See. Problem is, something within the following assignment is true such that $request_type is set to SSL. The test run by ZC is considered to be general enough to not miss that a site is set up to permit/show the content over a secure method, but also may misinterpret some signals because of the way the host has set up their system.
Basically if any one of these following sections is true (code is from includes/init_includes/init_file_db_names.php) then the software will attempt to present the page using https.
Code:
$request_type = (((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1'))) ||
(isset($_SERVER['HTTP_X_FORWARDED_BY']) && strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_BY']), 'SSL') !== false) ||
(isset($_SERVER['HTTP_X_FORWARDED_HOST']) && (strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_HOST']), 'SSL') !== false || strpos(strtolower($_SERVER['HTTP_X_FORWARDED_HOST']), str_replace('https://', '', HTTPS_SERVER)) !== false)) ||
(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && strpos(strtolower($_SERVER['HTTP_X_FORWARDED_SERVER']), str_replace('https://', '', HTTPS_SERVER)) !== false) ||
(isset($_SERVER['SCRIPT_URI']) && strtolower(substr($_SERVER['SCRIPT_URI'], 0, 6)) == 'https:') ||
(isset($_SERVER['HTTP_X_FORWARDED_SSL']) && ($_SERVER['HTTP_X_FORWARDED_SSL'] == '1' || strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'ssl' || strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
(isset($_SERVER['HTTP_SSLSESSIONID']) && $_SERVER['HTTP_SSLSESSIONID'] != '') ||
(isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == '443') ||
(isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) ? 'SSL' : 'NONSSL';
Recently seen is when a host has set up a proxy server and hasn't properly set up variables/constants such as HTTP_X_FORWARDED_BY, having it set such that it is the same content as what is used for connecting to the https server. Problem is that when there is no SSL assigned to the site, that should not evaluate to true. It could be other such comparisons, but there is a thread around here that describes how to set up a file to put on your server, tell your host to access the file and either explain why or correct the server settings until all is right.
But the "quick" fix would be to modify your HTTPS_SERVER setting in the includes/configure.php file as already suggested.
Would also agree to use false instead of the pair of single quotes, just for consistency with the concept that is generally addressed as a boolean and the instruction of using true or false, not true and left empty or something similar.
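Added example, not part of the original post and not Zen Cart code: a diagnostic sketch that names which check in the `$request_type` expression fires for a given request, so a misconfigured proxy variable can be pinpointed. The helper name `ssl_signals()`, the host `shop.example.com` and the sample request values are assumptions constructed for illustration; values are compared as lowercased strings.

```php
<?php
// Added diagnostic sketch, not Zen Cart code. ssl_signals() is a hypothetical
// helper: it reports WHICH check in the expression above yields 'SSL'.
function ssl_signals(array $server, string $httpsServer): array
{
    $host = str_replace('https://', '', $httpsServer);
    // Lowercased string copy of the input; keys are preserved.
    $lc = array_map(fn($v) => strtolower((string) $v), $server);
    $in = fn(string $k, string $needle): bool =>
        isset($lc[$k]) && strpos($lc[$k], $needle) !== false;
    $eq = fn(string $k, string ...$vals): bool =>
        isset($lc[$k]) && in_array($lc[$k], $vals, true);

    $checks = [
        'HTTPS'                   => $eq('HTTPS', 'on', '1'),
        'HTTP_X_FORWARDED_BY'     => $in('HTTP_X_FORWARDED_BY', 'ssl'),
        'HTTP_X_FORWARDED_HOST'   => $in('HTTP_X_FORWARDED_HOST', 'ssl')
                                  || $in('HTTP_X_FORWARDED_HOST', $host),
        'HTTP_X_FORWARDED_SERVER' => $in('HTTP_X_FORWARDED_SERVER', $host),
        'SCRIPT_URI'              => isset($lc['SCRIPT_URI'])
                                  && substr($lc['SCRIPT_URI'], 0, 6) === 'https:',
        'HTTP_X_FORWARDED_SSL'    => $eq('HTTP_X_FORWARDED_SSL', '1', 'on'),
        'HTTP_X_FORWARDED_PROTO'  => $eq('HTTP_X_FORWARDED_PROTO', 'ssl', 'https'),
        'HTTP_SSLSESSIONID'       => isset($lc['HTTP_SSLSESSIONID'])
                                  && $lc['HTTP_SSLSESSIONID'] !== '',
        'HTTP_X_FORWARDED_PORT'   => $eq('HTTP_X_FORWARDED_PORT', '443'),
        'SERVER_PORT'             => $eq('SERVER_PORT', '443'),
    ];
    return array_keys(array_filter($checks)); // names of the checks that fired
}

// Constructed sample: plain-HTTP request arriving through a proxy that forwards
// the public host name, which is also the host in HTTPS_SERVER.
$sample = [
    'SERVER_PORT'           => '80',
    'HTTP_X_FORWARDED_HOST' => 'shop.example.com',
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.7',
];
$fired = ssl_signals($sample, 'https://shop.example.com');
echo $fired ? 'SSL via: ' . implode(', ', $fired) : 'NONSSL', PHP_EOL;
```

On a live server, pass `$_SERVER` and the `HTTPS_SERVER` constant instead of the sample. The `HTTP_X_FORWARDED_*` entries come from request headers, so they only reflect the real transport when the proxy in front of the site sets or overwrites them itself.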