Wordpress behind Nginx reverse proxy with SSL in proxy
Posted 12-13-2020 at 02:33 PM by jdrosales
Updated 04-17-2021 at 02:12 PM by jdrosales (Reformat paragraph with code)
Updated 04-17-2021 at 02:12 PM by jdrosales (Reformat paragraph with code)
I installed Wordpress (the CMS) behind a Nginx reverse proxy that forwards to an internal container where the CMS resides. I must add, before going on, that I did install that CMS for the particular requirement of one of my clients and that I did not have any prior knowledge about the CMS itself, other than it existed out there; additionally, I installed it on a container because such systems are pretty easy to hack and I did not want to jeopardize the security of my server.
The SSL cert was installed in the proxy, to ease as much as possible the load on the container, given the weight of that particular CMS.
The first of two problems I faced was the blocking by my browser of all .css, .js, and images, due to a 'mixed content' considerations by the browser, because I was accessing the proxy thru a 'https' connection but the CMS was constructing its links with 'http', the way I set it up in the proxy. (Config file below)
The second problem was when I updated the CMS to their latest version. In that occasion I got stuck in a 'redirection' problem, no way ahead, and no way back. [sigh]
Both problems have the same origin, and both problems were resolved in the same manner, that I elaborate here.
The code below reflects the config file on the proxy, /etc/nginx/sites-available/name_of_domain:
As can be seen, I accept 'https' only connections to the proxy, but I forward a 'http' connection to the container; I consider redundant and a waste of resources do it any other way.
I looked up on the net for a solution to this problem, without success. So I had to dig into the code. Took me a while, but I found it.
The problem resides in the file /wp-includes/load.php. The function is_ssl() in that file reads as follow:
As a system administrator and webmaster, I can't help to notice the lack of vision and understanding by those in charge of programming this thing; I suppose that been a programmer is hard enough. Oh well.
Let's go with the solution. I added just one elseif statement to that function to fix the problem. Below is the function with the added statement:
That, my friends, solved the problem. The CMS now constructs its external call to other files using 'https'.
I posted pretty much the same as here in one of their forums, but the thread was deleted. They said I was tooting my own horn, or promoting myself. As if. In any case, I don't know if they will fix this function in future releases or not, but in case the don't I hope this fix will help someone else.
Cheers!
The SSL cert was installed in the proxy, to ease as much as possible the load on the container, given the weight of that particular CMS.
The first of two problems I faced was the blocking by my browser of all .css, .js, and images, due to a 'mixed content' considerations by the browser, because I was accessing the proxy thru a 'https' connection but the CMS was constructing its links with 'http', the way I set it up in the proxy. (Config file below)
The second problem was when I updated the CMS to their latest version. In that occasion I got stuck in a 'redirection' problem, no way ahead, and no way back. [sigh]
Both problems have the same origin, and both problems were resolved in the same manner, that I elaborate here.
The code below reflects the config file on the proxy, /etc/nginx/sites-available/name_of_domain:
Code:
----fragment of config file-------------
if ($ssl_protocol = "") {
rewrite ^/(.*) https://$server_name/$1 permanent;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_pass http://xx.xx.xx.xx/; <- Internal address of the container.
limit_req zone=mylimit; <- I use limits to deter attacks.
}
------end of fragment of config file-----------------
I looked up on the net for a solution to this problem, without success. So I had to dig into the code. Took me a while, but I found it.
The problem resides in the file /wp-includes/load.php. The function is_ssl() in that file reads as follow:
Code:
-------------- function is_ssl() in /wp-includes/load.php-----------------
function is_ssl() {
if ( isset( $_SERVER['HTTPS'] ) ) {
if ( 'on' === strtolower( $_SERVER['HTTPS'] ) ) {
return true;
}
if ( '1' == $_SERVER['HTTPS'] ) {
return true;
}
} elseif ( isset( $_SERVER['SERVER_PORT'] ) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
}
return false;
}
-------------end function is_ssl()---------------------------
Let's go with the solution. I added just one elseif statement to that function to fix the problem. Below is the function with the added statement:
Code:
------------------ modified is_ssl() function in /wp-includes/load.php---------------
/**
* Determines if SSL is used.
*
* @since 2.6.0
* @since 4.6.0 Moved from functions.php to load.php.
*
* @return bool True if SSL, otherwise false.
*/
function is_ssl() {
if ( isset( $_SERVER['HTTPS'] ) ) {
if ( 'on' === strtolower( $_SERVER['HTTPS'] ) ) {
return true;
}
if ( '1' == $_SERVER['HTTPS'] ) {
return true;
}
} elseif ( isset( $_SERVER['SERVER_PORT'] ) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
} elseif ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && ( 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
return true;
}
return false;
}
------------end modified is_ssl() function-------------------------
I posted pretty much the same as here in one of their forums, but the thread was deleted. They said I was tooting my own horn, or promoting myself. As if. In any case, I don't know if they will fix this function in future releases or not, but in case the don't I hope this fix will help someone else.
Cheers!
Total Comments 0
