Add configuration and init checks for SSL proxies (bug #829674)

Currently use of a proxy such as nginx to force https usage results
in a bit of loopiness. This patch adds the sslproxy setting and when
this is set, mandates that the wwwroot be a https address.

Change-Id: Ic4cfe048202cea60098e60e57adb99a0cb594619
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>

htdocs/config-dist.php

@@ -61,6 +61,11 @@ $cfg->dbprefix = '';
 // $cfg->wwwroot to use HTTPS.
 //$cfg->wwwroot = 'https://myhost.com/mahara/';
 
+// If you are using a proxy to force HTTPS connections, you will need to
+// enable the next line. If you have set this to true, ensure your wwwroot
+// is a HTTPS address.
+//$cfg->sslproxy = true;
+
 // dataroot - uploaded files are stored here
 // This is a ABSOLUTE FILESYSTEM PATH. This is NOT a URL.
 // For example, valid paths are:

htdocs/init.php

@@ -210,8 +210,14 @@ if (isset($CFG->wwwroot)) {
         $CFG->wwwroot .= '/';
     }
 }
+
+// If we're forcing an ssl proxy, make sure the wwwroot is correct
+if ($CFG->sslproxy == true && parse_url($CFG->wwwroot, PHP_URL_SCHEME) !== 'https') {
+    throw new ConfigSanityException(get_string('wwwrootnothttps', 'error', get_config('wwwroot')));
+}
+
 // Make sure that we are using ssl if wwwroot expects us to do so
-if (isset($_SERVER['REMOTE_ADDR']) && (!isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off') &&
+if ($CFG->sslproxy === false && isset($_SERVER['REMOTE_ADDR']) && (!isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off') &&
     parse_url($CFG->wwwroot, PHP_URL_SCHEME) === 'https'){
     redirect(get_relative_script_path());
 }

htdocs/lang/en.utf8/error.php

@@ -56,6 +56,9 @@ $string['apcstatoff'] = 'Your server appears to be running APC with apc.stat=0.
 If you are on shared hosting, it is likely that there is little you can do to get apc.stat turned on, other than ask your hosting provider. Perhaps you could consider moving to a different host.';
 $string['datarootinsidedocroot'] = 'You have set up your data root to be inside your document root. This is a large security problem, as then anyone can directly request session data (in order to hijack other peoples\' sessions), or files that they are not allowed to access that other people have uploaded. Please configure the data root to be outside of the document root.';
 $string['datarootnotwritable'] = 'Your defined data root directory, %s, is not writable. This means that neither session data, user files nor anything else that needs to be uploaded can be saved on your server. Please make the directory if it does not exist, or give ownership of the directory to the web server user if it does.';
+$string['wwwrootnothttps'] = 'Your defined wwwroot, %s, is not HTTPS. However other settings (such as sslproxy) for your installation require that your wwwroot is a HTTPS address.
+
+Please update your wwwroot setting to be a HTTPS address, or fix the incorrect setting.';
 $string['couldnotmakedatadirectories'] = 'For some reason some of the core data directories could not be created. This should not happen, as Mahara previously detected that the dataroot directory was writable. Please check the permissions on the dataroot directory.';
 
 $string['dbconnfailed'] = 'Mahara could not connect to the application database.