Thank you Hugo, for elaborate answer!
Of course not. X_FORWARDED_PROTOCOL is not a valid HTTP header. It should be X-Forwarded-Proto.
Does it mean that PHP's server variable is (should be) set based on X-Forwarde-Proto header?
And isn't it weird that Lighttpd shows 'https' while in fact the connection to Lighttpd was HTTP, specially because Lighttpd had no HTTPS bindings,
The problem here is that it is undefined / unspecified how a web server should handle those headers. Hiawatha looks for the HTTP_SCHEME variable to its own connection
So, based on this, it means that one should have traffic between proxy and Hiawatha encrypted as well in order to qualify as https?
The biggest problem here is that many proxies that sent a X-Forwarded-For don't sent a X-Forwarded-Proto. Yes, it's a mess.
That could be fixed by (proper) setup?
So, instead of relying on some crappy, incomplete shit sent by (reverse) proxies, I chose to let Hiawatha look at its own connection. And while X-Forwarded-For may contain multiple IP address, X-Forwarded-Proto only contains one value.
It makes sense.
So, what if a connection via 2 reverse proxies reaches my webserver and I see X-Forwarded-For with 2 IP addresses and no X-Forwarded-Proto or one with only a single value, than what?
Heh, that's interesting scenario.
To keep the way Hiawatha works consistent, I decided to ignore those headers.
Can we say this is example of 'defensive coding/programming' ?
In my opinion, what Lighttpd does is wrong or at least can cause some confusion due to inconsistency caused by crappy HTTP headers.
After your explanation, I tend to agree with you.
If you want to enforce HTTPS, do it at your reverse proxy. Redirections within the web application should only be done by using a relative path, not via a complete URL. If you did it all well, you'll never need the X-Forwarded-* stuff anyway.
Well, the 1st problem is that it's not my server - I'm only client using its services and do not like being forced to use Apache which eats my memory in order to serve PHP sites. Secondly, I want to use Hiawatha (instead of Lighttpd) server as back-end.
Now, few (more questions) with hopefully short answers:
- how to enforce HTTPS a reverse proxy?
- if reverse proxy would add/send X-Forwarded-Proto header, would it be sufficient for Hiawatha to set HTTP_SCHEME to 'https'?
- is it possible with present setup and using Lightttp to use SSL certificates by deploying SNI technology?
- would 2) above be enough to use SNI with Hiawatha (which I want to)?
Finally let me say, that I'd be more happy to use VPS and setup Hiawatha at the front-end and not fiddling with reverse proxies, but the main obstacle is the pain of maintaining one's own mail server and all the external services which I looked at are pricey
which are much above the cost if VPS itself.