From ee05fe81a4515621546fbd4f034b6b496f63fae1 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Tue, 4 Sep 2012 09:56:30 -0700
Subject: [PATCH] Add redirect to HTTPS option
Summary: Rehash of D3411. In cgi/fcgi setups we have no idea if the request is HTTP or HTTPS as far as I can tell, so make this config-triggered again. Also handle @vrana's "off" case.
Test Plan: Set this flag, observed redirect to https when `$_SERVER['HTTPS']` was absent.
Reviewers: nh, vrana
Reviewed By: nh
CC: aran
Differential Revision: https://secure.phabricator.com/D3420
---
conf/default.conf.php | 19 +++++++++++++++++++
src/aphront/AphrontRequest.php | 10 ++++++++++
.../AphrontApplicationConfiguration.php | 9 +++++++++
3 files changed, 38 insertions(+)
diff --git a/conf/default.conf.php b/conf/default.conf.php
index a335106758..b1754e2ff5 100644
--- a/conf/default.conf.php
+++ b/conf/default.conf.php
@@ -55,6 +55,25 @@ return array( // string), but doing so will break existing sessions and CSRF tokens. 'security.hmac-key' => '[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw', + // If the web server responds to both HTTP and HTTPS requests but you want + // users to connect with only HTTPS, you can set this to true to make + // Phabricator redirect HTTP requests to HTTPS. + // + // Normally, you should just configure your server not to accept HTTP traffic, + // but this setting may be useful if you originally used HTTP and have now + // switched to HTTPS but don't want to break old links, or if your webserver + // sits behind a load balancer which terminates HTTPS connections and you + // can not reasonably configure more granular behavior there. + // + // NOTE: Phabricator determines if a request is HTTPS or not by examining the + // PHP $_SERVER['HTTPS'] variable. If you run Apache/mod_php this will + // probably be set correctly for you automatically, but if you run Phabricator + // as CGI/FCGI (e.g., through nginx or lighttpd), you need to configure your + // web server so that it passes the value correctly based on the connection + // type. Alternatively, you can add a PHP snippet to the top of this + // configuration file to directly set $_SERVER['HTTPS'] to the correct value. + 'security.require-https' => false, + // -- Internationalization -------------------------------------------------- // diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php index 8e57d77189..2b153d2f37 100644 --- a/src/aphront/AphrontRequest.php +++ b/src/aphront/AphrontRequest.php @@ -327,4 +327,14 @@ final class AphrontRequest { return $_SERVER['REMOTE_ADDR']; } + public function isHTTPS() { + if (empty($_SERVER['HTTPS'])) { + return false; + } + if (!strcasecmp($_SERVER["HTTPS"], "off")) { + return false; + } + return true; + } + } 
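Review bot: The new comment block for `'security.require-https'` never says what happens when the flag is on but PHP does not see `$_SERVER['HTTPS']`, which is exactly the CGI/FCGI and TLS-terminating load balancer situations it describes: as far as the redirect logic in this commit shows, each request would then be sent to an https URL that is again detected as plain HTTP, so the site loops until the web server is fixed. It also omits that the literal value `off` counts as not-HTTPS, which is the behaviour `AphrontRequest::isHTTPS()` gets in the same commit. I would extend the NOTE paragraph with `// If the value is absent, empty or "off" on every request, enabling this setting redirects every request in a loop, so confirm $_SERVER['HTTPS'] is populated before turning it on.`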
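Review bot: `isHTTPS()` quotes the same key two ways (`'HTTPS'` and `"HTTPS"`) and hides the intent of the second check behind `!strcasecmp(...)`, which reads as a boolean negation of an integer result. With the `empty()` guard kept as is, the last two checks collapse to `return strcasecmp($_SERVER['HTTPS'], 'off') !== 0;`. The method also deserves a docblock stating that it trusts whatever the SAPI placed in `$_SERVER['HTTPS']`, that an absent, empty or "off" value means plain HTTP, and that behind a TLS-terminating proxy the web server must populate this value or `security.require-https` will redirect every request.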
diff --git a/src/aphront/configuration/AphrontApplicationConfiguration.php b/src/aphront/configuration/AphrontApplicationConfiguration.php index 4d73206c9c..8220980ba6 100644 --- a/src/aphront/configuration/AphrontApplicationConfiguration.php +++ b/src/aphront/configuration/AphrontApplicationConfiguration.php @@ -119,6 +119,15 @@ abstract class AphrontApplicationConfiguration { $request = $this->getRequest(); $path = $request->getPath(); + if (PhabricatorEnv::getEnvConfig('security.require-https')) { + if (!$request->isHTTPS()) { + $uri = $request->getRequestURI(); + $uri->setDomain($request->getHost()); + $uri->setProtocol('https'); + return $this->buildRedirectController($uri); + } + } + list($controller, $uri_data) = $this->buildControllerForPath($path); if (!$controller) { if (!preg_match('@/$@', $path)) {
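Review bot: The redirect block carries no comment explaining why it runs before `buildControllerForPath()` or what it means for non-GET requests; a redirect issued for a POST discards the body unless `buildRedirectController()` preserves the method, which the hunk does not show. I would add above the first `if`: `// Enforce HTTPS before routing so no controller runs over plain HTTP. A POST that arrives over HTTP is redirected and its body is not replayed; it must be resubmitted over HTTPS.` The nested ifs could also be a single condition, `if (PhabricatorEnv::getEnvConfig('security.require-https') && !$request->isHTTPS()) {`. Since the target domain comes from `$request->getHost()`, which presumably reflects the inbound Host header, the redirect location is client-influenced and the web server in front should only accept the configured hostnames. The enclosing method starts and ends outside this hunk.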