
PHP

June 04, 2010

Dealing with SSL redirects under nginx

"Why are secure pages in SSL mode redirected to non-secure pages?" a client of mine asked. This is a big security risk. Imagine completing a bank transaction, being redirected to another transaction page, and not noticing that the browser isn't in SSL mode anymore. This can happen if the code behind the proxy server doesn't read the global variables properly.

Let me explain the case. For PHP, the nginx proxy server sets the following global variable to 'https':

$_SERVER['HTTP_SCHEME'] = 'https';

Normally PHP doesn't set this global variable for SSL connections; by default it sets this one instead:

$_SERVER['HTTPS'] = 'https';

Most PHP frameworks generate SSL links by reading $_SERVER['HTTPS'] only. For example, the constructor of the Zend_View_Helper_ServerUrl class from Zend Framework version 1.10.4 does the following:

    /**
     * Constructor of Zend_View_Helper_ServerUrl
     *
     * @return void
     */
    public function __construct()
    {
        // Only $_SERVER['HTTPS'] is consulted; $_SERVER['HTTP_SCHEME'] is ignored
        if (isset($_SERVER['HTTPS']) &&
           ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] === true)) {
            $scheme = 'https';
        } else {
            $scheme = 'http';
        }

        $this->setScheme($scheme);

        // Do more stuff
    }

As you can see, it reads $_SERVER['HTTPS'] but never $_SERVER['HTTP_SCHEME']. One solution would be to override the constructor in your own subclass, but that is too hackish and not clean object-oriented design; there is no protected method to alter that behaviour. Therefore I reported the problem to the Zend Framework issue tracker.

For now I have coded a workaround. In the bootstrap class I added a method called _populateGlobalVariables() which translates the global variable nginx sets ($_SERVER['HTTP_SCHEME']) to the one Zend Framework can deal with ($_SERVER['HTTPS']), and the problem is solved. All links on SSL pages now point to other SSL pages with the HTTPS scheme.
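The workaround described above, as an added example that is not the post's or Zend Framework's own code: a Zend_Application bootstrap whose _init*() method (assumed name _initGlobalVariables) calls _populateGlobalVariables(). It assumes nginx forwards the scheme with proxy_set_header Scheme $scheme, which PHP exposes as $_SERVER['HTTP_SCHEME'], and sets $_SERVER['HTTPS'] to 'on', the value the Zend constructor above tests for.

```php
<?php
// Added example (not from the original post or Zend Framework).
// Assumption: nginx is configured with "proxy_set_header Scheme $scheme;"
// so PHP receives the real scheme in $_SERVER['HTTP_SCHEME'].
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /**
     * Zend_Application runs every _init*() method automatically, so this
     * runs before any view helper (e.g. ServerUrl) reads $_SERVER['HTTPS'].
     */
    protected function _initGlobalVariables()
    {
        $this->_populateGlobalVariables($_SERVER);
    }

    /**
     * Translate the scheme reported by nginx into the $_SERVER['HTTPS']
     * flag that Zend_View_Helper_ServerUrl (and most frameworks) check.
     *
     * The header is only trustworthy because proxy_set_header replaces any
     * "Scheme" header the client itself sent; do not enable this when PHP is
     * reachable without going through nginx.
     *
     * @param array $server the $_SERVER array, modified in place
     * @return string the scheme that will be used for generated links
     */
    protected function _populateGlobalVariables(array &$server)
    {
        if (!isset($server['HTTP_SCHEME'])) {
            // Not behind the proxy (or header not forwarded): leave whatever
            // the web server itself set in $_SERVER['HTTPS'] untouched.
            return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off'
                ? 'https' : 'http';
        }

        $scheme = strtolower(trim($server['HTTP_SCHEME']));
        if ($scheme === 'https') {
            // 'on' is what the Zend constructor compares against.
            $server['HTTPS'] = 'on';
        } else {
            // Plain-http request: make sure no stale flag keeps links on https.
            unset($server['HTTPS']);
            $scheme = 'http';
        }
        return $scheme;
    }
}
```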

Discuss: Dealing with SSL redirects under nginx

Reply 1 from Wil Moore III

Interesting article.

You can actually side-step this issue by simply using scheme-relative URLs.

For instance, if the resource is located at http(s)://example.com then you can write:

//example.com and it will be translated to http or https by the user agent (e.g. browser).

See RFC1808:
http://freesoft.org/CIE/RFC/1808/18.htm

and check out this SO post:
http://stackoverflow.com/questions/2458735/using-in-a-scripts-source/2458861#2458861

Posted on September 23, 2010 at 09:32

Reply 2 from Michael Heuberger

Good trick wilmoore, I didn't know about //example.com ... many thanks!

Posted on September 23, 2010 at 11:52
