From 5b27017b6e03fc999d50043f2057154a16e39cda Mon Sep 17 00:00:00 2001
From: Christopher Gervais <chris@ergonlogic.com>
Date: Thu, 21 Mar 2019 18:51:06 +0000
Subject: [PATCH] Issue #3040646: Detect proxied HTTPS requests.

---
 http/Provision/Config/Nginx/server.tpl.php | 10 ++++++++++
 http/Provision/Config/Nginx/subdir.tpl.php | 15 +++++++++++++++
 http/Provision/Config/Nginx/vhost.tpl.php  |  3 +++
 3 files changed, 28 insertions(+)

diff --git a/http/Provision/Config/Nginx/server.tpl.php b/http/Provision/Config/Nginx/server.tpl.php
index 781d84c..c7a5a53 100644
--- a/http/Provision/Config/Nginx/server.tpl.php
+++ b/http/Provision/Config/Nginx/server.tpl.php
@@ -99,6 +99,8 @@ if ($nginx_has_upload_progress) {
   fastcgi_index  index.php;
   # Block https://httpoxy.org/ attacks.
   fastcgi_param  HTTP_PROXY          "";
+  # Set whether the original request was using HTTPS.
+  fastcgi_param  HTTPS               $forwarded_protocol if_not_empty;
 <?php endif; ?>
 
  ## Size Limits
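Review bot: The `if_not_empty` flag on the new `fastcgi_param HTTPS $forwarded_protocol if_not_empty;` line can never take effect, because the `$forwarded_protocol` map added in the next hunk falls back to the literal "off", so a value is sent on every request. A request that reaches nginx over TLS directly, with no `X-Forwarded-Proto` header, is therefore reported to PHP-FPM as `HTTPS=off`; where the stock `fastcgi_params` (which sets `HTTPS $https if_not_empty`) has already been included, this later assignment appears to override the correct value — confirm how PHP-FPM resolves the duplicate. Changing the map's fallback to `default $https;` keeps the direct-TLS case working and makes `if_not_empty` meaningful again for plain HTTP, where `$https` is empty. The same line is added in subdir.tpl.php at lines 318, 815, 1024, 1108 and 1267 and in vhost.tpl.php at line 41. The enclosing PHP conditional and nginx block start outside this hunk.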
@@ -222,6 +224,14 @@ if ($nginx_has_upload_progress) {
 #######################################################
 
 ###
+### Detect whether the original request was using HTTPS.
+###
+map $http_x_forwarded_proto $forwarded_protocol {
+  default "off";
+  https "on";
+}
+
+###
 ### Support separate Speed Booster caches for various mobile devices.
 ###
 map $http_user_agent $device {
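Review bot: The map derives `$forwarded_protocol` solely from the client-supplied `X-Forwarded-Proto` header, with nothing tying it to the address of the proxy that is expected to set it. If this nginx is reachable without going through that proxy, a plain-HTTP request carrying `X-Forwarded-Proto: https` is reported to the application as a secure connection, which matters wherever the application bases secure-cookie or base-URL decisions on `$_SERVER['HTTPS']`. The trust assumption should at least be stated in the comment, e.g. `### Trusts X-Forwarded-Proto; only valid when all traffic arrives via the TLS-terminating proxy.`, and ideally enforced by keying the map on a `geo`-derived trusted-proxy flag combined with the header (a variable such as `$trusted_proxy`, so the source becomes `"$trusted_proxy:$http_x_forwarded_proto"`) so the header is honoured only from the proxy's address range. Independently of that, the `default "off"` branch discards the real TLS state of direct connections; `default $https;` preserves it.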
diff --git a/http/Provision/Config/Nginx/subdir.tpl.php b/http/Provision/Config/Nginx/subdir.tpl.php
index 0873588..cbf3015 100644
--- a/http/Provision/Config/Nginx/subdir.tpl.php
+++ b/http/Provision/Config/Nginx/subdir.tpl.php
@@ -318,6 +318,9 @@ location ^~ /<?php print $subdir; ?> {
 
     include       fastcgi_params;
 
+    # Set whether the original request was using HTTPS.
+    fastcgi_param HTTPS $forwarded_protocol if_not_empty;
+
     # Block https://httpoxy.org/ attacks.
     fastcgi_param HTTP_PROXY "";
 
@@ -812,6 +815,9 @@ location ^~ /<?php print $subdir; ?> {
 
     include       fastcgi_params;
 
+    # Set whether the original request was using HTTPS.
+    fastcgi_param HTTPS $forwarded_protocol if_not_empty;
+
     # Block https://httpoxy.org/ attacks.
     fastcgi_param HTTP_PROXY "";
 
@@ -1018,6 +1024,9 @@ location ^~ /<?php print $subdir; ?> {
 
     include       fastcgi_params;
 
+    # Set whether the original request was using HTTPS.
+    fastcgi_param HTTPS $forwarded_protocol if_not_empty;
+
     # Block https://httpoxy.org/ attacks.
     fastcgi_param HTTP_PROXY "";
 
@@ -1099,6 +1108,9 @@ location ^~ /<?php print $subdir; ?> {
 
     include       fastcgi_params;
 
+    # Set whether the original request was using HTTPS.
+    fastcgi_param HTTPS $forwarded_protocol if_not_empty;
+
     # Block https://httpoxy.org/ attacks.
     fastcgi_param HTTP_PROXY "";
 
@@ -1255,6 +1267,9 @@ location @allowupdate_<?php print $subdir_loc; ?> {
 <?php endif; ?>
   include       fastcgi_params;
 
+  # Set whether the original request was using HTTPS.
+  fastcgi_param HTTPS $forwarded_protocol if_not_empty;
+
   # Block https://httpoxy.org/ attacks.
   fastcgi_param HTTP_PROXY "";
 
diff --git a/http/Provision/Config/Nginx/vhost.tpl.php b/http/Provision/Config/Nginx/vhost.tpl.php
index 955288e..b3566ac 100644
--- a/http/Provision/Config/Nginx/vhost.tpl.php
+++ b/http/Provision/Config/Nginx/vhost.tpl.php
@@ -41,6 +41,9 @@ server {
   # Block https://httpoxy.org/ attacks.
   fastcgi_param HTTP_PROXY "";
 
+  # Set whether the original request was using HTTPS.
+  fastcgi_param HTTPS "$forwarded_protocol" if_not_empty;
+
   fastcgi_param MAIN_SITE_NAME <?php print $this->uri; ?>;
   set $main_site_name "<?php print $this->uri; ?>";
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
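Review bot: This hunk quotes the value, `fastcgi_param HTTPS "$forwarded_protocol" if_not_empty;`, while the identical line added to server.tpl.php and subdir.tpl.php leaves it bare; the quotes change nothing for nginx, but the two forms should not coexist across templates, so `fastcgi_param HTTPS $forwarded_protocol if_not_empty;` here would match. The placement also differs: subdir.tpl.php inserts the line before the httpoxy block and this file after it, which makes the templates harder to compare. The enclosing `server {` block begins outside the hunk.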
-- 
2.7.4

