
1.6.2—infinite loop on SSL after upgrade (offload headers issues)
 
Mizpah
Member
 
Total Posts:  54
Joined:  2009-12-09
Birmingham
 

Hi Folks,

I have a server host, who uses a cluster, and offloads SSL.  Under 1.6 we now have the ‘Offload headers’ option, which I have set to HTTPS, as this is the value the host was previously setting directly within Apache for the offload.

It now seems that this value is being ignored? I currently have a 310: Infinite loop on any page where Magento switches from http > https. I can however visit a static https file without issue with a working cert (such as the path to an image).

After a lot of digging, and looking at headers with curl (-I), it appears that the value in the field 'offload headers' is not being sent?

In short, a query of "curl -I -k https://dev.domain.com/customer/account/" (note: -k is simply due to using the dev prefix, the cert is for www) returns:

HTTP/1.1 302 Found
Date: Wed, 21 Mar 2012 11:39:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,User-Agent,Accept-Encoding
Location: https://dev.domain.com/customer/account/
Server: ******DDS1.0

The oddities being that the headers have ‘HTTP/1.1 302 Found’—when they should read HTTPS - and that it 302’s to the URL that is already present - thus infinitely redirecting to itself.

The Key points are:

The incorrect header being sent
No changes to the value in offload headers has any impact (blank, null offload_ssl, https, HTTPS etc)
This install worked perfectly on same host prior to upgrade.
A second site, upgraded in dev, shows the same issues (and the live 1.5 works just fine).
A test 1.6 ‘clean install’ with sample data has the same issue.
A test 1.5 clean install in a subdir works perfectly.

I have been trying to follow the routing as per some Alan Storm articles but it seems fiendishly complex!

Any assistance greatly appreciated!!

 
 
Mizpah
Member
 
Total Posts:  54
Joined:  2009-12-09
Birmingham
 

Thought I would close out the loop myself, hopefully this will help someone, and someone may have some better suggestions!

After far far far too much tracing (there must be an easier way), we found a fix that involved public function getScheme() in lib/Zend/Controller/Request/Http.php, as follows: (line 1013)

    public function getScheme()
    {
        // MD - Edit for 1.6.2 SSL Loop, original code below.
        //return ($this->getServer('HTTPS') == 'on') ? self::SCHEME_HTTPS : self::SCHEME_HTTP;

        return ($_SERVER['HTTPS'] === null) ? self::SCHEME_HTTP : self::SCHEME_HTTPS;
    }

I have changed the logic to pick up the global var if not null, as opposed to ‘on’.  However I note that in 1.5 that line had not changed. 

However the core issue looks more likely to be in Mage/Core/Controller/Varian/Router/Standard.php

In 1.6.2.0 this reads

    /**
     * Check if request URL should be secure
     *
     * Function redirects user to correct URL if needed
     *
     * @param Mage_Core_Controller_Request_Http $request
     * @param string $path
     * @return null
     */
    protected function _checkShouldBeSecure($request, $path = '')
    {
        if (!Mage::isInstalled() || $request->getPost()) {
            return;
        }

        if ($this->_shouldBeSecure($path) && !$request->isSecure()) {
            $url = $this->_getCurrentSecureUrl($request);

            Mage::app()->getFrontController()->getResponse()
                ->setRedirect($url)
                ->sendResponse();
            exit();
        }
    }

In 1.5.1.0 this reads:

    protected function _checkShouldBeSecure($request, $path='')
    {
        if (!Mage::isInstalled() || $request->getPost()) {
            return;
        }

        if ($this->_shouldBeSecure($path) && !Mage::app()->getStore()->isCurrentlySecure()) {
            $url = $this->_getCurrentSecureUrl($request);

            Mage::app()->getFrontController()->getResponse()
                ->setRedirect($url)
                ->sendResponse();
            exit;
        }
    }

Testing the logical statement && !$request->isSecure() traces us back through isSecure, getScheme and getServer to get to the edit made. Testing of the logic seems to indicate that the output from isSecure would always lead to an incorrect result.

I am not (yet) however aware of the output of !Mage::app()->getStore()->isCurrentlySecure() and why this was changed between 1.5 and 1.6.

In addition I have explored all around the code in the function isCurrentlySecure()—and this would seem to take into account the offload headers, however this never appears to be called in 1.6.

I don't like the fact that I have an edit in lib/zend, so do some testing with trying to call isCurrentlySecure, but I can't help but think they have removed the call for a reason - anyone know why this file has been changed?

Regards,

Martin
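
The difference between the two checks compared in this thread, as an added example that is not part of the original posts and is not Magento or Zend code. The function names, the HTTP_X_FORWARDED_PROTO key and the proxy address are assumptions; the offload header is honoured only when the connection comes from the load balancer, because any client can send that header.

```php
<?php
// Added example: stand-alone sketch, not Magento or Zend code.
// Function names, header key and proxy address are assumptions.

/** Naive check: only the HTTPS server variable, compared to 'on'. */
function isSecureNaive(array $server): bool
{
    return isset($server['HTTPS']) && $server['HTTPS'] === 'on';
}

/** Offload-aware check: direct TLS, or the offload header from a trusted proxy. */
function isSecureOffloadAware(array $server, string $offloadKey, array $trustedProxies): bool
{
    // Some servers set HTTPS to 'off' for plain HTTP, so "is set" is not enough.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    return $fromProxy && strtolower($server[$offloadKey] ?? '') === 'https';
}

/** True when the router would answer with a redirect to the HTTPS URL. */
function wouldRedirect(bool $pathMustBeSecure, bool $requestIsSecure): bool
{
    return $pathMustBeSecure && !$requestIsSecure;
}

// Constructed request environments (sample data, not captured traffic).
$proxies = ['10.0.0.5'];
$key     = 'HTTP_X_FORWARDED_PROTO';
$cases   = [
    'direct TLS'           => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'],
    'offloaded by proxy'   => ['REMOTE_ADDR' => '10.0.0.5', $key => 'https'],
    'plain HTTP via proxy' => ['REMOTE_ADDR' => '10.0.0.5', $key => 'http'],
    'header from a client' => ['REMOTE_ADDR' => '203.0.113.7', $key => 'https'],
];

// In the offloaded case the naive check redirects to the HTTPS URL, which
// arrives through the proxy in the same state again: the redirect loop.
foreach ($cases as $name => $server) {
    printf(
        "%-22s naive redirect: %-3s offload-aware redirect: %s\n",
        $name,
        wouldRedirect(true, isSecureNaive($server)) ? 'yes' : 'no',
        wouldRedirect(true, isSecureOffloadAware($server, $key, $proxies)) ? 'yes' : 'no'
    );
}
```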

 
 
njwrigley
Jr. Member
 
Total Posts:  2
Joined:  2010-05-19
 

Hi there Martin,

I’m on 1.6.2.0 and have been having the same issue.

In my case I have two domains using the same code base using vhost.conf and vhost_ssl.conf to do the redirects.

I have been searching for DAYS and your post is the only thing that comes remotely close, in that I get the SSL pages displaying, but the formatting is all missing!

I share your concerns about the alteration of core files and was wondering if you had had a chance to work on this some more, and found a permanent solution that you were happy with.

Thanks,

Nathan.

 
 
pi3g
Jr. Member
 
Total Posts:  2
Joined:  2012-11-18
 

For me, no code modifications were necessary. The problem was in “http” not “https” being set as secure base URL - this would not work, obviously.

Read my post on my blog here for more info:
Magento HTTPS Redirect loop when offloading SSL encryption. Solution.

 