PHP - 将 HTTPS 重定向到 HTTP - 无限循环

Question

我试图阻止通过 HTTPS 访问我网站上的某些页面，并且(无论出于何种原因)我想通过 PHP 而不是通过 .htaccess 来访问。

这是我正在使用的代码:

if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://mydomain.com");
}

但出于某种奇怪的原因，我陷入了无限循环，无法让它工作。当我检查 firebug 中的响应 header 时，我看到 location header 设置为 https://mydomain.com而不是 http://mydomain.com ，这导致了无限循环。

编辑:访问 http://mydomain.com直接起作用。

另请注意:如果我将它们发送到不同的页面，这有效，但如果我将它们发送到同一页面，则无效。因此，如果我在 mydomain.com/somePage.php 中运行上述代码，然后尝试通过 https://mydomain.com/somePage.php访问，它将正确重定向到(非 SSL 版)主页。只有当我将它们重定向到具有不同协议(protocol)的同一页面时，它才会忽略该协议(protocol)。

我究竟做错了什么？

Answer 1

事实证明我的代码没有任何问题。服务器只是以一种弄乱我的标题的方式设置的。我正在使用 engineHosting.com ，我不得不说:他们非常有帮助。在与他们多次来回之后，这是他们发给我的:

We were able to get to the bottom of this and may have it (sic) fixed the issue but the fix in and of itself my cause other issues. Let me explain.

Our architecture is not typical of most web hosts. Your account is actually hosted by twin firewalls, twin intrusion prevention systems, twin load balancers also performing the role of SSL hardware-based acceleration, fronting two apache web nodes, and a massive mysql server backend.

The problem was with how we were doing the SSL acceleration inside the load balancers. We have had a number of clients that wanted to detect when a user was accessing a page that was only meant to be used with https, but never the reverse of wanting to detect when a user was on a page that should be redirected to regular http. Because of this, we had an option enabled on our load balancers called "http wan optimized compression SSL Sites Only" which also rewrites an outbound location header to be https when the requesting url was already https enabled. This is useful when you may have a lot of links to assets on the same URL served dynamically but accidentally wrote the link as http. So this is actually a feature, not a bug (and yes I too dislike that phrase).

To work around your particular use case, we changed the SSL profile for your domain to be "http compression for normal/non-ssl" virtual server setups. You have likely not run into this issue using single server web solutions in the past. The unfortunate consequence of operating in this mode is that the other use case of doing 30x redirects at the server level for redirecting users from http to https may have issues depending on how the redirects are implemented. To be safe, you should validate the methods you will be using in your live site and let me know if you run into any problems.