Detecting HTTPS vs HTTP on server sending back nothing useful

Question

So kind of very similar to "Detecting https requests in php":

Want to have https://example.com/pog.php go to http://example.com/pog.php or even vice versa.

Problems:

• Can't read anything from $_SERVER["HTTPS"] since it's not there
• Server is sending both requests over port 80, so can't check for 443 on the HTTPS version
• apache_request_headers() and apache_response_headers() are sending back the same thing
• Can't tell the loadbalancer anything or have it send extra somethings
• Server feedback data spat out by the page on both URL calls is exactly the same save for the session ID. Bummer.

Are there any on page ways to detect if it's being called via SSL or non-SSL?

Edit: $_SERVER["HTTPS"] isn't there, switched on or not, no matter if you're looking at the site via SSL or non-SSL. For some reason the hosting has chosen to serve all the HTTPS requests encrypted, but down port 80. And thusly, the $_SERVER["HTTPS"] is never on, not there, just no helpful feedback on that server point. So that parameter is always be empty.

(And yeah, that means it gets flagged in say FF or Chrome for a partially invalid SSL certificate. But that part doesn't matter.)

Also, the most that can be gotten from detecting the URL is up to the point of the slashes. The PHP can't see if the request has https or http at the front.

Answer 1

Try using $_SERVER["HTTPS"]. According to the PHP documentation, this will be set to a non-empty value if the server is connected securely. It won't have a value if the connection is not secure, which may be why it's "not there" for you.

if(empty($_SERVER["HTTPS"])) {
    echo 'Not secure';
} else {
    echo 'Secure';
}

Depending on how you want to redirect the user, you'd send redirect headers either in the "Not secure" or the "secure" part of the condition above. Just rebuild the URL based on what was sent to the server, replacing the http with https or vice-versa.

Answer 2

Keyword -- Load Balancer

The problem boils down to the fact that the load balancer is handling SSL encryption/decryption and it is completely transparent to the webserver.

Request:  Client -> 443or80 -> loadbalancer -> 80 -> php
Response: PHP -> 80 -> loadbalancer -> 443or80 -> Client

The real question here is "do you have control over the load balancer configuration?"

---

If you do, there are a couple ways to handle it. Configure the load balancer to have seperate service definitions for HTTP and HTTPS. Then send HTTP traffic to port 80 of the web servers, and HTTPS traffic to port 81 of the webservers. (port 81 is not used by anything else).

In apache, configure two different virtual hosts:

<VirtualHost 1.2.3.4:80>
   ServerName foo.com
   SetEnv USING_HTTPS 0
   ...
</VirtualHost>

<VirtualHost 1.2.3.4:81>
   ServerName foo.com
   SetEnv USING_HTTPS 1
   ...
</VirtualHost>

Then, the environment variable "USING_HTTPS" will be either 1|0, depending on which virtual host picked it up. That will be available in the $_SERVER array in PHP. Isn't that cool?

---

If you do not have access to the Load Balancer configuration, then things are a bit tricker. There will not be a way to definitively know if you are using HTTP or HTTPS, because HTTP and HTTPS are protocols. They specify how to connect and what format to send information across, but in either case, you are using HTTP 1.1 to make the request. There is no information in the actual request to say if it is HTTP or HTTPS.

But don't lose heart. There are a couple of ideas.

The 6th parameter to PHP's setcookie() function can instruct a client to send the cookie ONLY over HTTPS connections (http://www.php.net/setcookie). Perhaps you could set a cookie with this parameter and then check for it on subsequent requests?

Another possibility would be to use javascript to update the links on each page depending on the protocol (adding a GET parameter).

(neither of the above would be bullet proof)

Another pragmatic option would be to get your SSL on a different domain, such as "secure.foo.com". Then you could resort to the VirtualHost trick above.

---

I know this isn't the easiest issue because I deal with it during the day (load balanced web cluster behind a Cisco CSS load balancer with SSL module).

Finally, you can always take the perspective that your web app should switch to SSL mode when needed, and trust the users NOT to move it back (after all, it is their data on the line (usually)).

Hope it helps a bit.

Answer 3

$_SERVER["HTTPS"] isn't there, switched on or not, no matter if you're looking at the site via SSL or non-SSL. For some reason the hosting has chosen to serve all the HTTPS requests encrypted, but down port 80. And thusly, the $_SERVER["HTTPS"] is never on, not there, just no helpful feedback on that server point. So that parameter is always be empty.

You gotta make sure that the provider has the following line in the VHOST entry for your site: SSLOptions +StdEnvVars. That line tells Apache to include the SSL variables in the environment for your scripts (PHP).