How can $_SERVER['HTTPS'] be empty when accessing over HTTPS?

Question

I am having a problem with $_SERVER['HTTPS'] being empty when I am actually accessing a page over https.

According to the docs for $_SERVER, this should be non-empty when accessing a page over HTTPS.

Accoding the docs for mod_ssl

This module provides a lot of SSL information as additional environment variables to the SSI and CGI namespace.

Does this mean that I need to explicitly

SetEnv HTTPS on

in Apache if PHP is running as mod_php to get $_SERVER['HTTPS'] set?

I am trying to figure out if something is wrong in my system or if I am seeing normal behavior.

Answer 1

I believe that SetEnv will not work with PHP module; are you using mod_userdir by any chance? This may have an impact.

Alternatively, you could use this kind of detection:

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'
    || $_SERVER['SERVER_PORT'] == 443) {

    $secure_connection = true;
}

Btw, this might also happen if you site is load balanced and the balancer runs on regular HTTP connections internally.

Update

I'm not sure whether mod_userdir always has this effect, even if it's not in use.

As for the example, instead of assigning a value to $secure_connection you could (make sure no one is looking) write it into $_SERVER['HTTPS'] itself :)

Answer 2

to properly use SetEnv in your .htaccess you need the mod_env module, like:

<IfModule mod_env.c>
   SetEnv HTTPS on
</IfModule>

otherwise, the $_SERVER["HTTPS"] will be empty..

Answer 3

Are you using Apache 2.x or 1.x? I found a comment on the PHP docs for $_SERVER which says that it will not be set with Apache 1.