如何在没有 $_SERVER['HTTPS'] 的情况下确定您是否使用 HTTPS
我在网上看到很多教程说你需要检查 $_SERVER['HTTPS']
如果服务器的连接是用 HTTPS 保护的.我的问题是,在我使用的某些服务器上,$_SERVER['HTTPS']
是一个未定义的变量,会导致错误.是否有另一个我可以检查的变量应该始终定义?
为了清楚起见,我目前正在使用此代码来解析它是否是 HTTPS 连接:
if(isset($_SERVER['HTTPS'])) {if ($_SERVER['HTTPS'] == "on") {$secure_connection = 真;}}
解决方案 即使 $_SERVER['HTTPS']
未定义,这也应该始终有效:
function isSecure() {返回(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')||$_SERVER['SERVER_PORT'] == 443;}
代码与 IIS 兼容.
来自 PHP.net 文档和用户评论:
<块引用>如果脚本是通过 HTTPS 协议查询的,则设置为非空值.
请注意,将 ISAPI 与 IIS 一起使用时,该值将为关闭";如果请求不是通过 HTTPS 协议发出的.(对于作为 Fast-CGI 应用程序运行 PHP 的 IIS7,已报告了相同的行为).
此外,即使安全连接,Apache 1.x 服务器(和损坏的安装)也可能没有定义 $_SERVER['HTTPS']
.虽然不能保证,但根据约定,端口 443 上的连接很可能使用 安全套接字,因此需要额外的端口检查.
附加说明:如果客户端和您的服务器之间存在负载均衡器,则此代码不会测试客户端与负载均衡器之间的连接,而是测试负载均衡器与您的服务器之间的连接.要测试之前的连接,您必须使用 HTTP_X_FORWARDED_PROTO
标头进行测试,但这样做要复杂得多;请参阅此答案下方的最新评论.
I've seen many tutorials online that says you need to check $_SERVER['HTTPS']
if the server is connection is secured with HTTPS. My problem is that on some of the servers I use, $_SERVER['HTTPS']
is an undefined variable that results in an error. Is there another variable I can check that should always be defined?
Just to be clear, I am currently using this code to resolve if it is an HTTPS connection:
if(isset($_SERVER['HTTPS'])) {
if ($_SERVER['HTTPS'] == "on") {
$secure_connection = true;
}
}
解决方案
This should always work even when $_SERVER['HTTPS']
is undefined:
function isSecure() {
return
(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|| $_SERVER['SERVER_PORT'] == 443;
}
The code is compatible with IIS.
From the PHP.net documentation and user comments :
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note that when using ISAPI with IIS, the value will be "off" if the request was not made through the HTTPS protocol. (Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application).
Also, Apache 1.x servers (and broken installations) might not have $_SERVER['HTTPS']
defined even if connecting securely. Although not guaranteed, connections on port 443 are, by convention, likely using secure sockets, hence the additional port check.
Additional note: if there is a load balancer between the client and your server, this code doesn't test the connection between the client and the load balancer, but the connection between the load balancer and your server. To test the former connection, you would have to test using the HTTP_X_FORWARDED_PROTO
header, but it's much more complex to do; see latest comments below this answer.
相关文章