Merge pull request #744 from vichan-devel/RealAngeleno-httpsonly

modify how https only works, disabling by default and allowing cloudflare.

inc/config.php

@@ -194,9 +194,8 @@
 	// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
 	$config['cookies']['httponly'] = true;
 
-	// Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
-	// load-balancer without encryption.
-	$config['cookies']['secure_login_only'] = true;
+	// Do not allow logins via unencrypted HTTP. If your website uses HTTPS, turn this on.
+	$config['cookies']['secure_login_only'] = false;
 
 	// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
 	$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';

inc/functions/net.php

@@ -6,5 +6,13 @@ namespace Vichan\Functions\Net;
  * @return bool Returns if the client-server connection is an encrypted one (HTTPS).
  */
 function is_connection_secure(): bool {
-	return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
+    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+        return true;
+    }
+    elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
+        return true;
+    }
+    else {
+	return false;
+    }
 }

install.php

@@ -5,11 +5,6 @@ define('VERSION', '5.2.0');
 require 'inc/bootstrap.php';
 loadConfig();
 
-if (!is_writable('inc/secrets.php') || !is_writable('inc/')) {
-	echo 'install.php does not have permission to write to /inc/secrets.php and/or /inc/, without permission the installer cannot continue';
-	exit();
-}
-
 // Salt generators
 class SaltGen {
 	public $salt_length = 128;