Letting PHP know that its connection behind NGINX is over HTTPS

1 min read
Multithreaded JavaScript has been published with O'Reilly!

If you throw some SSL onto your NGINX hosted website (as you've likely noticed thomashunter.name is now doing), you may notice a few hard-to-diagnose issues. Many PHP scripts look for the presence of a certain server variable, namely, $_SERVER['HTTPS'], to determine if it is behind an SSL connection.

To fix this, you need to add the following line to your server block:

fastcgi_param HTTPS On;

Interestingly, it is quite hard to find documentation on this topic, and I have no idea why. I'm not sure if the HTTPS server variable is that common, but I do know that Apache always provides it, and many PHP scripts rely on it. Honestly, it isn't a bad idea to manually set this to Off if you know that your website isn't behind SSL, as I've seen some code do silly things.

Check out the following crazy logic some common PHP systems use for checking if the current site is secure, all of which rely on the presence of this parameter. Most importantly, notice how every single one of these common PHP systems do it differently:

Thomas Hunter II Avatar

Thomas has contributed to dozens of enterprise Node.js services and has worked for a company dedicated to securing Node.js. He has spoken at several conferences on Node.js and JavaScript and is an O'Reilly published author.