I have site which has installed ssl certificate but it can be accessed also without it.
Till now i have used: on my pages but now i need to have some option to show different file if site has been accessed using https. Example:
If using http: to show if using https: to show instead.
Is this possible?
Thank you for any reply.
Gent.
You can check for https with
if (isset($_SERVER["HTTPS"]) AND $_SERVER["HTTPS"] == "on") {
include("file1.php");
}
else {
include("file2.php");
}
You can check if $_SERVER['HTTPS'] is non-empty:
if(!empty($_SERVER['HTTPS']))
include 'https.php';
else
include 'http.php';
If you're accessing via HTTPS, $_SERVER['HTTPS'] should be set (although this depends on server config).
You can also check which port is being used:
if($_SERVER['SERVER_PORT']==443){
}
Neither of these works in every possible config (for example behind load balancers) but they should work in straightforward setups.
Related
I have a php script which updates a database. I want to be sure that no one else can call my script remotely and execute it.
I tried this code but it did not work, the refer was always empty because I use https connection.
if (strpos($_SERVER['HTTPS_REFERER'], 'linkedfilm.com') == false)
{
exit();
}
The server is Apache server.
Thanks.
Hello Daina Hodges,
You got a few options to secure this .php script.
You can secure this script by moving it into another directory outside of your DOCUMENT_ROOT
You can add the .htaccess
You can allow only local ip
You could use .htaccess and put your script in a password protected directory.
Or you could use some sort of login and authentication routines on your site so you can login and access that script.
Or you could pass a 'secret' key with you call to the script, quick and dirty
if( $_GET['secret'] != "mysecret" ) exit();
I would like to disable SSL for certain pages which contain external content (iframes) coming from non-secure external sources. I need to disable SSL only on the pages which have insecure (iframes) content from the external websites don't use https.
This is my server environment,
Centos 6,
PHP,
Apache,
Mysql,
Regards
The problem has been solved by putting two lines of code into the header. The solution is a bit case specific but can inspire those who have similar issues. In my case I already know what the insecure content is (iframe from non-ssl external sites). And pages contain iframes are already satated in the DB. The following code helped me by disabling https where the page has iframe content.
redirection occurs if filetype='code' in the db.
<?php
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
if ($row2['filetype'] == 'code') {
header('Location: http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
exit;
}
Should we check $_SERVER['REMOTE_SERVER'] or what?
This will do the trick:
if($_SERVER['REMOTE_ADDR'] === '127.0.0.1') {
// do something
}
Be careful you don't rely on X_FORWARDED_FOR as this header can be easily (and accidentally) spoofed.
The correct way to do this would be to set an environmental variable in your server configuration and then check that. This will also allow you to toggle states between a local environment, staging and production.
This code will help you.
<?php
if($_SERVER['SERVER_NAME'] == 'localhost')
{
echo 'localhost';
}
?>
Check
$_SERVER['REMOTE_ADDR']=='127.0.0.1'
This will only be true if running locally. Be aware that this means local to the server as well. So if you have any scripts running on the server which make requests to your PHP pages, they will satisfy this condition too.
refered from :
How to check if the php script is running on a local server?
CakePHP (all versions that I've seen) check against $_SERVER['HTTPS'] to see whether a request has been made over HTTPS instead of plain HTTP.
I'm using nginx as a load balancer, behind which are the Apache application servers. Since the SSL connection terminates at the load balancer, $_SERVER['HTTPS'] is not set as far as CakePHP is concerned.
I'd like to find a secure way to detect HTTPS on the app servers.
So far, I've put this into my CakePHP configuration:
$request_headers = getallheaders();
if ( (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) || ( isset($request_headers['X-Forwarded-Proto']) && $request_headers['X-Forwarded-Proto'] == 'https' ) ) {
$ssl = true;
// overwrite environment vars (ugly) since CakePHP won't honour X-Forwarded-Proto
$_SERVER['HTTPS'] = 'on';
$_ENV['HTTPS'] = 'on';
} else {
$ssl = false;
}
And then in the nginx configuration, I've used proxy_set_header X-Forwarded-Proto https; to add the flag to any requests between the load balancer and the back-end application servers.
This works perfectly fine, but anyone making a direct request to the app servers could fool them into thinking they are browsing over SSL when they're not. I'm not sure whether this is a security risk, but it doesn't seem like a good idea.
Is it a security risk? What's the better solution?
Since using X-Forwarded-Proto seems like something of a standard, the solution may be a good patch to be submitted to the CakePHP core, so I think any answer can legitimately involve editing core files too.
Add a request detector
Do not edit the core. If your intention is to submit a patch, don't rely on your patch until after it's accepted - Otherwise you're on a road to divergence and maintaining your own fork of CakePHP.
Once you determine your exact implementation logic you can use a request detector to honor it.
for example:
//AppController::beforeFilter
public function beforeFilter() {
$this->request->addDetector('ssl', array(
'env' => 'HTTP_X_FORWARDED_PROTO',
'value' => 'https'
));
}
After this, your custom header will correctly be identified by cake as an ssl request.
Note that the keys of the $_SERVER global are normalized as all caps and underscore delimited i.e.:
$ curl --header "X-Forwarded-Proto:https" http:://yoursite.com
Will populate $_SERVER['HTTP_X_FORWARDED_PROTO'] - as such this is the key to check for.
Account for (in)security
Yes, it's something you should take care of - either disable direct
access to your webservers so that only via the ip of the loadbalancer will it respond at all; or modify your detector so that it does not return true for direct-access requests
irrespective of the value of the X-Forwarded-Proto header - as shown in the documentation you can use a callback to perform whatever logic required rather than simply testing the values of some environment variable.
mod_rpaf will let you do this.
This sets the HTTPS value in Apache to "on" based on the headers sent by nginx so Cake will work out of the box (as well as any other apps run in Apache).
It also corrects the values for REMOTE_ADDR, SERVER_PORT and HTTP_HOST.
Here is my example config:
<IfModule mod_rpaf.c>
RPAF_Enable On
RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
</IfModule>
# If mod_rewrite redirects then we lose the HTTPS status to REDIRECT_HTTPS.
# This resets it back. This happens with Cake's front controller
<IfModule setenvif_module>
SetEnvIf REDIRECT_HTTPS on HTTPS=on
</IfModule>
I found the comment of AD7six - override the redirect() function - extremely helpful in my SSL-only setup since my app had some redirects going to http.
I just added the following to AppController.php so the redirect function always uses https:
function redirect($url, $status = NULL, $exit = true) {
return parent::redirect(str_replace('http://', 'https://', Router::url($url, true)));
}
Is it possible to configure my local setup (running Wampserver) so that my PHP application thinks HTTPS is enabled locally? The application requires HTTPS (by checking $_SERVER['HTTPS']) before doing stuff, but I don't want to go through the hassle of a full HTTPS setup locally. Thanks.
Edit: I should mention this isn't an application I wrote, just one I am tasked with maintaining. This check is performed in many places (50-100) around the server.
You can mock up this variable in your init file by adding:
$_SERVER['HTTPS'] = true;
Shouldn't be too hard. Even though it is a superglobal, you can still redefine it like any other variable. Do this at the top of your code, and when it gets to the check, it should still recognize it as true.
$_SERVER['HTTPS'] = true;
Move the check into an object
class Request
{
function isHttps()
{
// check for local site here,
// or better still, use a DevRequest class or a Mock to pass
// your local requirements
}
}
and then use
if($request->isHttps()) {...}