Support » Fixing WordPress » mTLS and WordPress

  • The WordPress documentation covers the following scenarios:

    1. Using a Reverse Proxy
    2. HTTPS for WordPress

    The scenario that doesn’t appear to be covered is where WordPress is behind a reverse proxy, but then retrospectively, the path between the WordPress web server and the reverse proxy is encrypted using mTLS.

    I’ve had no success getting this working. You can see my attempts in this Caddy forum post onwards. What I’m seeing is that WordPress responds to the mTLS server, but being one step removed from the reverse proxy, can’t find its way back there.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    I dont use Caddy, but have you tried to directly enable variable

    
    $_SERVER['HTTPS'] = 'on';

    in wp-config.php

    You can insert this line on the next line after opening <?php tag

    Thread Starter Basil Hendroff

    (@basilh)

    @fierevere Thanks for responding. A bit of background first.

    1. WordPress + PHP web server, Reverse Proxy – OK
    2. Static file server, mTLS server, Reverse Proxy – OK
    3. WordPress + PHP web server, mTLS server, Reverse Proxy – Not OK

    The points above summarise what was tested in the Caddy forum link referred to in the OP. I’ll briefly go through each of the points above so that, by a process of elimination, we can focus on WordPress and not be overly concerned with the Caddy component, which is providing reverse proxy and mTLS services.

    WordPress + PHP web server, Reverse Proxy

    I’ve had this arrangement working for years. What this tells us is that the PHP web server and reverse proxy server are working. For WordPress and WP-CLI to work in this arrangement, after the opening <?php tag in wp-config.php, I have added the code:

    
    if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
       $_SERVER['HTTPS']='on';
    }
    

    Reference: PHP notice: Undefined index on $_SERVER superglobal

    Note that this is not the same as the code specified in the WordPress guide Using a Reverse Proxy. That guide suggests the following code:

    
    if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    $_SERVER['HTTPS']='on';
    

    This doesn’t work for me as it generates an HTTP 500 error.

    Static file server, mTLS server, Reverse Proxy

    In this working arrangement, I have a basic static file server behind an mTLS server and the reverse proxy server from the previous point. The reverse proxy provides automatic HTTPS, and mTLS ensures the backend path between the file server and reverse proxy is encrypted. What this arrangement tells me is that the mTLS server is configured correctly and communicating with both the file server and reverse proxy.

    WordPress + PHP web server, mTLS server, Reverse Proxy

    In this arrangement, I swap out the file server from the previous point and replace it with the working WordPress + PHP web server from the first point. From the previous two points, I can say with a high degree of confidence that all the building blocks i.e. PHP web server, mTLS server and reverse proxy, are working properly.

    The question then becomes ‘What needs to be added to wp-config.php for WordPress to work in this arrangement?’

    I leave in the added code from point 1:

    
    if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
       $_SERVER['HTTPS']='on';
    }
    

    As indicated in the OP (and detailed in the Caddy forum thread linked in the OP), WordPress responds to the mTLS server, but being one step removed from the reverse proxy, can’t find its way back there.

    So, I take out the added code from point 1 and replace it with the suggested code:

    
    $_SERVER['HTTPS'] = 'on';
    

    This time I get an HTTP 500 error.

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.