当代理*始终*声明安全连接时检测SSL [英] Detect SSL when proxy *always* claims a secure connection

问题描述

我想检测用户是否正在查看安全页面，如果没有，则需要重定向（用于登录）。

I want to detect whether or not a user is viewing a secure page and redirect if not (for logging in).

然而，在我看到服务器变量和代理（现在）告诉我 $ _ SERVER ['HTTPS'] 'on'。当用户安全导航时，它还会在'上显示。

However, my site travels through a proxy before I see the server variables and the proxy (right now) is telling me that $_SERVER['HTTPS'] is 'on' when the URI clearly indicates otherwise. It also shows 'on' when the user is navigating 'securely'.

浏览 http：// 和 https：// 输出 $ _ SERVER ['SERVER_PORT'] = 443 。

我无法对代理进行任何更改，所以我想知道：

I don't have the ability to make any changes to the proxy so I want to know:

• PHP有没有其他选择让我能够发现真相或......


• 我是否坚持使用JavaScript的检测和重定向机制。

我开采这个问题的想法，但他们主要围绕 $ _ SERVER ['HTTPS'] 变量值得信赖。呸！

I mined this question for ideas but they mostly revolve around the $_SERVER['HTTPS'] variable being trustworthy. Bah!

似乎这个问题正在经历至少类似的事情，但是他/她能够通过调整apache解决方案来解决它。

It appears that this question is experiencing at least something similar, but s/he was able to resolve it by adapting an apache solution.

是否有任何其他PHP SERVER变量或技巧可用于检测用户的URI开头的内容？当我的网站被查看http与https时，$ _SERVER变量之间的唯一区别如下：

Are there any other PHP SERVER variables or tricks available to detect what the user's URI begins with? The only difference between the $_SERVER variables when my site is viewed http versus https are the following:

• _FCGI_X_PIPE_（随机出现）


• HTTP_COOKIE（sto-id-47873包含在非安全版本中，但我没有将其放在那里）


• REMOTE_ADDR（这个和接下来的两个不断改变莫名其妙！）


• REMOTE_HOST


• REMOTE_PORT（ '代理人'，你为什么要不断改变这个？）

• _FCGI_X_PIPE_ (appears random)
• HTTP_COOKIE (sto-id-47873 is included in the non-secure version but I did not put it there)
• REMOTE_ADDR (This and the next two keep changing inexplicably!)
• REMOTE_HOST
• REMOTE_PORT ('proxy people', why are you continually changing this?)

这些物品中的任何一个都足够强大，无需承担重量分裂并导致疼痛？也许我不应该相信通过代理过滤的任何东西，因为它可能在任何给定的时间发生变化。

Are any of these items strong enough to put one's weight upon without it splintering and causing pain later? Perhaps I shouldn't trust anything as filtered through the proxy since it could change at any given time.

这是我计划将JavaScript用于此目的;这是我最好的吗？

Here is my plan to use JavaScript for this purpose; is it the best I have?

function confirmSSL() {
    if(location.protocol != "https:") {
        var locale = location.href;
        locale = locale.replace(/http:\/\//,"https://");
        location.replace(locale);
    }
}
<body onLoad="confirmSSL()">...

我认为如果用户在我的社区中禁用了JavaScript，那么他们希望知道他们在做什么。他们应该能够手动进入安全区域。什么样的< noscript> 建议是常见的/良好做法？或许是这样的事情？：

I think if the user has JavaScript disabled in my community, then they hopefully know what they are doing. They should be able to manually get themselves into a secure zone. What sort of <noscript> suggestions would be commonplace / good practice? Something like this, perhaps?:

< noscript> 使用 https：//blah.more.egg/fake 以保护您的信息。< / noscript>

<noscript>Navigate using https://blah.more.egg/fake to protect your information.</noscript>

有效的PHP解决方案（有很好的解释）将优先考虑正确答案。随意提交更好的JavaScript实现或链接到一个。

PHP solutions that work (with good explanation) will be given preference for the correct answer. Feel free to submit a better JavaScript implementation or link to one.

非常感谢！

推荐答案

虽然在问题的评论中已经部分讨论过，但我将总结一些关于JavaScript中重定向逻辑的建议：

Although already partially discussed in the question's comments, I'll summarize some suggestions concerning the redirection logic in JavaScript:

1. 通常使用 window.location 而不是 location 是可取的，可以找到解释。


2. 对于简单替换协议，正则表达式似乎有些过分。


3. 重定向逻辑应该尽快执行，因为在重定向的情况下，每个额外的文档处理都是不必要的。


4. 禁用JavaScript的浏览器至少应该显示提示用户切换到https的通知。

1. Generally using window.location instead of location is advisable, an explanation can be found here.
2. Regex seems like a bit of an overkill for a simple replacement of the protocol.
3. The redirection logic should be executed as soon as possible, because in the event of redirection, every additional document processing is unnecessary.
4. Browsers with JavaScript disabled should at least show a notification prompting the user to switch to https.

我建议使用以下代码（从），简短而有效：

I suggest using the following code (adopted from here), which is short and efficient:

<head>
    <script type="text/javascript">
        if (window.location.protocol != "https:") {
            window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
        }
    </script>
    ...
</head>
<body>
    ...
    <noscript>Please click <a href="https://my-cool-secure-site.com">here</a> to use a secure connection!</noscript>
    ...

这篇关于当代理*始终*声明安全连接时检测SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！