[wp-hackers] Make WP more usable behind load balancers/proxies

Andrew Nacin wp at andrewnacin.com
Wed Oct 16 04:32:19 UTC 2013


On Tue, Oct 15, 2013 at 1:52 PM, Hauke <mailman at haukebruno.de> wrote:

> is it possible to change code lines like
>
> $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] .
> $_SERVER['REQUEST_URI'] );
>
> into something like this:
>
> if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
>   $serverhost = $_SERVER['HTTP_X_FORWARDED_HOST'];
> } else {
>    $serverhost = 'http://' . $_SERVER['HTTP_HOST'];
> }
> $current_url = set_url_scheme( $serverhost . $_SERVER['REQUEST_URI'] );
>

Many load balancers and proxy servers forward HTTP headers for HTTPS, IP
addresses, and more. These typically take the form of HTTP_X_FORWARDED_FOR
(X-Forwarded-For), for remote IP addresses, and HTTP_X_FORWARDED_PROTO
(X-Forwarded-Proto), for whether traffic is going over the HTTPS protocol.
Occasionally other information needs to be forwarded, like the server port
or hostname.

If WordPress blindly listened to these headers — especially for protocols —
there is a risk of infinite redirects and general breakage. To make matters
worse, these are not formal standards, and are rather freeform. As a
result, many web servers and configurations do this differently. For
example, one configuration might prepend “HTTP_”, resulting in HTTP_HTTPS.
What should be done instead is a server should either pass properly mapped
headers to PHP, or some code can do the mapping in wp-config.php. For
example:

// Map the proxy's X-Forwarded-Proto header onto the HTTPS key WordPress checks.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    $_SERVER['HTTPS'] = 'on';

See also:
http://core.trac.wordpress.org/ticket/9235
http://core.trac.wordpress.org/ticket/15009
http://core.trac.wordpress.org/ticket/15733
http://core.trac.wordpress.org/ticket/19337
http://core.trac.wordpress.org/ticket/24394
etc.

Nacin
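
The wp-config.php mapping described above, extended to the forwarded host and client IP and applied only when the request actually arrives from the proxy. This is an added example, not part of the original message and not WordPress core code; the helper name, the proxy addresses and the hostnames are hypothetical placeholders. It assumes a single proxy tier that appends to X-Forwarded-For.

```php
<?php
// Added example for wp-config.php; not WordPress core code.
// ASSUMPTIONS (constructed values): proxy addresses and the site's public hostnames.
$example_trusted_proxies = array( '10.0.0.5', '10.0.0.6' );
$example_allowed_hosts   = array( 'example.com', 'www.example.com' );

/**
 * Hypothetical helper: returns a copy of $server with forwarded headers mapped
 * onto the standard keys, but only when the direct peer is a known proxy.
 */
function example_map_forwarded_headers( array $server, array $proxies, array $hosts ) {
	$peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
	if ( ! in_array( $peer, $proxies, true ) ) {
		// Request did not come through the proxy, so any X-Forwarded-* header
		// was set by the client itself. Leave $server untouched.
		return $server;
	}

	// Protocol: same mapping as in the message above.
	if ( isset( $server['HTTP_X_FORWARDED_PROTO'] )
		&& 'https' === strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) ) ) {
		$server['HTTPS'] = 'on';
	}

	// Host: accept only names this site actually serves.
	if ( isset( $server['HTTP_X_FORWARDED_HOST'] ) ) {
		$host = strtolower( trim( $server['HTTP_X_FORWARDED_HOST'] ) );
		if ( in_array( $host, $hosts, true ) ) {
			$server['HTTP_HOST'] = $host;
		}
	}

	// Client IP: with a single proxy tier, the right-most entry is the one the
	// proxy appended; earlier entries are client-supplied.
	if ( isset( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		$hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
		$last = end( $hops );
		if ( false !== filter_var( $last, FILTER_VALIDATE_IP ) ) {
			$server['REMOTE_ADDR'] = $last;
		}
	}

	return $server;
}

$_SERVER = example_map_forwarded_headers( $_SERVER, $example_trusted_proxies, $example_allowed_hosts );
```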

