Letting PHP know that its connection behind NGINX is over HTTPS

If you throw some SSL onto your NGINX hosted website (as you've likely noticed thomashunter.name is now doing), you may notice a few hard-to-diagnose issues. Many PHP scripts look for the presence of a certain server variable, namely, $_SERVER['HTTPS'], to determine if it is behind an SSL connection.

To fix this, you need to add the following line to your server block:

fastcgi_param HTTPS On;

Interestingly, it is quite hard to find documentation on this topic, and I have no idea why. I'm not sure if the HTTPS server variable is that common, but I do know that Apache always provides it, and many PHP scripts rely on it. Honestly, it isn't a bad idea to manually set this to Off if you know that your website isn't behind SSL, as I've seen some code do silly things.

Check out the following crazy logic some common PHP systems use for checking if the current site is secure, all of which rely on the presence of this parameter. Most importantly, notice how every single one of these common PHP systems do it differently:

Thomas Hunter II Avatar

Thomas is the author of Advanced Microservices and is a prolific public speaker with a passion for reducing complex problems into simple language and diagrams. His career includes working at Fortune 50's in the Midwest, co-founding a successful startup, and everything in between.