base href not setting correctly

[badarac]

One of my clients had an issue installing 1.5.4. PHP 5.4.22, MySQL 5.5.42-cll, Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6. The install went fine but when the catalog url was accessed noe of the css was being applied. When I investigated I found that the base href was being set to https://domain name even though ssl was not turned on in the configs. I found some code in another similar thread which had some code to test the $_SERVER globals. This doesn't seem to be working correctly as the $request_type variable is being set to SSL. I added some code to loop through and print the settings. I also had it echo the contents of $request_type before the if which tested if request_type was set to NONSSL. Here is the output of that script execution:

Code:

$_SERVER IS

Array
(
    [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
    [PWD] => /usr/local/cpanel/cgi-sys
    [SHLVL] => 0
    [SCRIPT_NAME] => /ssltest.php
    [REQUEST_URI] => /ssltest.php
    [QUERY_STRING] => 
    [REQUEST_METHOD] => GET
    [SERVER_PROTOCOL] => HTTP/1.0
    [GATEWAY_INTERFACE] => CGI/1.1
    [REMOTE_PORT] => 48036
    [SCRIPT_FILENAME] => /home/domain/public_html/ssltest.php
    [SERVER_ADMIN] => [email protected]
    [DOCUMENT_ROOT] => /home/domain/public_html
    [REMOTE_ADDR] => xx.xx.xx.xx
    [SERVER_PORT] => 80
    [SERVER_ADDR] => xx.xx.xx.xx
    [SERVER_NAME] => domain.com
    [SERVER_SOFTWARE] => Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6
    [SERVER_SIGNATURE] => 
Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6 Server at domain.com Port 80


    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
    [HTTP_CONNECTION] => close
    [HTTP_X_FORWARDED_FOR] => xx.xx.xx.xx
    [HTTP_X_FORWARDED_SERVER] => domain.com
    [HTTP_X_FORWARDED_HOST] => domain.com
    [HTTP_X_REAL_IP] => xx.xx.xx.xx
    [HTTP_HOST] => domain.com
    [UNIQUE_ID] => id@xxxxx
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /ssltest.php
    [REQUEST_TIME_FLOAT] => 1430237242.92
    [REQUEST_TIME] => 1430237242
    [argv] => Array
        (
        )

    [argc] => 0
)

HTTPS server https://domain.com
 
 Protocol was detected: SSL


Array
(
    [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
    [PWD] => /usr/local/cpanel/cgi-sys
    [SHLVL] => 0
    [SCRIPT_NAME] => /ssltest.php
    [REQUEST_URI] => /ssltest.php
    [QUERY_STRING] => 
    [REQUEST_METHOD] => GET
    [SERVER_PROTOCOL] => HTTP/1.0
    [GATEWAY_INTERFACE] => CGI/1.1
    [REMOTE_PORT] => 48036
    [SCRIPT_FILENAME] => /home/domain/public_html/ssltest.php
    [SERVER_ADMIN] => [email protected]
    [DOCUMENT_ROOT] => /home/domain/public_html
    [REMOTE_ADDR] => xx.xx.xx.xx
    [SERVER_PORT] => 80
    [SERVER_ADDR] => xx.xx.xx.xx
    [SERVER_NAME] => domain.com
    [SERVER_SOFTWARE] => Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6
    [SERVER_SIGNATURE] => 
Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6 Server at domain.com Port 80


    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
    [HTTP_CONNECTION] => close
    [HTTP_X_FORWARDED_FOR] => xx.xx.xx.xx
    [HTTP_X_FORWARDED_SERVER] => domain.com
    [HTTP_X_FORWARDED_HOST] => domain.com
    [HTTP_X_REAL_IP] => xx.xx.xx.xx
    [HTTP_HOST] => domain.com
    [UNIQUE_ID] => id@xxxxxx
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /ssltest.php
    [REQUEST_TIME_FLOAT] => 1430237242.92
    [REQUEST_TIME] => 1430237242
    [argv] => Array
        (
        )

    [argc] => 0
)

This is the code I found in the other thread

PHP Code:

<?php
define('HTTPS_SERVER', 'https://put-your-https-URL-here');
$request_type = (((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1'))) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_BY']) && strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_BY']), 'SSL') !== false) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_HOST']) && (strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_HOST']), 'SSL') !== false || strpos(strtolower($_SERVER['HTTP_X_FORWARDED_HOST']), str_replace('https://', '', HTTPS_SERVER)) !== false)) ||
                 (isset($_SERVER['SCRIPT_URI']) && strtolower(substr($_SERVER['SCRIPT_URI'], 0, 6)) == 'https:') ||
                 (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && ($_SERVER['HTTP_X_FORWARDED_SSL'] == '1' || strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'ssl' || strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
                 (isset($_SERVER['HTTP_SSLSESSIONID']) && $_SERVER['HTTP_SSLSESSIONID'] != '') ||
                 (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) ? 'SSL' : 'NONSSL';
if ($request_type=='NONSSL') {
  if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) &&  strpos(strtolower($_SERVER['HTTP_X_FORWARDED_SERVER']),  str_replace('https://', '', HTTPS_SERVER)) !== false) {
    $request_type .= '<br> ... BUT HTTP_X_FORWARDED_SERVER may contain useful info. You may need to upgrade to a newer ZC version';
  }
}
echo 'Protocol detected: ' . $request_type . '<br /><br /><br /><pre>' . print_r($_SERVER, TRUE) . '</pre>';

It looks to me like

PHP Code:

(isset($_SERVER['HTTP_X_FORWARDED_HOST']) && (strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_HOST']), 'SSL') !== false || strpos(strtolower($_SERVER['HTTP_X_FORWARDED_HOST']), str_replace('https://', '', HTTPS_SERVER)) !== false)) 


should have caused NONSSL to be set. Am I interpreting this incorrectly or do I have some sort of an error or hosting config problem?

[lhungil]

Based on what you posted earlier the hosting provider is proxying HTTP traffic, which is a little unusual. This post may be relevant to your situation.

Otherwise if the hosting provider DOES proxy both HTTP and HTTPS... You may need to do some custom coding to determine when the request was HTTP vs HTTPS... Possibly checking the PORT (and overriding the detection provided by Zen Cart)...

[badarac]

Just a quick update. I went the code around it route. I added an additional test to includes/init_includes/init_file_db_names.php to test for server port 80 and set request_type to NONSSL if true.

PHP Code:

$request_type = (((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1'))) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_BY']) && strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_BY']), 'SSL') !== false) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_HOST']) && (strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_HOST']), 'SSL') !== false || strpos(strtolower($_SERVER['HTTP_X_FORWARDED_HOST']), str_replace('https://', '', HTTPS_SERVER)) !== false)) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && strpos(strtolower($_SERVER['HTTP_X_FORWARDED_SERVER']), str_replace('https://', '', HTTPS_SERVER)) !== false) ||
                 (isset($_SERVER['SCRIPT_URI']) && strtolower(substr($_SERVER['SCRIPT_URI'], 0, 6)) == 'https:') ||
                 (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && ($_SERVER['HTTP_X_FORWARDED_SSL'] == '1' || strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
                 (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'ssl' || strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
                 (isset($_SERVER['HTTP_SSLSESSIONID']) && $_SERVER['HTTP_SSLSESSIONID'] != '') ||
                 (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) ? 'SSL' : 'NONSSL';
$request_type = (((isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '80')) ? 'NONSSL' : 'SSL');