Re: [PHP] Detecting HTTPS connections under Apache

2011-05-28 Thread Geoff Shang

On Fri, 27 May 2011, Curtis Maurand wrote:

> $_SERVER['HTTPS']

I don't see this at all.

I'm definitely connecting securely.  Here are the status lines from Lynx 
when surfing to https://MintFM.net/phpinfo.php:


1. Looking up mintfm.net
2. Making HTTPS connection to mintfm.net
3. Verified connection to mintfm.net (cert=mintfm.net)
4. Certificate issued by: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
5. Secure 128-bit TLS1.0 (DHE_RSA_AES_128_CBC_SHA1) HTTP connection
6. Sending HTTP request.
7. HTTP request sent; waiting for response.
8. HTTP/1.1 200 OK
9. Data transfer complete

So it's definitely secure, but I'm not seeing anything in $_SERVER that 
says so.  So I'm wondering if Apache is not exporting something properly.


Geoff.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Detecting HTTPS connections under Apache

2011-05-28 Thread Igor Konforti
LOL :)
Just saw phpinfo() and you are right, it shows port 80 even if it's httpS :0

But the problem is, that $_SERVER['SERVER_PORT'] is apache variable and not
php, meaning that apache is telling PHP that it works on port 80.
Even if you use .htaccess and variable %{SERVER_PORT} it will not work (or
will?) :(

I personally would solve this by two virtualhost setting in apache. Then one
line in virtualhost:
*php_flag [variable_name] [value]*
could help me if it's secure or not...
Can you try that?

But I agree with @Richard, you have few issues with LAMP configuration

Regards






RE: [PHP] Detecting HTTPS connections under Apache

2011-05-27 Thread Geoff Shang

On Thu, 26 May 2011, ad...@buskirkgraphics.com wrote:

> So when you echo $_SERVER['SERVER_PORT'];
> You get port 80 even if the url currently is https://www.yoursite.com ?

Yes.

> If this is the case good luck. Because you have serious issues.


OK.  This on its own is not particularly helpful.  Surely I can't be the 
only person in the universe who has experienced this.  I'm running a 
minimally-altered stock Debian Apache and PHP setup.


Geoff.





Re: [PHP] Detecting HTTPS connections under Apache

2011-05-27 Thread Curtis Maurand


$_SERVER['HTTPS']

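<?php
// $_SERVER['HTTPS'] is unset on plain HTTP under Apache and may be 'off' on other servers
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    echo 'you are secured';
} else {
    echo 'you are not secured';
}
?>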

--Curtis


On 5/26/2011 3:37 PM, Geoff Shang wrote:

> Hi,
>
> Apologies if this is covered somewhere but I've searched fairly
> extensively and not found anything.
>
> I'm working on an application which has a function for redirecting to
> a given URL.  This is generally used for redirecting after a form has
> been submitted.
>
> Right now it sends an HTTP URL in the redirection, which means it
> can't work under a secure connection.
>
> I'd like to be able to use it over HTTPS but don't want to force
> people to do this.   So ideally I'd like to be able to detect the
> protocol in use and send the appropriate protocol in the Location header.
>
> The problem is that, at least on the system I'm working on, I can't
> see any way of detecting the protocol.  _SERVER[SERVER_SIGNATURE]
> and _SERVER[SERVER_ADDR] both give the port as 80, even if I specify
> port 443 in the URL.  I've seen references to _SERVER[HTTPS] or
> something similar but it's not in the output I get from either
> print_r ($_SERVER) or phpinfo ().
>
> I'm running PHP Version 5.3.3-7+squeeze1 on Apache/2.2.16 (Debian).
> The machine is an x86-64 VPS running Debian Squeeze.
>
> I have full access to the VPS, so if something needs tweaking in
> Apache (or anything else) then I can do this.
>
> Thanks in advance,
> Geoff.





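A more defensive form of the `$_SERVER['HTTPS']` check for building the Location header, as an added example that is not part of the original thread. Seeing port 80 and no HTTPS variable on a TLS connection is what a script observes when TLS is terminated in front of the web server, so the sketch also covers that case; the function names, the `$trustedProxies` allow-list, the X-Forwarded-Proto header and the `example.com` host are assumptions for illustration.

```php
<?php
// Added example, not code from the thread; the sample inputs are constructed.

// $trustedProxies is a hypothetical allow-list of front ends that may
// assert the original scheme through X-Forwarded-Proto.
function request_is_https(array $server, array $trustedProxies = array())
{
    // mod_ssl exports HTTPS=on; other servers may set it to "off" for HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback: the port the web server reports for this connection.
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Any client can send this header, so honour it only when the direct
    // peer is a known TLS terminator.
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (in_array($peer, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Build an absolute redirect target that keeps the scheme already in use.
function redirect_url(array $server, $path, $host, array $trustedProxies = array())
{
    // Take the host from configuration, not the client-supplied Host header,
    // and reject CR/LF so the value cannot split the Location header.
    if (substr($path, 0, 1) !== '/' || preg_match('/[\r\n]/', $path)) {
        throw new InvalidArgumentException('path must be a local absolute path');
    }
    $scheme = request_is_https($server, $trustedProxies) ? 'https' : 'http';
    return $scheme . '://' . $host . $path;
}

// Constructed environments: direct TLS, TLS ended at a local proxy, and a
// plain-HTTP client that forges the forwarded-scheme header.
$direct  = array('HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9');
$proxied = array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '127.0.0.1',
                 'HTTP_X_FORWARDED_PROTO' => 'https');
$forged  = array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.9',
                 'HTTP_X_FORWARDED_PROTO' => 'https');
foreach (array($direct, $proxied, $forged) as $env) {
    echo redirect_url($env, '/done.php', 'example.com', array('127.0.0.1')), "\n";
}
```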



RE: [PHP] Detecting HTTPS connections under Apache

2011-05-26 Thread admin
The %{HTTPS} variable is not an Apache core variable. A more-portable
solution is to check %{SERVER_PORT} for port 80 or port 443 -- or for not
port 80 or not port 443. 

Also, you're requiring an *exact* match on not /user or not /admin,
meaning that directory and file paths below these directories will not be
matched -- They will always be redirected by the second rule. 

In addition, the URL-path in the Request_URI variable always starts with a
slash, and a RewriteCond should not be used to test the URL-path unless the
RewriteRule cannot be used to do this. 

Finally, since the rules are already scoped to http and https by their
locations within the vHost containers, checking %{HTTPS} or %{SERVER_PORT}
is probably not even necessary. 

Most likely, correcting the second problem will fix your code, and the other
inefficiencies can be removed as well: 

<VirtualHost *:80>
RewriteEngine On
RewriteRule ^/((user|admin)(/.*)?)$ https://example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
RewriteEngine On
RewriteCond $1 !^(user|admin)(/.*)?$
RewriteRule ^/(.*)$ http://example.com/$1 [R=301,L]
</VirtualHost>

[added] Alternative format for second rule -- I'm not sure, but it might be
faster:

<VirtualHost _default_:443>
RewriteEngine On
RewriteRule !^/(user|admin)(/.*)?$ http://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

Richard L. Buskirk




RE: [PHP] Detecting HTTPS connections under Apache

2011-05-26 Thread Geoff Shang

On Thu, 26 May 2011, ad...@buskirkgraphics.com wrote:

> The %{HTTPS} variable is not an Apache core variable. A more-portable
> solution is to check %{SERVER_PORT} for port 80 or port 443 -- or for not
> port 80 or not port 443.

ah but this doesn't actually work for me, I get 80 regardless of whether I
use HTTP or HTTPS, even if I use https://example.com:443

> Also, you're requiring an *exact* match on not /user or not /admin,
> meaning that directory and file paths below these directories will not be
> matched -- They will always be redirected by the second rule.

{snip other rewrite stuff}

uh... I didn't say anything about matching URL patterns or the like.  I 
just want my application to do whatever is already being done.  And 
hard-coding URL paths is a bad idea because someone else might want to 
install the code under some other path.


I don't really want to use rewrite rules to achieve this.  If I did, every 
time my code redirects the browser, it will cause a rewrite from an HTTP 
URL to an HTTPS URL, which surely is inefficient.


Surely it should be simple enough for me to detect whichever is being used 
and continue to use it.  This makes my code separate from whatever the 
webmaster decides to do regarding being secure or not.


Geoff.





RE: [PHP] Detecting HTTPS connections under Apache

2011-05-26 Thread admin

So when you echo $_SERVER['SERVER_PORT'];
You get port 80 even if the url currently is https://www.yoursite.com ?

If this is the case good luck. Because you have serious issues.


Richard L. Buskirk

