CRM_Utils_System::isSSL - support X_FORWARDED_PROTO to work behind reverse proxy #31473

Open · wants to merge 2 commits into base: master
Conversation

@ufundo (Contributor) commented Nov 13, 2024

Overview

Fixes incorrect SSL detection when running CiviCRM behind a reverse proxy, e.g. with Docker image behind Traefik.

Before

  • in-place edit AJAX requests are generated with http:// and fail

After

  • they are fine

Technical Details

Someone fixed the problem of redirect loops behind a reverse proxy in the redirectToSSL function below. I guess there were worries about other callers of isSSL - but this feels semantically correct to me.

civibot bot commented Nov 13, 2024

🤖 Thank you for contributing to CiviCRM! ❤️ We will need to test and review this PR. 👷

Introduction for new contributors...
  • If this is your first PR, an admin will greenlight automated testing with the command ok to test or add to whitelist.
  • A series of tests will automatically run. You can see the results at the bottom of this page (if there are any problems, it will include a link to see what went wrong).
  • A demo site will be built where anyone can try out a version of CiviCRM that includes your changes.
  • If this process needs to be repeated, an admin will issue the command test this please to rerun tests and build a new demo site.
  • Before this PR can be merged, it needs to be reviewed. Please keep in mind that reviewers are volunteers, and their response time can vary from a few hours to a few weeks depending on their availability and their knowledge of this particular part of CiviCRM.
  • A great way to speed up this process is to "trade reviews" with someone - find an open PR that you feel able to review, and leave a comment like "I'm reviewing this now, could you please review mine?" (include a link to yours). You don't have to wait for a response to get started (and you don't have to stop at one!) the more you review, the faster this process goes for everyone 😄
  • To ensure that you are credited properly in the final release notes, please add yourself to contributor-key.yml
  • For more information about contributing, see CONTRIBUTING.md.
Quick links for reviewers...

➡️ Online demo of this PR 🔗

@civibot civibot bot added the master label Nov 13, 2024
@ufundo ufundo marked this pull request as ready for review November 13, 2024 18:46
@totten (Member) commented Nov 15, 2024

// FIXME: Shouldn't the X-Forwarded-Proto check be part of CRM_Utils_System::isSSL()?

So the answer is "Yes" :) I think that makes sense.

It feels like we're missing the policy mechanism to say "This app lives behind an SSL proxy" or "This app has SSL on Apache/nginx" or "This app is developmental HTTP site".

I know that X-Forwarded-For has a bit of a reputation -- you must use it if you have a proxy, and you must not use it if you don't have a proxy. (Example -- see the disclaimer at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)

X-Forwarded-Proto is not necessarily the same as X-Forwarded-For. (There's no similar warning on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto ...) I guess it all depends on how the information is used. TBH, given how isSSL() is used, I'm hard pressed (F.1) to conjure a real attack against it. OTOH, it's hard to prove something is secure (to prove that there are no vulnerabilities).

IMHO, it would be better if we used some policy flag to affirmatively indicate that the system is or is-not expecting trustworthy proxy headers. But I'm also not looking to block the PR if you're still keen.


(F.1: To make a go of it... Maybe, if client starts with HTTP, then a MITM could trick the app-server into thinking that the connection is more secure than it really is. But there's so little point. The fraudulent subrequest would be more convincing if it used real SSL, which it could. This doesn't confer any new access -- it just tweaks the internal-absolute URLs. Or... Maybe there's some scenario where those internal-absolute URLs are passed around -- where you send a legit HTTPS request for yourself but coerce X-Forwarded-Proto: http... and then the app generates an http: URL that is passed to another agent... and then the other agent makes an insecure request... which could be intercepted? But if your other agent is decently written, then it probably prefers HTTPS anyway. Oy. I can't say it's impossible to have a vulnerability from trusting X-Forwarded-Proto. But it depends on a lot of happenstance.)
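The following is an added, stand-alone PHP example (not CiviCRM's code, and not the change in this PR) illustrating both points in the thread: honouring `X-Forwarded-Proto` so that SSL detection works behind a reverse proxy, and gating that trust on an explicit policy flag plus a list of trusted proxy addresses, as totten suggests. The `$policy` keys `behind_ssl_proxy` and `trusted_proxy_cidrs`, and the `isSSL`/`ipInCidr` function names, are assumptions for this example rather than real CiviCRM settings or APIs. The sample requests at the bottom are constructed.

```php
<?php
// Added example, not CiviCRM code: an isSSL-style check that only trusts
// X-Forwarded-Proto when a policy flag says the app sits behind a proxy that
// sets that header, and only when the request actually arrived from one of
// the configured proxy addresses. Policy keys and function names are hypothetical.

// Returns true when $ip falls inside $cidr (IPv4 or IPv6, "a.b.c.d/n" or a bare address).
function ipInCidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return inet_pton($ip) !== false && inet_pton($ip) === inet_pton($cidr);
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address or IPv4/IPv6 mismatch
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// $server mirrors $_SERVER; $policy is the hypothetical "are we behind an SSL proxy" setting.
function isSSL(array $server, array $policy): bool {
    // TLS terminated on this web server: the server-set HTTPS variable is authoritative.
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower((string) $https) !== 'off') {
        return true;
    }

    // No proxy declared: X-Forwarded-Proto is client-controlled input and must be ignored.
    if (empty($policy['behind_ssl_proxy'])) {
        return false;
    }

    // Proxy declared: only believe the header when the TCP peer is a configured proxy,
    // otherwise a direct client could spoof it.
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    $fromTrustedProxy = false;
    foreach ($policy['trusted_proxy_cidrs'] ?? [] as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            $fromTrustedProxy = true;
            break;
        }
    }
    if (!$fromTrustedProxy) {
        return false;
    }

    // Chained proxies may comma-join values; the first one is the client-facing scheme.
    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    $first = trim(explode(',', $proto)[0]);
    return $first === 'https';
}

// Constructed sample requests and policies.
$noProxyPolicy = ['behind_ssl_proxy' => false];
$proxyPolicy   = ['behind_ssl_proxy' => true, 'trusted_proxy_cidrs' => ['10.0.0.0/8', 'fd00::/8']];

$viaProxy    = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed     = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$directTls   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on'];
$chainedHdr  = ['REMOTE_ADDR' => '10.1.2.3',    'HTTP_X_FORWARDED_PROTO' => 'https, http'];

var_dump(isSSL($viaProxy, $noProxyPolicy)); // header present but policy says no proxy
var_dump(isSSL($viaProxy, $proxyPolicy));   // header from a trusted proxy address
var_dump(isSSL($spoofed, $proxyPolicy));    // header from an untrusted peer
var_dump(isSSL($directTls, $noProxyPolicy)); // TLS terminated locally
var_dump(isSSL($chainedHdr, $proxyPolicy)); // comma-joined header through two proxies
```

Run with `php isssl_example.php`. The design point is the one made above: with `behind_ssl_proxy` false the header is never consulted, and with it true the header is consulted only for connections that originate from a configured proxy, so a client talking to the app server directly cannot flip the scheme the app uses when building absolute URLs.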

@totten totten added the merge ready PR will be merged after a few days if there are no objections label Nov 16, 2024
Labels: master, merge ready (PR will be merged after a few days if there are no objections)