
Configuring WordPress with FORCE_SSL_ADMIN with shared SSL and hardware load balancing

While updating our WordPress configuration to deal with a semi-related problem, I wanted to move from the configuration we'd been using, which only required the login to WordPress to be sent over SSL, to a more secure model that requires the entire administrative session to be encrypted.

These two choices (FORCE_SSL_LOGIN and FORCE_SSL_ADMIN) are controlled via settings in the wp-config.php file.  They're detailed at WordPress.org if you're looking for more information.

After modifying wp-config.php to set FORCE_SSL_ADMIN to true, any attempt to access the WordPress admin resulted in a "Too many redirects" error: the administrative interface was stuck in an infinite redirect loop. The cause is the way the is_ssl() function in wp-includes/functions.php decides whether a request is encrypted, combined with an "out of the box" incompatibility with SSL being terminated at a hardware load balancer that serves a shared wildcard certificate. The load balancer handles the encryption, so the web server itself only ever sees plain HTTP and is_ssl() keeps returning false even though the client is connected over HTTPS.

Fortunately, WordPress includes information on how to resolve this issue in their "Administration Over SSL" article.  The relevant portion is quoted below:

Using a Reverse Proxy

If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

Example

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
// Only honour the header when the proxy actually sent it; otherwise PHP
// raises an "undefined index" notice and the request is treated as plain HTTP.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
       $_SERVER['HTTPS'] = 'on';

What this bit of code does is first instruct WordPress to require that all interaction with the admin be done over SSL.  It then expects the hardware load balancer to pass an X-Forwarded-Proto header (which PHP exposes as the HTTP_X_FORWARDED_PROTO server variable) letting WordPress know that the request came in to the load balancer as an HTTPS request.  From there, the local server variable that WordPress checks in its is_ssl() function can be set to match the value provided by the load balancer, so the function works properly and the infinite redirect loop is avoided.  Note what this trades away: the decision "was this request encrypted?" now rests entirely on a header, so the web server must only be reachable through the load balancer; if a client can reach it directly, the client can send that header itself.
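As an added example (not code from the original post, from WordPress, or from F5), here is a hardened form of that wp-config.php fragment. Beyond the documented snippet it only trusts the header when the request arrives from the load balancer's own addresses, tolerates the header being absent, and treats anything other than an exact "https" as plaintext. The proxy addresses 10.0.0.10 and 10.0.0.11 and the example_ function name are assumptions for illustration, not values from the post.

```php
<?php
// Added example: a hardened version of the wp-config.php fragment for WordPress
// behind a TLS-terminating load balancer. Not the original post's code and not
// WordPress's own snippet. Place it above the "That's all, stop editing!" line.
//
// Assumptions (not from the original post): the load balancer reaches the web
// servers from 10.0.0.10 or 10.0.0.11 and sets X-Forwarded-Proto on every
// request it forwards. The example_ names are illustrative.

define('FORCE_SSL_ADMIN', true);
// FORCE_SSL_LOGIN is deliberately not defined: WordPress 4.0 deprecated it in
// favour of FORCE_SSL_ADMIN, which already covers the login form.

// Only the load balancer may tell WordPress which scheme the client used. If
// the web server is reachable directly, any client could send
// "X-Forwarded-Proto: https" and make is_ssl() true on a plaintext connection,
// which is the opposite of what FORCE_SSL_ADMIN is meant to guarantee.
$example_trusted_proxies = array('10.0.0.10', '10.0.0.11');

/**
 * Decide whether the original client connection was HTTPS, based only on a
 * header set by a trusted proxy. Returns false in every doubtful case.
 */
function example_request_is_https(array $server, array $trusted_proxies)
{
    // Header missing (the situation in the post before the iRule was added):
    // no notice, no trust, the request is treated as plain HTTP.
    if (!isset($server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_PROTO'])) {
        return false;
    }
    // Header present but not from the balancer: ignore it.
    if (!in_array($server['REMOTE_ADDR'], $trusted_proxies, true)) {
        return false;
    }
    // A balancer that appends rather than replaces the header can leave a
    // merged value such as "https, http" when the client sent its own copy.
    // Only an exact "https" counts, so a client-supplied header can never
    // upgrade a plaintext request.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO']));
    return $proto === 'https';
}

if (example_request_is_https($_SERVER, $example_trusted_proxies)) {
    // is_ssl() returns true when $_SERVER['HTTPS'] is "on" or "1", so this
    // single assignment is enough; SERVER_PORT does not need to be touched.
    $_SERVER['HTTPS'] = 'on';
}
```

The REMOTE_ADDR check is what makes the header safe to trust; if the balancer's source addresses change, the list must be updated or every admin request will silently fall back to plain HTTP and the redirect loop returns.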

Unfortunately, this configuration did not work for us initially.   After a bit of troubleshooting, it became clear that our load balancer wasn’t passing an HTTP_X_FORWARDED_PROTO variable at all – which presents a bit of a problem if you’re attempting to use it later to set the value of another variable.

The missing piece of the puzzle was working with our great Systems guys to get an iRule added at the load balancer that inserts the appropriate value for HTTPS requests and passes the header along to the web server, where it can be used by the wp-config.php code.

The iRule itself looks like this:

when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-Proto "https"
}

More information on this iRule, including the context of the thread the final solution was found in is available at this link.

UPDATED: To make sure that an X-Forwarded-Proto header is inserted correctly whether the request was HTTP or HTTPS, another iRule was added just like the first, but with the value http instead of https.  Each iRule was then added to its respective Virtual Server's Resources tab.

To set X-Forwarded-Proto using iRules you must use two separate iRules if the header is required for both HTTP and HTTPS.  The rules are written as follows:

-http

when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-Proto http
}

-https

when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-Proto https
}

The first iRule (http) is attached to the HTTP virtual server on the F5; the second to the HTTPS virtual server.

The same result can be achieved without iRules, which is the preferred approach, by modifying the HTTP profile attached to each virtual server.  On the HTTP virtual server's profile, go to the "Request Header Insert" field and enter "X-Forwarded-Proto:http"; do the same on the HTTPS virtual server's profile, entering "X-Forwarded-Proto:https".  Either way, keep in mind that both the iRule and the profile setting insert the header rather than overwrite any copy the client already sent, so the wp-config.php check must compare against the exact value "https" rather than merely test whether the header exists, and the web servers should accept traffic only from the load balancer so the header cannot be spoofed from outside.
