PHP - Redirecting HTTPS to HTTP - infinite loop

Posted on 2024-12-09 03:03:47


I'm trying to prevent certain pages on my site from being accessed through HTTPS, and (for whatever reason) I want to do it through PHP and not through a .htaccess.

Here's the code I'm using:

if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://mydomain.com");
}

But for some odd reason, I'm stuck in an infinite loop, and can't get it to work. When I check the response headers in Firebug, I see that the location header is set to https://mydomain.com instead of http://mydomain.com, which is causing the infinite loop.

EDIT: Accessing http://mydomain.com directly does work.

Also note: this works if I send 'em to a different page, but not if I send them to the same page. So if I run the above code in mydomain.com/somePage.php, and then try accessing it through https://mydomain.com/somePage.php, it'll properly redirect to (non-SSL-ed) homepage. Only when I redirect them to the same page with a different protocol does it ignore the protocol.

What am I doing wrong?


Comments (3)

捎一片雪花 2024-12-16 03:03:47


It turns out there was nothing wrong with my code. The server was just set up in a way that was messing with my headers. I'm using engineHosting.com, and I have to say: they were very helpful. After a lot of back & forth with them, here's what they sent me:

We were able to get to the bottom of this and may have it (sic) fixed the issue but the fix in and of itself may cause other issues. Let me explain.

Our architecture is not typical of most web hosts. Your account is actually hosted by twin firewalls, twin intrusion prevention systems, twin load balancers also performing the role of SSL hardware-based acceleration, fronting two apache web nodes, and a massive mysql server backend.

The problem was with how we were doing the SSL acceleration inside the load balancers. We have had a number of clients that wanted to detect when a user was accessing a page that was only meant to be used with https, but never the reverse of wanting to detect when a user was on a page that should be redirected to regular http. Because of this, we had an option enabled on our load balancers called "http wan optimized compression SSL Sites Only" which also rewrites an outbound location header to be https when the requesting url was already https enabled. This is useful when you may have a lot of links to assets on the same URL served dynamically but accidentally wrote the link as http. So this is actually a feature, not a bug (and yes I too dislike that phrase).

To work around your particular use case, we changed the SSL profile for your domain to be "http compression for normal/non-ssl" virtual server setups. You have likely not run into this issue using single server web solutions in the past. The unfortunate consequence of operating in this mode is that the other use case of doing 30x redirects at the server level for redirecting users from http to https may have issues depending on how the redirects are implemented. To be safe, you should validate the methods you will be using in your live site and let me know if you run into any problems.
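The loop described in the answer above can be reproduced offline with a small simulation. This is an added example, not code from the original answer or from the host; the `loadBalancer()` function is an assumed model of the Location-rewriting option the host describes, and `mydomain.com` is the page's placeholder domain.

```php
<?php
// Constructed simulation: no network traffic, all URLs are placeholders.

// The page's redirect check, as a pure function of the scheme the client used.
function app(string $scheme, string $path): array {
    if ($scheme === 'https') {
        return ['status' => 301, 'location' => "http://mydomain.com$path"];
    }
    return ['status' => 200, 'location' => null];
}

// Assumed model of the load balancer option from the answer: on an https
// request, an outbound http:// Location header is rewritten to https://.
function loadBalancer(string $url, bool $rewriteLocation): array {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $path = parse_url($url, PHP_URL_PATH) ?? '/';
    $resp = app($scheme, $path);
    if ($rewriteLocation && $scheme === 'https' && $resp['location'] !== null) {
        $resp['location'] = preg_replace('#^http://#', 'https://', $resp['location']);
    }
    return $resp;
}

// Follow redirects like a browser; stop on a 200 or when a URL repeats.
function follow(string $url, bool $rewriteLocation, int $maxHops = 10): array {
    $seen = [];
    for ($hop = 0; $hop < $maxHops; $hop++) {
        if (in_array($url, $seen, true)) {
            return ['loop' => true, 'chain' => $seen];
        }
        $seen[] = $url;
        $resp = loadBalancer($url, $rewriteLocation);
        if ($resp['status'] === 200) {
            return ['loop' => false, 'chain' => $seen];
        }
        $url = $resp['location'];
    }
    return ['loop' => true, 'chain' => $seen];
}

// Compare the two load balancer modes for the same-page redirect.
foreach ([true, false] as $rewrite) {
    $r = follow('https://mydomain.com/somePage.php', $rewrite);
    printf("rewrite=%s loop=%s chain=%s\n", var_export($rewrite, true),
        var_export($r['loop'], true), implode(' -> ', $r['chain']));
}
```

With the rewrite enabled the redirect target is the URL that was just requested, so the chain never leaves https; with it disabled the same application code terminates on the http URL.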

戒ㄋ 2024-12-16 03:03:47


Not completely sure, but here's a couple things I note:

  1. If your .htaccess or server config is set to insist on HTTPS, you won't be able to get around that at the PHP level.

  2. You left off the trailing slash on http://mydomain.com which creates an implied redirect. Try it with the full actual path in the location -- http://mydomain.com/index.html or http://mydomain.com/index.php for example.

南城追梦 2024-12-16 03:03:47


I have a self-hosted server running an HTTPS site. I did a few quick tests, and your code works exactly as expected. Here's my code (verbatim, with only the domain changed):

redir.php

<?php
if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://mydomain.com/redir.php");
    exit;
}

if ( !isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS'])
{
   echo "IT'S WORKING!";
}

?>

I would definitely say - as Jared Farrish said in his chat - that it's an issue with the host. Something in their server configuration is forcing the redirect back to HTTPS. I don't think it's a PHP bug. My server is running PHP 5.3.5 with Apache 2.2.17.
