WordPress HTTPS (SSL)
[resolved] When Behind Amazon Web Services Elastic Load Balancer causes endless redirect (5 posts)

  1. CThompson.efc
    Member
    Posted 2 years ago #

    When Behind Amazon Web Services Elastic Load Balancer causes endless redirect.

    If you have the Force SSL check box checked then anyone who visits that page gets an endless redirect.

    This is because the AWS ELB is set from port 443 to port 80 and WordPress HTTPS doesn't think it's secure.

  2. CThompson.efc
    Member
    Posted 2 years ago #

    By the way, this is for the WordPress HTTPS plugin.

    I am looking at the code on line 486

    function is_ssl() {
        // Some extra checks for proxies and Shared SSL
        if ( isset($_SERVER['HTTP_X_URL_SCHEME']) && isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && !is_ssl() && strpos($this->https_url, $_SERVER['HTTP_X_URL_SCHEME'] . '://' . $_SERVER['HTTP_X_FORWARDED_SERVER']) !== false ) {
            return true;
        } else if ( $this->shared_ssl && !is_ssl() && strpos($this->https_url, $_SERVER['HTTP_HOST']) !== false ) {
            return true;
        }
        // Otherwise fall back to WordPress' built-in is_ssl()
        return is_ssl();
    }

    What can I add to check for the X-Forwarded-Proto == https ?


  3. Mvied
    Member
    Plugin Author

    Posted 2 years ago #

    Hey CThompson.efc,

    I would try adding this to the if/else block. Let me know if it works.

    if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' ) {
    	return true;
    }

    Thanks,
    Mike

  4. CThompson.efc
    Member
    Posted 2 years ago #

    That fixes it.

    In human terms, what exactly does that do?

  5. Mvied
    Member
    Plugin Author

    Posted 2 years ago #

    The if statement we added does exactly what you'd think: it checks the HTTP_X_FORWARDED_PROTO header sent by Apache to see if it is equal to 'https'.

    WordPress HTTPS features an is_ssl() function which extends the regular functionality of WordPress' built-in is_ssl() function. There are a few cases when using Shared SSL and proxies that WordPress' is_ssl() function doesn't recognize, such as the case you pointed out, so it returns false.

    If the page is HTTP and 'Force SSL' is enabled for that page, the plugin will redirect the page to HTTPS.

    If the Force SSL Exclusively option is enabled and the page is hit as HTTPS and it does not have the Force SSL checkbox checked, it will redirect to HTTP.

    Problems arise when you try to hit the page on HTTPS: the plugin says that it's not HTTPS because the is_ssl() function returns false, so the plugin attempts to redirect the page to HTTPS over and over again, causing a redirect loop.

Topic Closed

This topic has been closed to new replies.
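
The check posted in the thread accepts X-Forwarded-Proto from whoever sends the request. The sketch below is an added example, not code from the thread or from the WordPress HTTPS plugin; it honors the header only when the request arrives from the load balancer's address range. The function names, the `10.0.0.0/16` range and the sample requests are assumptions constructed for illustration, and the range check is IPv4 only.

```php
<?php
/** True if IPv4 address $ip falls inside $cidr, e.g. "10.0.0.0/16". */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Decide whether the client connection was HTTPS, given a $_SERVER-style array. */
function request_is_https(array $server, array $trustedProxies): bool {
    // TLS terminated on this host: the same signals WordPress' built-in is_ssl() uses.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1' || (string) ($server['SERVER_PORT'] ?? '') === '443') {
        return true;
    }
    // X-Forwarded-Proto is an ordinary request header, so honor it only
    // when the TCP peer is the load balancer itself.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
            return $proto === 'https';
        }
    }
    return false;
}

// Constructed sample requests; 10.0.0.0/16 stands in for the balancer's subnet.
$trusted = ['10.0.0.0/16'];
$samples = [
    'via ELB, client used https' => ['REMOTE_ADDR' => '10.0.3.17',   'SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via ELB, client used http'  => ['REMOTE_ADDR' => '10.0.3.17',   'SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct hit, header present' => ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, request_is_https($server, $trusted) ? 'https' : 'http');
}
```

Restricting the web server's security group so that only the load balancer can reach port 80 gives the same guarantee at the network layer.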
