In all versions of Moodle, lib/weblib.php includes a snippet like this:



    if (isset($_SERVER['HTTPS'])) {

        $protocol = ($_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';

    } else if (isset($_SERVER['SERVER_PORT'])) { # Apache2 does not export $_SERVER['HTTPS']

        $protocol = ($_SERVER['SERVER_PORT'] == '443') ? 'https://' : 'http://';

    } else {

        $protocol = 'http://';

    }



This doesn't work behind an SSL accelerator (an appliance that converts https: to http:). A better approach:



    if (isset($_SERVER['HTTPS'])) {

        $protocol = 'https://';

    } else if (strncmp($CFG->wwwroot, 'https', 5) == 0) {

        $protocol = 'https://';

    } else {

        $protocol = 'http://';

    }



Also, there are lots of snippets like str_replace('http','https', ...) that break if the host name accidentally includes 'http'. They must be str_replace('http:', 'https:', ...) at the least.



A still better approach would be to use relative URL! And the default protocol must always be derived from the $CFG->wwwroot, not from $_SERVER['HTTPS'] or the port number.