prevent endless redirect loop on nginx failure

webmails/roundcube/mailu.php

@@ -24,9 +24,15 @@ class mailu extends rcube_plugin
   function authenticate($args)
   {
     if (!array_key_exists('HTTP_X_REMOTE_USER', $_SERVER) or !array_key_exists('HTTP_X_REMOTE_USER_TOKEN', $_SERVER)) {
-        header('Location: sso.php');
+        if ($_SERVER['PHP_SELF'] == '/sso.php') {
+            header('HTTP/1.0 403 Forbidden');
+            print('mailu sso failure');
+        } else {
+            header('Location: sso.php');
+        }
         exit();
     }
+
     $args['user'] = $_SERVER['HTTP_X_REMOTE_USER'];
     $args['pass'] = $_SERVER['HTTP_X_REMOTE_USER_TOKEN'];
 
@@ -36,13 +42,13 @@ class mailu extends rcube_plugin
     return $args;
   }
 
-  function logout($args) {
+  // Redirect to global SSO logout path.
-    // Redirect to global SSO logout path.
+  function logout($args)
+  {
     $this->load_config();
-
     $sso_logout_url = rcmail::get_instance()->config->get('sso_logout_url');
-    header("Location: " . $sso_logout_url, true);
+    header('Location: ' . $sso_logout_url, true);
-    exit;
+    exit();
   }
 
   function login($args)
@@ -50,15 +56,16 @@ class mailu extends rcube_plugin
       header('Location: index.php');
       exit();
   }
+
   function login_failed($args)
   {
       $ua = $_SERVER['HTTP_USER_AGENT'];
       $ra = $_SERVER['REMOTE_ADDR'];
       if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
-        echo "OK";
+        print('OK');
-        exit;
+      } else {
+        header('Location: sso.php');
       }
-      header('Location: sso.php');
       exit();
   }