
We have a site running on CloudFlare Pro that uses their supplied certificate for one-click encryption. Our site has "optional" SSL for users. As it's a forum, we currently run a proxy script that detects if a posted image is not using an HTTPS protocol and automatically proxies the image through a script running on our server to maintain security and our lovely green lock!

My only issue now is that this introduces unnecessary load on our servers when users aren't using HTTPS, so we would like to be able to detect if they are or are not. However, as the CloudFlare server is actually connecting to ours no matter what over HTTP (because we are using one-click SSL on CloudFlare), our PHP script always reports HTTP and never proxies the images even when the user is using HTTPS. Is there a way to get CloudFlare to report the user is using SSL?

jduncanator

1 Answer


Found my answer, they send a header X-FORWARDED-PROTO. It's https for SSL and http for normal!

jduncanator
  • Glad you answered before it was closed. Running into a similar issue. – reflexiv Aug 08 '13 at 02:42
  • Trusting that header in CF connections does not seem a good idea: according to the FAQs, CF will not drop the original header sent in the request, so this could be a security hole. You should check the Cf-Visitor header instead. That header contains a JSON object indicating the scheme. – lordscales91 Mar 26 '16 at 10:49
  • If all you're doing is deciding whether to redirect to https if the end user is browsing over insecure http, you don't need to trust the header. If a "malicious" user overrides the original proto as https, all she gains is getting to downgrade her own security. If that is all you're doing, I'd argue using X-Forwarded-Proto is better because it's a de-facto standard that works with pretty much all proxies, while Cf-Visitor is proprietary. I upvoted you though, since you have a good point about trust. – joonas.fi Feb 04 '17 at 16:26
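An added example that puts the answer and the comments together (it is not the asker's script and not CloudFlare's code): prefer Cf-Visitor, fall back to X-Forwarded-Proto, and resolve any ambiguity towards proxying, since the cost of a wrong answer in that direction is load rather than a broken lock. The function and sample names are assumptions; the `{"scheme":"https"}` shape of Cf-Visitor is taken from the comment above.

```php
<?php
// Added example, not code from the question or answer. Header names are the
// ones discussed on this page; the {"scheme":"https"} shape of Cf-Visitor is
// as described in the comments. Function and sample names are assumptions.

/**
 * Decide whether the visitor reached CloudFlare over HTTPS, i.e. whether
 * http:// images must be proxied to keep the page free of mixed content.
 *
 * Preference order:
 *   1. Cf-Visitor: set by CloudFlare, JSON with a "scheme" member.
 *   2. X-Forwarded-Proto: widely supported, but a client can also send it.
 *   3. Our own socket, which behind one-click SSL is always plain HTTP.
 *
 * Ambiguous values resolve towards HTTPS: proxying an image needlessly only
 * costs load, while skipping the proxy on an HTTPS page breaks the lock.
 */
function visitorUsesHttps(array $server): bool
{
    if (isset($server['HTTP_CF_VISITOR'])) {
        $visitor = json_decode($server['HTTP_CF_VISITOR'], true);
        if (is_array($visitor) && isset($visitor['scheme']) && is_string($visitor['scheme'])) {
            return strtolower($visitor['scheme']) === 'https';
        }
        return true; // unparsable header: fail towards proxying
    }

    // A client-sent value may survive next to the proxy's as a comma list.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $protos = array_map('trim', explode(',', strtolower($server['HTTP_X_FORWARDED_PROTO'])));
        return in_array('https', $protos, true);
    }
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Constructed sample requests; run with `php thisfile.php` to self-check.
$samples = [
    [['HTTP_CF_VISITOR' => '{"scheme":"https"}'], true],
    // Cf-Visitor wins over a client-spoofed X-Forwarded-Proto.
    [['HTTP_CF_VISITOR' => '{"scheme":"http"}', 'HTTP_X_FORWARDED_PROTO' => 'https'], false],
    [['HTTP_X_FORWARDED_PROTO' => 'http, https'], true],
    [[], false], // no proxy headers at all: the direct connection decides
];
foreach ($samples as [$server, $expected]) {
    if (visitorUsesHttps($server) !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($server));
    }
}
// In the forum: $src = visitorUsesHttps($_SERVER) ? proxyUrl($imageUrl) : $imageUrl;
```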