Search code examples
phpcodeignitersslhttpsoffloading

Not getting https = on in $_SERVER PHP ,Codigniter, Server behind Load Balancer

I hit the domain by : https://domainname.com, here is the $_SERVER response for it 

Array
(
    [UNIQUE_ID] => VcmHo6LRO1IAAB-fDU0AAAAK
    [SCRIPT_URL] => /
    [SCRIPT_URI] => http://DOMAIN/
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
    [HTTP_X_FORWARDED_FOR] => 27.106.8.158
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [HTTP_SSLCLIENTCERTSTATUS] => NoClientCert
    [HTTP_X_FORWARDED_PROTO] => https
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8
    [HTTP_SSLCLIENTCIPHER] => SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, version=TLSv1.2, bits=256
    [HTTP_HOST] => DOMAIN NAME
    [HTTP_SSLSESSIONID] => 93C33C49696542DC405250B49D36C222CBC06F747494EB56BB5C756A59DF8419
    [HTTP_X_CLUSTER_CLIENT_IP] => 27.106.8.158
    [HTTP_COOKIE] => fbm_153033148171841=base_domain=.DOMAIN; PHPSESSID=6gpp73p5k5ce4lg5lqut4ql3i5; PHPSESSID=v0vr962t7vtdtggo5tush5ndc1; X-Mapping-fjhppofk=843133EAD64CFF0FA30A00FC3D699430; fbsr_153033148171841=2MX-iaC6soGRrwIGXsPmsjGTdvLJ9UymLxPJS91gGyQ.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUUNPenN5blVpbVZURVlBTHBiVERIaDl5REMtVC1sSEVCMUJLTWFxUno5bk0tT2M4eTFla256RktNYXdNSWZuWVExUWV1c09XUDNwU0M3dDJxZEdKWnhSZE9pLTRLRVdadTVkdW9OaVRiX2xEWmZ4Y0VuSHJBeFppOTVzbFhOQjlyajJUTWNTREdrNWhNX0VMUzBiXzJxbWtZSTNVX0lWVlllMjlTczh6LTA5azNPWFJVcko2elZOYkk2cGlLTk9nSGswcTVFd3BfVzlpcGJhYVJFd2dZVHo5U0pkSE9hTWFhSjJQY3dqV09SdWFHUVM1bXBDdFRDaDV2eVRXUTd6NEdDSlJFMHNQYXFOQmhSamhCbkNUdGFlMTJOVWIxR0ItcExhUWFZUzg1bW00VDlaMkFQX292Q1Q5QzlBMVVabWFDR3Frcm1YWWh5WE9kQ1lNYndINVB3MiIsImlzc3VlZF9hdCI6MTQzOTI2OTU5NywidXNlcl9pZCI6IjczMDA3MjI1NCJ9; _gat=1; _ga=GA1.2.1057126601.1438592752
    [HTTP_CONNECTION] => keep-alive
    [HTTP_X_FORWARDED_PORT] => 443
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, sdch
    [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
    [SERVER_SIGNATURE] => <address>Apache Server at eventseeker.com Port 80</address>

    [SERVER_SOFTWARE] => Apache
    [SERVER_NAME] => Domain Name
    [SERVER_ADDR] => Load balanacer IP
    [SERVER_PORT] => 80
    [REMOTE_ADDR] => Server IP
    [DOCUMENT_ROOT] => /var/www/html/foldername/
    [SERVER_ADMIN] => [email protected]
    [SCRIPT_FILENAME] => /var/www/html/foldername/index.php
    [REMOTE_PORT] => 10052
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /
    [SCRIPT_NAME] => /index.php
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1439270819.984
    [REQUEST_TIME] => 1439270819
)

THE array doesn't have $_SERVER['https'] = on , Thus for me it is difficult to identify valid HTTPS hit on domain.

It seems that the server gets a https hit and than it redirects it to http as we have [HTTP_X_FORWARDED_PROTO] => https , [HTTP_X_FORWARDED_PORT] => 443 and [SERVER_PORT] => 80

The domain is behind Load Balancer and it uses SSL offloading. What can be the problem ?

I have a requirement for my site to work on http if the user is not logged in , and as the user logs in the site should move behind https and till the user logs out it the user will only browse site in https.

Can anyone help . Thank You.

Solution

  • In your setup, SSL is terminated on the load balancer. It forwards all connections to your site via plain HTTP, there is no encryption. However it adds headers such as HTTP_X_FORWARDED_PROTO = https, which tells you the protocol used by user to the load balancer.

    If you want to check HTTPS in an agnostic way so your application don't need to know if it is behind a load balancer or not, try checking both HTTPS || HTTP_X_FORWARDED_PROTO fields.