当代理*始终*声明安全连接时检测SSL [英] Detect SSL when proxy *always* claims a secure connection
问题描述
我想检测用户是否正在查看安全页面,如果没有,则需要重定向(用于登录)。
I want to detect whether or not a user is viewing a secure page and redirect if not (for logging in).
然而,在我看到服务器变量和代理(现在)告诉我 $ _ SERVER ['HTTPS']
'on'
。当用户安全导航时,它还会在'上显示。
However, my site travels through a proxy before I see the server variables and the proxy (right now) is telling me that $_SERVER['HTTPS']
is 'on'
when the URI clearly indicates otherwise. It also shows 'on'
when the user is navigating 'securely'.
浏览 http://
和 https://
输出 $ _ SERVER ['SERVER_PORT']
= 443
。
我无法对代理进行任何更改,所以我想知道:
I don't have the ability to make any changes to the proxy so I want to know:
- PHP有没有其他选择让我能够发现真相或......
- 我是否坚持使用JavaScript的检测和重定向机制。
我开采这个问题的想法,但他们主要围绕 $ _ SERVER ['HTTPS']
变量值得信赖。呸!
I mined this question for ideas but they mostly revolve around the $_SERVER['HTTPS']
variable being trustworthy. Bah!
似乎这个问题正在经历至少类似的事情,但是他/她能够通过调整apache解决方案来解决它。
It appears that this question is experiencing at least something similar, but s/he was able to resolve it by adapting an apache solution.
是否有任何其他PHP SERVER变量或技巧可用于检测用户的URI开头的内容?当我的网站被查看http与https时,$ _SERVER变量之间的唯一区别如下:
Are there any other PHP SERVER variables or tricks available to detect what the user's URI begins with? The only difference between the $_SERVER variables when my site is viewed http versus https are the following:
- _FCGI_X_PIPE_(随机出现)
- HTTP_COOKIE(sto-id-47873包含在非安全版本中,但我没有将其放在那里)
- REMOTE_ADDR(这个和接下来的两个不断改变莫名其妙!)
- REMOTE_HOST
- REMOTE_PORT( '代理人',你为什么要不断改变这个?)
- _FCGI_X_PIPE_ (appears random)
- HTTP_COOKIE (sto-id-47873 is included in the non-secure version but I did not put it there)
- REMOTE_ADDR (This and the next two keep changing inexplicably!)
- REMOTE_HOST
- REMOTE_PORT ('proxy people', why are you continually changing this?)
这些物品中的任何一个都足够强大,无需承担重量分裂并导致疼痛?也许我不应该相信通过代理过滤的任何东西,因为它可能在任何给定的时间发生变化。
Are any of these items strong enough to put one's weight upon without it splintering and causing pain later? Perhaps I shouldn't trust anything as filtered through the proxy since it could change at any given time.
这是我计划将JavaScript用于此目的;这是我最好的吗?
Here is my plan to use JavaScript for this purpose; is it the best I have?
function confirmSSL() {
if(location.protocol != "https:") {
var locale = location.href;
locale = locale.replace(/http:\/\//,"https://");
location.replace(locale);
}
}
<body onLoad="confirmSSL()">...
我认为如果用户在我的社区中禁用了JavaScript,那么他们希望知道他们在做什么。他们应该能够手动进入安全区域。什么样的< noscript>
建议是常见的/良好做法?或许是这样的事情?:
I think if the user has JavaScript disabled in my community, then they hopefully know what they are doing. They should be able to manually get themselves into a secure zone. What sort of <noscript>
suggestions would be commonplace / good practice? Something like this, perhaps?:
< noscript>
使用 https://blah.more.egg/fake 以保护您的信息。< / noscript>
<noscript>
Navigate using https://blah.more.egg/fake to protect your information.</noscript>
有效的PHP解决方案(有很好的解释)将优先考虑正确答案。随意提交更好的JavaScript实现或链接到一个。
PHP solutions that work (with good explanation) will be given preference for the correct answer. Feel free to submit a better JavaScript implementation or link to one.
非常感谢!
推荐答案
虽然在问题的评论中已经部分讨论过,但我将总结一些关于JavaScript中重定向逻辑的建议:
Although already partially discussed in the question's comments, I'll summarize some suggestions concerning the redirection logic in JavaScript:
- 通常使用
window.location
而不是location
是可取的,可以找到解释。 - 对于简单替换协议,正则表达式似乎有些过分。
- 重定向逻辑应该尽快执行,因为在重定向的情况下,每个额外的文档处理都是不必要的。
- 禁用JavaScript的浏览器至少应该显示提示用户切换到https的通知。
- Generally using
window.location
instead oflocation
is advisable, an explanation can be found here. - Regex seems like a bit of an overkill for a simple replacement of the protocol.
- The redirection logic should be executed as soon as possible, because in the event of redirection, every additional document processing is unnecessary.
- Browsers with JavaScript disabled should at least show a notification prompting the user to switch to https.
我建议使用以下代码(从),简短而有效:
I suggest using the following code (adopted from here), which is short and efficient:
<head>
<script type="text/javascript">
if (window.location.protocol != "https:") {
window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
}
</script>
...
</head>
<body>
...
<noscript>Please click <a href="https://my-cool-secure-site.com">here</a> to use a secure connection!</noscript>
...
这篇关于当代理*始终*声明安全连接时检测SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!