Currently, drupal_settings_initialize() does an important detection to try and determine whether the current request is https or not:

$is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';

Among other things, this check prevents Drupal from serving up "mixed content" pages where http resources are served with a https page.

If your web server communicates with PHP over http even when the end user is hitting the server with a https request, then Drupal doesn't "see" that it is supposed to provide a https page for the end user.

Generally, when a server is configured like this, it "forwards" the protocol the end user needs to PHP with $_SERVER['HTTP_X_FORWARDED_PROTO'], so Drupal should check to see if that exists before assuming the page is http.

An example of this situation is https sites on Acquia Cloud; their docs at https://docs.acquia.com/cloud/configure/https say to do this as a workaround:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 
    $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' &&
    isset($_SERVER['REMOTE_ADDR']) &&
    strpos($_SERVER['REMOTE_ADDR'], '10.') === 0) {
  $_SERVER['HTTPS'] = 'on';
}

Which is a hack to provide the logic that Drupal core could be using anyway.

But another example would be if you were using nginx with PHP as a backend; this is definitely not just an "Acquia thing".

Review Bonus:

https://drupal.org/comment/8434783#comment-8434783 +2
Total: 2

Comment  File              Size       Author
#3       2181941-3.patch   953 bytes  thedavidmeister
#1       2181941-1.patch   658 bytes  thedavidmeister
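
The detection described in the issue summary above, as an added example that is not part of the original issue, its patches, or Drupal core: it accepts X-Forwarded-Proto only when the direct peer is inside a configured proxy range, generalizing the '10.' prefix check in the quoted workaround to IPv4 CIDR matching. The helpers request_is_https() and ip_in_cidr(), the proxy range and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Drupal core code. Helper names and ranges are hypothetical.

// TRUE if $ip (IPv4 dotted quad) is inside $cidr, e.g. "10.0.0.0/8" (64-bit PHP).
function ip_in_cidr(string $ip, string $cidr): bool {
  [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
  $ip_long = ip2long($ip);
  $subnet_long = ip2long($subnet);
  if ($ip_long === FALSE || $subnet_long === FALSE || !ctype_digit($bits) || (int) $bits > 32) {
    return FALSE;
  }
  $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
  return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Decide whether the end user's request was https, given a $_SERVER-style array.
function request_is_https(array $server, array $trusted_proxies): bool {
  // TLS terminated by the web server itself: the same test the issue quotes.
  if (isset($server['HTTPS']) && strtolower($server['HTTPS']) == 'on') {
    return TRUE;
  }
  // The forwarded header is only meaningful when a known proxy set it.
  if (!isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])) {
    return FALSE;
  }
  foreach ($trusted_proxies as $cidr) {
    if (ip_in_cidr($server['REMOTE_ADDR'], $cidr)) {
      return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
  }
  // Header present but the direct peer is not a trusted proxy: ignore it.
  return FALSE;
}

// Constructed sample requests (addresses are illustrative only).
$proxies = ['10.0.0.0/8'];
$cases = [
  'https via balancer' => ['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '10.1.2.3'],
  'http via balancer' => ['HTTP_X_FORWARDED_PROTO' => 'http', 'REMOTE_ADDR' => '10.1.2.3'],
  'header from untrusted peer' => ['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.9'],
  'direct TLS' => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'],
];
foreach ($cases as $label => $server) {
  printf("%-28s %s\n", $label, request_is_https($server, $proxies) ? 'https' : 'http');
}
```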

Comments

thedavidmeister’s picture

Status: Active » Needs review
FileSize
658 bytes

Patch.

thedavidmeister’s picture

Title: drupal_settings_initialize() should check $_SERVER['HTTP_X_FORWARDED_PROTO'] as well as $_SERVER['HTTPS'] » Drupal should recognise $_SERVER['HTTP_X_FORWARDED_PROTO'] when attempting to detect a https request
Category: Feature request » Bug report
FileSize
953 bytes

This patch might be a better approach as it would be compatible with any code anywhere checking $_SERVER['https'] (it simply sets $_SERVER['https'] to 'on' if appropriate after checking HTTP_X_FORWARDED_PROTO).

/core/vendor/zendframework/zend-feed/Zend/Feed/PubSubHubbub/AbstractCallback.php does this in _getHttpHost()

thedavidmeister’s picture

Issue summary: View changes
Damien Tournoud’s picture

Status: Needs review » Closed (duplicate)
thedavidmeister’s picture

OK, I'll take further discussion there. Thanks.