Active SSL when server is behind loadbalancer


EgenSajt

Our hosting uses load balancers with SSL; requests are made on port 80 to the backend servers with no SSL. We are adding this to the Apache config on the backend:

    SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on

So PHP sees the following variables:

    $_SERVER[sSL] => on
    $_SERVER[HTTPS] => on
    $_SERVER['SERVER_PORT'] = 443

All PHP applications work fine with this setup EXCEPT PrestaShop. Older versions of PrestaShop are working.

When accessing the site on https, it redirects to http, something that I believe PHP should never do in any case. Nobody should ever redirect away from SSL as a general rule. To my knowledge, PrestaShop is the only PHP program doing this.

 

If we force the ssl in PrestaShop admin, we only get a redirect loop. So if anyone could give some help it would be appreciated!


If SSL is disabled in Prestashop, or force ssl is disabled, then yes of course Prestashop will redirect you to http, so that is working as it was designed to work.

If SSL is enabled, then Prestashop will try to redirect you to https with port 443 as the default, so that is also working as designed.

Needless to say, Prestashop is not designed to work behind a load balancer in the manner you are trying.

There is likely some logic within the FrontController and most likely in the .htaccess rewrite rules that you will need to edit to fit your needs.


How does PrestaShop decide if there is working SSL on the server? If I knew that, I could cheat PrestaShop with the correct variables set. In older versions it was:

    $_SERVER[sSL] => on
    $_SERVER[HTTPS] => on
    $_SERVER['SERVER_PORT'] = 443

But it seems that is not enough.


It would help to know which version of Prestashop you are using...

PS v1.7.1.2 FrontController does several checks, but one of those checks calls the usingSecureMode in the Tools class.  It is open source code, you can just start digging into it.

    public static function usingSecureMode()
    {
        if (isset($_SERVER['HTTPS'])) {
            return in_array(Tools::strtolower($_SERVER['HTTPS']), array(1, 'on'));
        }
        // $_SERVER['SSL'] exists only in some specific configuration
        if (isset($_SERVER['SSL'])) {
            return in_array(Tools::strtolower($_SERVER['SSL']), array(1, 'on'));
        }
        // $_SERVER['REDIRECT_HTTPS'] exists only in some specific configuration
        if (isset($_SERVER['REDIRECT_HTTPS'])) {
            return in_array(Tools::strtolower($_SERVER['REDIRECT_HTTPS']), array(1, 'on'));
        }
        if (isset($_SERVER['HTTP_SSL'])) {
            return in_array(Tools::strtolower($_SERVER['HTTP_SSL']), array(1, 'on'));
        }
        if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
            return Tools::strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https';
        }

        return false;
    }

However, that is just one check, and then Prestashop will also add htaccess rewrite rules.

  • Like 1
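
A diagnostic sketch for the check order in the snippet above, as an added example that is not part of the original posts and not PrestaShop code: it reports which `$_SERVER` key decides the outcome and honours the header-derived keys only when the request comes from the load balancer. The function name, the `TRUSTED_PROXIES` addresses and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not PrestaShop code. Follows the check order of the
// usingSecureMode() snippet above and reports which key decided.

// Assumed, constructed load-balancer addresses; replace with your own.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/** @return array{0: bool, 1: string} [secure?, reason] */
function explainSecureMode(array $server): array
{
    // Variables set by the web server or its config (e.g. SetEnvIf).
    foreach (['HTTPS', 'SSL', 'REDIRECT_HTTPS'] as $key) {
        if (isset($server[$key])) {
            // The first key that is set wins, as in the quoted code:
            // HTTPS=off ends the search even if a later key says https.
            $value = strtolower((string) $server[$key]);
            return [in_array($value, ['1', 'on'], true), "$key=$value"];
        }
    }
    // HTTP_* keys are request headers, so any client can send them.
    // Honour them only when the TCP peer is the load balancer.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    foreach (['HTTP_SSL', 'HTTP_X_FORWARDED_PROTO'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        if (!$fromProxy) {
            return [false, "$key ignored, peer is not a trusted proxy"];
        }
        $value = strtolower((string) $server[$key]);
        $secure = $key === 'HTTP_SSL'
            ? in_array($value, ['1', 'on'], true)
            : $value === 'https';
        return [$secure, "$key=$value"];
    }
    return [false, 'no HTTPS indicator set'];
}

// Constructed sample requests.
$samples = [
    'via load balancer' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct to backend' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'HTTPS=off set'     => ['REMOTE_ADDR' => '192.0.2.10', 'HTTPS' => 'off', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    [$secure, $why] = explainSecureMode($server);
    printf("%-18s secure=%s (%s)\n", $label, $secure ? 'yes' : 'no', $why);
}
```

With the `SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on` rule from the first post, `HTTPS` is already derived from the request header inside Apache, so PHP cannot tell who sent it. In that setup the backend has to accept port 80 traffic only from the load balancer for the value to be meaningful.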

It's the latest version. I have set all those variables to on, and PrestaShop is continuing to redirect https => http. This does not make sense to me: if access is made to https, that means that https is working. PrestaShop's PHP code is doing it like this: "Oh, is someone making an access on https? Strange, that should not be possible, https does not exist, let's redirect to http." Here is another one with the same opinion, he recommends not to use PrestaShop: https://igotaprinter.com/blog/prestashop-redirect-loop.html


  • 1 month later...

Prestashop is designed to work a certain way.  If that does not work for you, it is open source, change it to the way you want it to work.


The problem is not for us to change the code, the problem is that our hosting customers can't all be expected to change the code. We need to find which server variable we need to fake, like these ones:

    $_SERVER[sSL] => on
    $_SERVER[HTTPS] => on
    $_SERVER['SERVER_PORT'] = 443

But those are not enough.

The function usingSecureMode() is returning true when ssl exists, but the site is still redirecting from http => https.

The insane thing is that https://domain.com redirects to http://domain.com/index.php?

There must be a second check of https somewhere else, but I can't find it.

classes/Tools.php is now redirecting correctly to https, but some other code in another file is redirecting back to http://domain.com/index.php?
