[wp-hackers] Make WP more usable behind load balancers/proxies

Andrew Nacin wp at andrewnacin.com
Wed Oct 16 04:32:19 UTC 2013

On Tue, Oct 15, 2013 at 1:52 PM, Hauke <mailman at haukebruno.de> wrote:

> is it possible to change code lines like
> $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] .
> into something like this:
> if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
>   $serverhost = 'http://' . $_SERVER['HTTP_X_FORWARDED_HOST'];
> } else {
>   $serverhost = 'http://' . $_SERVER['HTTP_HOST'];
> }
> $current_url = set_url_scheme( $serverhost . $_SERVER['REQUEST_URI'] );

Many load balancers and proxy servers forward HTTP headers for HTTPS, IP
addresses, and more. These typically take the form of HTTP_X_FORWARDED_FOR
(X-Forwarded-For), for remote IP addresses, and HTTP_X_FORWARDED_PROTO
(X-Forwarded-Proto), for whether traffic is going over the HTTPS protocol.
Occasionally other information needs to be forwarded, like the server port
or hostname.

If WordPress blindly listened to these headers — especially for protocols —
there is a risk of infinite redirects and general breakage. To make matters
worse, these are not formal standards, and are rather freeform. As a
result, many web servers and configurations do this differently. For
example, one configuration might prepend “HTTP_”, resulting in HTTP_HTTPS.
What should be done instead is a server should either pass properly mapped
headers to PHP, or some code can do the mapping in wp-config.php. For

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    $_SERVER['HTTPS'] = 'on';

See also:


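The wp-config.php mapping described in the message above, as an added example that is not part of the original post or of WordPress itself: it maps X-Forwarded-Proto to $_SERVER['HTTPS'] only when the request's direct peer is a known proxy, so the header is not listened to blindly. The helper name, variable names and proxy addresses (documentation-range placeholders) are assumptions.

```php
<?php
// Added example for wp-config.php (above the wp-settings.php require).
// Assumption: placeholder addresses from documentation ranges; list the
// addresses your load balancer actually connects from.
$example_trusted_proxies = array( '192.0.2.10', '2001:db8::10' );

/**
 * Hypothetical helper: true only when a trusted proxy reports HTTPS.
 */
function example_forwarded_https( array $server, array $trusted_proxies ) {
    $peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // X-Forwarded-Proto from any other peer is client-controlled input,
    // so it is ignored rather than mapped.
    if ( ! in_array( $peer, $trusted_proxies, true ) ) {
        return false;
    }

    $proto = isset( $server['HTTP_X_FORWARDED_PROTO'] )
        ? strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) )
        : '';

    // Exact match only: a list such as "https, http" is not mapped.
    return 'https' === $proto;
}

if ( example_forwarded_https( $_SERVER, $example_trusted_proxies ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed requests, evaluated only when this file itself is run with the
// PHP command-line binary (not when WordPress or WP-CLI includes it).
if ( 'cli' === PHP_SAPI && isset( $_SERVER['SCRIPT_FILENAME'] )
    && realpath( $_SERVER['SCRIPT_FILENAME'] ) === __FILE__ ) {
    $via_proxy = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https' );
    $direct    = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https' );
    $plain     = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http' );
    var_dump( example_forwarded_https( $via_proxy, $example_trusted_proxies ) );
    var_dump( example_forwarded_https( $direct, $example_trusted_proxies ) );
    var_dump( example_forwarded_https( $plain, $example_trusted_proxies ) );
}
```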