force_ssl behind reverse proxy

Paul79 · May 9, 2012, 1:13pm

We have a piwik server installed behind a reverse proxy (https-to-http) and I want to use the force_ssl option. The proxy sets a HTTP header (HTTP_SESSION_ID_TAG) if the client came in through a SSL connection. Therefore I had to patch Url.php:


        static public function getCurrentScheme()
        {
            try {
                $config = Zend_Registry::get('config');
            } catch(Exception $e) {
                $config = false;
            }
                $assume_secure_protocol = $config !== false && $config->General->assume_secure_protocol;
                $has_proxy_ssl_header = isset($_SERVER['HTTP_SESSION_ID_TAG']) && !empty($_SERVER['HTTP_SESSION_ID_TAG']);
                $has_https = isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] === true);

                if($assume_secure_protocol || $has_proxy_ssl_header || $has_https)
                {
                        return 'https';
                }
                return 'http';
        }

It would be nice to have a config option for this header field. I imagine something like this:


[General] 
proxy_ssl_header = HTTP_SESSION_ID_TAG

If the proxy_ssl_header option is set Piwik should use this header field to decide if HTTP or HTTPS was used.

Best regards,
Paul

matthieu · May 9, 2012, 6:36pm

Thanks for the report.Can you please create a ticket in dev.piwik.org with your patch ?

However I don’t see any result for HTTP_SESSION_ID_TAG are you sure this is a known/valid header or is it custom to your setup?

Paul79 · May 10, 2012, 7:33am

Citrix NetScaler has a option to insert ssl based headers. I think this is a common feature for ssl offloading proxies though the name of the header may be different in other setups.