1

I want to detect whether the user is navigating via http or https and switch to https on certain areas of the website. The problem is that my server doesn't display $_SERVER['HTTPS'] so I guess I will have to configure php.ini to show it.

I can't seem to figure it out, what values to change on the php ini to show that.

Thank you.

Edit: I am not trying to find an alternative way to detect https usage. I am asking how can I edit php.ini so that $_SERVER['HTTPS'] will display the value when I access https://

Edit2: Maybe it wasn't clear enough. THE $_SERVER['HTTPS'] DOESN'T EXIST AT ALL

Update/Answer: Thanks to @Sheriff I put

fastcgi_param   HTTPS               on;
fastcgi_param   HTTP_SCHEME         https;

inside this block on my virtual hosts file location ~ .php$ { }

And now $_SERVER displays

[HTTPS] => on
[HTTP_SCHEME] => https

Previously It didn't work because I put the fastcgi param values in the server block. Silly me.

inrob
  • 4,969
  • 11
  • 38
  • 51
  • `$_SERVER['HTTPS']` only shows up when accessing the server through a secure sockets layer(SSL) connection – iam-decoder Oct 12 '15 at 21:07
  • Yes and I have accessed it via https still doesn't show it. – inrob Oct 12 '15 at 21:08
  • @bornie not all servers populate the `HTTPS` element. it might be better to check if the site is being accessed through port 443. The port being used is pretty much always populated. – iam-decoder Oct 12 '15 at 21:10
  • Yes but "$_SERVER['SERVER_PORT'] can be tricky... for example ispconfig uses port 81 as secure port " – inrob Oct 12 '15 at 21:11
  • What webserver are you using? As @iam-decoder pointed out, not all servers populate that element. In Apache, this would be SetEnv HTTPS on – Nigel Tufnel Oct 12 '15 at 21:19
  • @bornie, you were clear that the $_SERVER['HTTPS'] variable does not exist in your PHP environment. What you haven't made clear is what web server you are using. – Nigel Tufnel Oct 12 '15 at 21:28
  • As I said I am using nginx/php-fpm – inrob Oct 12 '15 at 21:32
  • Sorry. I see that now in response to @Sherif's answer. Still, would be helpful to put that info in the original question. His advice is solid. – Nigel Tufnel Oct 12 '15 at 21:39

1 Answers1

1

There are no php.ini configurations for $_SERVER['HTTPS']. This key is set to a non-empty value only if the request was made over HTTPS. Meaning, if (!empty(filter_var($_SERVER['HTTPS'], FILTER_VALIDATE_BOOLEAN))) { /* request was made over https */ }.

See the manual for more details...

'HTTPS'

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note:

Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

filter_var with FILTER_VALIDATE_BOOLEAN will return a boolean false when this value is "0", "false", "off", "no", "", or NULL.

Keep In mind

It's also important remember that PHP only populates $_SERVER['HTTPS'] from information it obtains through the SAPI (Server API) that it uses to communicate with your web server software. So this could be mod_php, or fcgi, etc... Typically this data gets populated from environment variables that PHP copies from your web server through the SAPI. By default Apache httpd will include the HTTPS environment variable when the connection is made over HTTPS, however nginx will not if you're using fastcgi_pass. You need to configure this yourself by modifying your nginx config to set a fastcgi_param for HTTPS. This will allow nginx to notify php-fpm of the environment variable over fastcgi and it can be populated in your PHP accordingly.

Also note, that this can be made even more complicated if you're using nginx as a reverse proxy since the reverse proxy will also have to pass along the information to the proxied node the same way.

Important Note

However, you should note that using PHP to redirect to HTTPS by default is probably a bad idea. It's better to configure your webserver to do this instead.

For example, in Apache httpd you can configure your VHOST to redirect all HTTP traffic to HTTPS by default, which probably going to be safer and easier in case you happen to forget this in some PHP end-point. That is assuming your intentions here are to enforce HTTPS across your entire site or some specific domain.

Community
  • 1
  • 1
Sherif
  • 11,786
  • 3
  • 32
  • 57
  • Yes I am aware of that. But I don't mind other parts of the website to be http. I just want the https on login page. – inrob Oct 12 '15 at 21:20
  • Your if {} block code doesn't work however in my server. I put an echo "https access"; inside the if block to see if php would detect but no – inrob Oct 12 '15 at 21:24
  • What webserver software are you using? e.g. Apache httpd with mod_php, nginx with php-fpm, etc..? – Sherif Oct 12 '15 at 21:28
  • Hi sherif, nginx php-fpm – inrob Oct 12 '15 at 21:30
  • That explains it then. Nginx doesn't pass the variable by default to the PHP-FPM daemon when you use `fastcgi_pass`, In order to make PHP-FPM aware of your HTTPs setup, you need to add a `fastcgi_param` environment variable to the config. For example, in your 443 vhost config you can add something like `fastcgi_param HTTPS 'on';` to get `$_SERVER['HTTPS']` in PHP. – Sherif Oct 12 '15 at 21:33
  • Updated the answer for you above – Sherif Oct 12 '15 at 21:37
  • Thanks sheriff, when I apply that setting I seem to get more items in the $_SERVER array but not the https. Maybe the problem lies somewhere else. Thanks for your time. – inrob Oct 12 '15 at 21:50
  • Here's a more detailed tutorial you might find helpful on the topic https://ma.ttias.be/setting-https-server-variables-in-php-fpm-with-nginx/ Also have a look at the nginx docs for more information https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/ – Sherif Oct 12 '15 at 21:58
  • Thanks, Never mind. I put the fastcgi params inside the server block not the location : {} block. Thank you again for your solution! – inrob Oct 12 '15 at 21:59
  • You can also save all your params in a separate file add it to the server block by including it (**just make sure it's the SSL server block only**). That's what a lot of people do anyway. See http://claylo.com/post/7617674014/ssl-php-fpm-and-nginx as another example of that. But here I was just giving a quick and dirty example without expanding on all the additional details :p – Sherif Oct 12 '15 at 22:04
  • Yes, well now that you made it possible, it doesn't hurt to know the alternative way. Thanks. – inrob Oct 12 '15 at 22:09