my.chamilo.org". In this case, Chamilo should support the HTTP_X_FORWARDED_PROTO (non-standard but widely accepted) header.

A more appropriate version would be:


// Use the current host and fallback to configuration['root_web'] if not defined.
// If X-Forwarded-Proto is defined, make sure we use it.
if (empty($_configuration['root_web']) && !empty($_SERVER['HTTP_HOST'])) {
    $protocol = 'http';
    if (!empty($_SERVER['HTTPS']) or (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
        $protocol = 'https';
    }
    $_configuration['root_web'] = $protocol.'://'.$_SERVER['HTTP_HOST'].'/';
}

// Ensure that _configuration is in the global scope before loading
// main_api.lib.php. This is particularly helpful for unit tests
if (!isset($GLOBALS['_configuration'])) {
    $GLOBALS['_configuration'] = $_configuration;
}

This would require updating the optimization documentation.
This would also require to update the installation process to make sure HTTP_HOST is defined, but I think that's already how we fill the root_web in the first place.
In this case, if $_SERVER['HTTP_HOST'] is defined, we could just leave $_configuration['root_web'] empty in configuration.php, and if the user adds his own web path, then set the value to that.

History

#1

Updated by Yannick Warnier over 6 years ago

  • Description updated (diff)
#2

Updated by Yannick Warnier over 2 years ago

  • Priority changed from Normal to High

Also available in: Atom PDF