Running TYPO3 CMS behind HTTPS proxy

We often host and develop websites for our customers where the website requires SSL and also Varnish or another reverse proxy. Since Varnish does not handle SSL, we terminate SSL before the request hits Varnish and then communicate with the backend TYPO3 server using regular HTTP (i.e. not HTTPS).

Luckily TYPO3 CMS is already prepared for this scenario and has install tool settings for this.

You need to tell TYPO3 that it runs behind a reverse proxy by setting the two values:

$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'last';

This is done using the install tool, and really has nothing to do with SSL. It simply instructs TYPO3 to replace your proxy's IP with the end client's IP, which should be stored in the HTTP header X-FORWARDED-FOR (most reverse proxies respect this).

Notice that the request might have traversed several proxies, and each proxy will/should prepend to this list, so we generally want the last in this list.

Now if you also want to run SSL on your site, you would typically do the SSL decryption before hitting the reverse proxy. But this means that the TYPO3 web server at the end of the chain will not be able to detect that the site was really accessed using SSL.

TYPO3 is prepared for this, and has an option to specify that the site is always HTTPS even though the site is requested via HTTP from proxy -> webserver. So by setting

$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';

you instruct TYPO3 that all requests coming from the proxies (defined above with reverseProxyIP) should be considered HTTPS.
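
A sketch of the trust decision these settings describe, added here as an illustration and not taken from TYPO3 core or the original post: forwarded headers are honoured only when the connection comes from an address in reverseProxyIP. The function names, the 192.0.2.10 proxy address and the sample requests are assumptions made for the example.

```php
<?php
// Simplified model of the trust decision; NOT TYPO3 core code.
// All IP addresses below are constructed sample values.
$sys = [
    'reverseProxyIP'               => '192.0.2.10', // placeholder proxy address
    'reverseProxyHeaderMultiValue' => 'last',
    'reverseProxySSL'              => '*',
];

function splitList(string $csv): array
{
    // "a, b ,c" -> ['a', 'b', 'c'], empty entries dropped
    return array_values(array_filter(array_map('trim', explode(',', $csv))));
}

function resolveRequest(array $sys, array $server): array
{
    $proxies   = splitList($sys['reverseProxyIP']);
    $peer      = $server['REMOTE_ADDR'];
    $fromProxy = in_array($peer, $proxies, true);

    $clientIp = $peer;
    $https    = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';

    if ($fromProxy) {
        // Forwarded headers count only when the TCP peer is a configured proxy.
        $hops = splitList($server['HTTP_X_FORWARDED_FOR'] ?? '');
        if ($hops !== []) {
            // This sketch treats every value other than 'first' as 'last'.
            $pick = $sys['reverseProxyHeaderMultiValue'] === 'first' ? $hops[0] : end($hops);
            if (filter_var($pick, FILTER_VALIDATE_IP) !== false) {
                $clientIp = $pick;
            }
        }
        // '*' means every address in reverseProxyIP terminates SSL.
        $sslProxies = $sys['reverseProxySSL'] === '*' ? $proxies : splitList($sys['reverseProxySSL']);
        $https = $https || in_array($peer, $sslProxies, true);
    }
    return ['clientIp' => $clientIp, 'https' => $https];
}

// Request relayed by the proxy; the client sent its own X-Forwarded-For value
// and the proxy is assumed to add the address it saw as the final entry.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'];
// Request that reached the web server directly, carrying a client-supplied header.
$direct = ['REMOTE_ADDR' => '203.0.113.99', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];

echo json_encode(resolveRequest($sys, $viaProxy)), PHP_EOL;
echo json_encode(resolveRequest($sys, $direct)), PHP_EOL;
```

In this model every address listed in reverseProxyIP can dictate both the client address and the HTTPS flag, so the list should contain only the proxies you operate.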

Unfortunately there is a bug in recent TYPO3 versions, which has a pending review here: