WordPress HTTPS (SSL)
securing admin login only (30 posts)

  1. onerock
    Member
    Posted 2 years ago #

    I am having difficulty with setting up https for admin logins.

    I am using Cloudflare (free account) so I am forced to create a subdomain to anything https.

    My site is http://mydomain.com
    My secure subdomain is https://secure.mydomain.com

    How do I redirect any request for http://mydomain.com/wp-login.php --> https://secure.mydomain.com/wp-login.php, then once logged in back to standard http://mydomain.com/wp-admin/?

    Thanks in advance for any assistance that can be offered to the newbie. :-)
    Scott

    http://wordpress.org/extend/plugins/wordpress-https/

  2. onerock
    Member
    Posted 2 years ago #

    Disregard, I have resolved my issue. I missed the fact that I needed to put secure.mydomain.com in the SSL Host box and check the Force SSL Administration box. All of my admin pages are secure, but it hasn't slowed anything down, so I am good with this.

    Thanks for a great plugin.

  3. onerock
    Member
    Posted 2 years ago #

    After running this for a week, I am running into a few usability related issues. I am now attempting to only secure the WordPress Logins. I have found a few options to do this, but none seem to work for me. I believe that this is because I am using a subdomain for the HTTPS.

    From http://www.thatsgeeky.com/2012/01/wordpress-ssl-login-page-without-ssl-admin/

    I have attempted to edit wp-login.php:

    Change line 565 for WP 3.4.2 of wp-login.php:
    From: $secure_cookie = '';
    To: $secure_cookie = false;

    Explicitly request admin_url() to return the non-SSL url by changing line 588 for WP 3.4.1 of wp-login.php:
    From: $redirect_to = admin_url();
    To: $redirect_to = admin_url('','http');

    Can you please offer some assistance with making only the logins secure.

    Thanks in advance Scott

  4. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    Is there any reason you aren't securing the entire admin panel?

  5. onerock
    Member
    Posted 2 years ago #

    The main reason is that I cannot browse the website while logged in. This is causing hassles with things that I do as logged in and not logged in.

  6. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    Why can't you browse the site while logged in?

  7. onerock
    Member
    Posted 2 years ago #

    If I click the visit site button on the admin bar, I am redirected to http://MyDomain.com, not logged in. If I type in the address bar of an internet browser, https://Secure.MyDomain.com, I am redirected to http://MyDomain.com, not logged in.

  8. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    If you're using a subdomain, you should be logged into both using a domain-wide cookie. Enable debug mode and check your browser's console for the debug output. Look for a line that says "Subdomain: Yes/No". If it says no, try re-saving the WordPress HTTPS settings and see if it changes. If it says Yes, there's a bug of some kind.

  9. onerock
    Member
    Posted 2 years ago #

    Thanks so much for your help.

    I have verified the following through debug; see below. After re-saving the info in the plugin, I am still not able to browse my site while logged in.

    [BEGIN WordPress HTTPS Debug Log]
    /wp-admin/ (line 629)
    Version: 3.2.3
    /wp-admin/ (line 630)
    HTTP URL: http://MyDomain.com/
    /wp-admin/ (line 631)
    HTTPS URL: https://secure.MyDomain.com/
    /wp-admin/ (line 632)
    SSL: Yes
    /wp-admin/ (line 633)
    Diff Host: Yes
    /wp-admin/ (line 634)
    Subdomain: No
    /wp-admin/ (line 635)
    Proxy: No

  10. pjv
    Member
    Posted 2 years ago #

    i'm seeing the same issue with version 3.3.0, trying to do the same thing. i have a non-multisite install of wordpress and i need to run the admin on a secure subdomain.

    when i activate and set up the plugin with the secure subdomain specified and both SSL admin and exclusive SSL options checked, much works as expected. when i go to the login page and the admin panel, it all redirects to the secure subdomain (secure.wr-test.local). when i click the "visit site" link, i get re-directed to the non-secure main domain (wr-test.local).

    [and btw, i was having trouble with the preview button sending me to a 404 as mentioned in several other threads and i was able to fix that issue by putting "preview=true" into the URL filters box]

    here is what doesn't work as expected:

    after logging in and then clicking on the "visit site" link, while browsing the site on the main non-secure domain, there is no admin bar at the top (i.e. i am not logged in on the non-secure host).

    i am using nginx to serve this site. i have two virtual hosts set up: wr-test.local is listening on port 80 and secure.wr-test.local is listening on port 443

    here is the debug log (subdomain remains "No" after re-saving HTTPS settings):

    [BEGIN WordPress HTTPS Debug Log]
    Version: 3.3.0
    HTTP URL: http://wr-test.local/
    HTTPS URL: https://secure.wr-test.local/
    SSL: Yes
    Diff Host: Yes
    Subdomain: No
    Proxy: No

  11. pjv
    Member
    Posted 2 years ago #

    continuing to work through this issue, i have one new update. in trying to determine why the plugin was not seeing secure.wr-test.local as a subdomain of wr-test.local, i dug down until i found the function isValid() inside of Url.php. when i read through the code in there, i realized that it was returning false because i am running all this on a test server and i had neglected to include the hostname secure.wr-test.local in the hosts file on the test machine, and it obviously does not resolve by dns.

    as an aside, it seems a little strange to me to verify a subdomain by doing a curl on it. wouldn't it make more sense to decide that secure.wr-test.local is a subdomain of wr-test.local purely on a string comparison basis?

    anyway, now that i added that host to the hosts file, re-saved the settings in HTTPS admin, and cleared all the cookies and then re-logged in, the debug log now looks like this:

    [BEGIN WordPress HTTPS Debug Log]
    Version: 3.3.0
    HTTP URL: http://wr-test.local/
    HTTPS URL: https://secure.wr-test.local/
    SSL: Yes
    Diff Host: Yes
    Subdomain: Yes
    Proxy: No

    but i still have the same issue. the cookie being set is not for the whole domain, but only for the secure.wr-test.local host. i still am not logged in on the insecure site front end, and i can also see in safari that there are only cookies stored for the secure.wr-test.local host and none for wr-test.local.

    i am highly motivated to get this working and would be happy to test and report.

  12. pjv
    Member
    Posted 2 years ago #

    ignore the post just above. i re-started nginx and php5-fpm on the server and quit and re-started the browser and now everything is working fine. so the original problem does seem to have been the isValid() function returning false because i had forgotten to enter the hostname for the secure host into the test server's host file. i hope that helps someone else.

  13. onerock
    Member
    Posted 2 years ago #

    I am on a production CentOS 6 server with Apache, but I am wondering if restarting services will fix it like it did for you.

  14. pjv
    Member
    Posted 2 years ago #

    i think it was the combination of getting the hosts file right and then restarting that fixed the problem i was seeing. i don't think it was just the restart because i had done a lot of tweaking and restarting with no effect until i got the hostname issue sorted.

    i'd still suggest to mike that he re-think validating the subdomain URL by connecting to it with curl as part of determining whether it is in fact a subdomain. so many ways that could go wrong in terms of connectivity at the time of the check, whether the user has curl installed or not, etc. it seems to me to make more sense to determine if a URL is a valid subdomain of another URL on a purely lexical basis.

    that said, this is a GREAT plugin, so thanks mike for putting it out there.

  15. onerock
    Member
    Posted 2 years ago #

    You are right, it didn't help out my situation. My debug log always shows as Subdomain: no.

  16. pjv
    Member
    Posted 2 years ago #

    does your centOS box have curl installed?

    can you run something like this from the command line on the server and get a valid http response?:

    curl secure.mydomain.com

  17. onerock
    Member
    Posted 2 years ago #

    Thanks for your assistance with this. Yes, I can use the curl command
    curl secure.mydomain.com. It brings up the text of my home page.

  18. pjv
    Member
    Posted 2 years ago #

    sorry then. whatever is causing your Subdomain: no must be a different problem than what i was seeing.

    this isn't a real solution, but you can hack the plugin to force it to treat the URL as a subdomain. i don't know what kind of side-effects this might have...

    in the file wordpress-https/lib/WordPressHTTPS.php, line 205 should look like this:
    $subdomain = false;

    i think that if you change that to:
    $subdomain = true;

    then it will always treat the secure URL as a valid subdomain (whether it is or not).

    might be worth trying that, then re-saving the settings in the plugin's admin page, restart services on the server, clear your browser's cookies for your secure and non-secure domains and try it all again.

  19. onerock
    Member
    Posted 2 years ago #

    Thanks so much! I will give this a shot. Here's to hoping it works.

  20. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    Determining if two domains truly share a common domain by only using string comparisons is not possible. When comparing two domains, it's likely that pieces of the domains will match. It's impossible to determine if that commonality is really a shared domain without knowing all possible top-level and second-level domains. That would require maintaining arrays of top-level and corresponding second-level domains in the code to check against. Due to the rapid change of domain name rules, it would be quite tedious to do that. For example, .uk has many, varying second-level domains.

  21. pjv
    Member
    Posted 2 years ago #

    maybe i'm not taking something into account.

    do you mean that for the purposes of this plugin it wouldn't work to call anything that looks like xxx.abc.def.gh (where xxx could be any arbitrary string) a subdomain of abc.def.gh?

    in other words, if there is a hostname and then a dot and then some arbitrary domain name string and you are comparing that to another host that is identical except for the hostname and dot, wouldn't it always work to call the first one a subdomain of the second for the purposes that this plugin serves?

    sorry if i am being dense.

  22. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    The problem isn't determining if domain A is a subdomain of domain B. The problem is determining what the common domain is between the two domains so that you can then use that common domain as the domain for the cookie. The only reason the subdomain check is done is so the plugin knows to create the extra cookies when logging in. If the plugin can not determine the base domain, it doesn't work anyway. Using simple string comparisons, you can never say for sure what the base domain is.

  23. pjv
    Member
    Posted 2 years ago #

    ahhh so.

    now i get it. thanks for the explanation.

  24. pjv
    Member
    Posted 2 years ago #

    so now i am in production, behind cloudflare, and i am back to subdomain: no, and only getting a cookie (i believe) for the secure host and not sitewide. so i don't appear as logged in (no admin bar) on the http host.

    the problem i now see, i believe identical to @onerock, is not the hostname problem that i solved on my test platform. it is directly and repeatably the result of running the site behind cloudflare. if i have the http host being proxied by cloudflare, then the plugin gives me subdomain: no and i get no admin bar after logging in. if i bypass cloudflare for the http host, i get subdomain: yes and everything works as expected.

    among other things, cloudflare works as a reverse proxy. mike, do you think that changing the proxy setting in the plugin to auto or yes would have the right effect here? what does that proxy setting do?

  25. onerock
    Member
    Posted 2 years ago #

    @pjv - You have described exactly what I am experiencing.

  26. pjv
    Member
    Posted 2 years ago #

    i tried it with proxy set to yes.

    and the plugin did recognize the HTTPS host as a subdomain.

    but it still only sets logged-in cookies for the HTTPS host when the HTTP host is being proxied by cloudflare.

    i have inspected the cookies that are set. with the HTTP host bypassing cloudflare, the plugin sets logged-in cookies for both the HTTP and HTTPS hosts. when i put the HTTP host behind cloudflare, it only sets logged-in cookies for the HTTPS host.

    there are no changes whatsoever in the URLs between these two cases. the HTTPS host is always configured to bypass cloudflare. the only thing that changes is whether or not the HTTP host is being proxied by cloudflare.

  27. pjv
    Member
    Posted 2 years ago #

    on further experimentation, i was wrong about the proxy setting having any effect on the plugin recognizing the HTTPS host as a subdomain. i hadn't realized how much "cleaning up" i need to do to see the result of changing things clearly: clearing caches, saving settings, restarting the php-fpm process... anyway, now that i know all that, i can see that the proxy setting has no effect.

    when i have the HTTP host proxied by cloudflare the plugin will not set a domain-wide cookie.

    given that the HTTPS host is a simple subdomain of the HTTP host, i'm sure that there has to be a relatively simple fix for this. mike: is there anything that i can do to make it easy for you to diagnose? i can set up a user on my site and/or do any experiments that you want to suggest and log results.

    i'm also willing to dig around in the plugin's code and try things if you could point me in the direction of where to start. i've looked through it, and i write code, but not php and i have never done a wp plugin, so the whole structure is a little bewildering to me. i'm thinking that it has to be somewhere in the code that is validating the subdomain, but for the life of me i can't imagine what difference it can make having the HTTP host proxied by cloudflare. it's still the same URL, same hostname, same basename.

  28. Mike Ems
    Member
    Plugin Author

    Posted 2 years ago #

    The proxy setting is for bad proxies that don't properly set the X-Forwarded headers. That is all. You would know if this was the case because nothing would work properly without that setting on Yes.

    I don't know what you're talking about with "cleaning up" but you're probably experiencing redirect caching issues in Google Chrome, not your server.

    You've already identified the code that determines if the site is a subdomain or not. The subdomain check is done upon installation/activation and when the settings are saved. The code simply isn't working in your setup for one reason or another.

    After researching this issue, I came to the conclusion that the best way to handle these situations is to manually set the cookie domain in the wp-config.php. Change it to '.yourdomain.com' to get a site-wide cookie set.

    I am currently working on improving this part of the code and will eventually remove the need for cURL requests to validate the cookie domain.
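Mike's point in posts 20, 22 and 28, as an added example in Python (not the plugin's code): a public-suffix-aware check of whether the HTTP host and the HTTPS host share a base domain, beside the naive string comparison, returning the value that would go into `define('COOKIE_DOMAIN', ...)` in wp-config.php. The `PUBLIC_SUFFIXES` set is a constructed sample of the real Public Suffix List, and the hostnames in the comments are either from this thread or constructed.

```python
from typing import Optional

# Constructed sample of public-suffix rules (the real Public Suffix List is
# far larger); any top-level label not listed here is itself treated as a suffix.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk", "ac.uk"}


def _labels(host: str) -> list[str]:
    return host.lower().strip(".").split(".")


def public_suffix(host: str) -> str:
    """Longest listed suffix of host, e.g. 'co.uk' for 'secure.example.co.uk'."""
    labels = _labels(host)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return labels[-1]  # unlisted TLD (e.g. 'local'): the TLD alone is the suffix


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label ('mydomain.com'); None if host is only a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def naive_cookie_domain(http_host: str, https_host: str) -> Optional[str]:
    """Pure string approach: longest common trailing labels, with a leading dot."""
    a, b = _labels(http_host), _labels(https_host)
    common: list[str] = []
    while a and b and a[-1] == b[-1]:
        common.insert(0, a.pop())
        b.pop()
    return "." + ".".join(common) if common else None


def cookie_domain(http_host: str, https_host: str) -> Optional[str]:
    """Shared registrable domain as a COOKIE_DOMAIN value ('.mydomain.com'), or
    None when the two hosts share no base domain (no single cookie covers both)."""
    base = registrable_domain(http_host)
    if base is None or base != registrable_domain(https_host):
        return None
    return "." + base
```

For mydomain.com and secure.mydomain.com both functions agree on `.mydomain.com`; for example.co.uk and secure.other.co.uk the naive comparison yields `.co.uk`, a public suffix that browsers refuse as a cookie domain, while the suffix-aware check correctly reports that there is no shared base domain.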

  29. pjv
    Member
    Posted 2 years ago #

    thanks, i had no idea you could set the cookie domain in wp-config.

    that seems to be working for me.

  30. Laurence
    Member
    Posted 1 year ago #

    Thank you for the set cookie domain tip. Adding this to the config file fixed the same problem for me that pjv was having. Also, it fixed the post/page previews errors (I was receiving 404 errors).
