Add redirect to HTTPS option

Summary: Rehash of D3411. In cgi/fcgi setups we have no idea if the request is HTTP or HTTPS as far as I can tell, so make this config-triggered again. Also handle @vrana's "off" case. Test Plan: Set this flag, observed redirect to https when `$_SERVER['HTTPS']` was absent. Reviewers: nh, vrana Reviewed By: nh CC: aran Differential Revision: https://secure.phabricator.com/D3420
2024-11-22 14:52:41 +01:00 · 2012-09-04 09:56:30 -07:00 · 2012-09-04 09:56:30 -07:00 · ee05fe81a4
commit ee05fe81a4
parent e3c6dc687a
3 changed files with 38 additions and 0 deletions
--- a/conf/default.conf.php
+++ b/conf/default.conf.php
@ -55,6 +55,25 @@ return array(
  // string), but doing so will break existing sessions and CSRF tokens.
  'security.hmac-key' => '[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw',

+  // If the web server responds to both HTTP and HTTPS requests but you want
+  // users to connect with only HTTPS, you can set this to true to make
+  // Phabricator redirect HTTP requests to HTTPS.
+  //
+  // Normally, you should just configure your server not to accept HTTP traffic,
+  // but this setting may be useful if you originally used HTTP and have now
+  // switched to HTTPS but don't want to break old links, or if your webserver
+  // sits behind a load balancer which terminates HTTPS connections and you
+  // can not reasonably configure more granular behavior there.
+  //
+  // NOTE: Phabricator determines if a request is HTTPS or not by examining the
+  // PHP $_SERVER['HTTPS'] variable. If you run Apache/mod_php this will
+  // probably be set correctly for you automatically, but if you run Phabricator
+  // as CGI/FCGI (e.g., through nginx or lighttpd), you need to configure your
+  // web server so that it passes the value correctly based on the connection
+  // type. Alternatively, you can add a PHP snippet to the top of this
+  // configuration file to directly set $_SERVER['HTTPS'] to the correct value.
+  'security.require-https' => false,
+

 // -- Internationalization -------------------------------------------------- //

--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@ -327,4 +327,14 @@ final class AphrontRequest {
    return $_SERVER['REMOTE_ADDR'];
  }

+  public function isHTTPS() {
+    if (empty($_SERVER['HTTPS'])) {
+      return false;
+    }
+    if (!strcasecmp($_SERVER["HTTPS"], "off")) {
+      return false;
+    }
+    return true;
+  }
+
 }
--- a/src/aphront/configuration/AphrontApplicationConfiguration.php
+++ b/src/aphront/configuration/AphrontApplicationConfiguration.php
@ -119,6 +119,15 @@ abstract class AphrontApplicationConfiguration {
    $request = $this->getRequest();
    $path = $request->getPath();

+    if (PhabricatorEnv::getEnvConfig('security.require-https')) {
+      if (!$request->isHTTPS()) {
+        $uri = $request->getRequestURI();
+        $uri->setDomain($request->getHost());
+        $uri->setProtocol('https');
+        return $this->buildRedirectController($uri);
+      }
+    }
+
    list($controller, $uri_data) = $this->buildControllerForPath($path);
    if (!$controller) {
      if (!preg_match('@/$@', $path)) {