How to fix WordPress HTTPS issues when behind an Amazon Load Balancer?

Question

I've had this issue before. When running WordPress (or other PHP scripts) behind Amazon's EC2 Load Balancer, the scripts do not realize they are being ran on the https:// protocol and results in issues such as endless redirect loops, and HTTPS warnings ("Some content on this page is being requested in a non-secure way...").

I found a solution here, but requires modifying WordPress core, which is no good for updatability: https://wordpress.org/support/topic/when-behind-amazon-web-services-elastic-load-balancer-causes-endless-redirect

Is there a way to fix this without modifying WordPress core? I am using Apache 2.2.

score 86 · Accepted Answer · edited Jul 26 '20 at 10:47

86

Like the link, you gave suggested, for WordPress the issue lies in the is_ssl() function, which like most PHP software explicitly checks the $_SERVER['HTTPS'] and $_SERVER['SERVER_PORT'] to check if the current page is being accessed in the https:// context.

When your page is accessed over HTTPS, but the Amazon Load Balancer is performing SSL offloading and actually requesting your content on the non-SSL port 80, the webserver, PHP, or anything else for that matter, does not understand or see that it's being accessed over https://.

The fix for this is that Amazon's ELB sends the de-facto standard X-Forwarded-Proto HTTP header, which we can use to figure out which protocol the client is actually using on the other side of the Load Balancer.

With Apache 2.2, you could use something along the lines of:

<IfModule mod_setenvif.c>
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS
</IfModule>

This simply reads the X-Forwarded-Proto header. If this value equals https then the HTTPS environment variable is set to 1. PHP will see this environment variable, and eventually, it will become $_SERVER['HTTPS'] that equals 1 -- just like it would be for a "real" native SSL request.

edited Jul 26 '20 at 10:47

MLavoie

9,671
41
36
56

answered Jun 08 '15 at 06:29

A.B. Carroll

2,404
2
17
19

2

Works fine, you need to make sure you've enabled the apache2 module setenvif. – Kladskull May 15 '17 at 17:47
simply added to the apache configuration (image from bitnami) and it works. – sebge2 Jan 19 '18 at 17:44
Note that many proxy situations use X-Forwarded-Scheme in a synonmous fashion. Generally safe to set both. – djsadinoff Feb 15 '18 at 09:57
1

Works on Apache2.4 as well – Jeremy Oct 09 '18 at 19:07
This answer works best for me because it doesn't only just work on Wordpress, it works on Laravel as well. – Tan Jia Ming Mar 06 '20 at 02:35

zeroimpl · Answer 2 · 2020-05-18T14:39:43.640

43

Another option from the WordPress documentation is to add this to your wp-config.php:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
       $_SERVER['HTTPS']='on';

edited May 18 '20 at 14:39

answered Jan 29 '17 at 04:29

zeroimpl

2,746
22
19

This is the method I used. Any idea how to force people to HTTPS if they access the page via HTTP? – Matt Winer Feb 02 '17 at 21:59
You could try adding `force_ssl_content(true);` to the wp-config.php as well. Normally I would do that via an Apache rewrite rule or in the load balancer config though. – zeroimpl Feb 03 '17 at 03:30
@MattWiner if you're using AWS ELB, you need to configure a separate listener on port 80, route that through to your EC2 server on another port (81 for example) and there do a url rewrite to redirect any requests to the HTTPS version of the original URL. Then the web browser will request the HTTPS url instead. – Action Dan May 12 '18 at 22:06
Simple and clean solution +1. Worked for my WordPress site serving on HTTP behind AWS load balancer, which has SSL enabled. – ejazazeem Jan 08 '19 at 21:08
you can now configure redirects from http to https on the application load balancer directly – wkhatch Mar 05 '19 at 02:51

score 15 · Answer 3 · edited Aug 09 '23 at 20:11

15

In case anyone else was looking for the Nginx equivalent to this, here's what you need to do:

To ensure browsers use https, you can add the following under the server block:

if ($http_x_forwarded_proto != 'https') {
    return 301 https://$host$request_uri;
}

And for setting the HTTPS param you should add the following under the location ~ \.php$ block:

if ($http_x_forwarded_proto = 'https') {
    set $fe_https 'on';
}
fastcgi_param HTTPS $fe_https;

Remember to remove any other fastcgi_param HTTPS command if you have any (I had it in my fastcgi_params file).

edited Aug 09 '23 at 20:11

Tyler Collier

11,489
9
73
80

answered Oct 27 '17 at 22:28

Gal Talmor

1,004
9
14

1

You saved my butt in production! Cheers! – Paté Dec 16 '17 at 04:53
1

Glad to help. Cheers :) – Gal Talmor Dec 17 '17 at 09:47

score 13 · Answer 4 · edited Apr 13 '19 at 17:45

Use this 4 step method to remove the redirect loop and mixed content problems when using ssl in WordPress.

1) Replace 'http://' with '//' in database - This create all the relative url's for images and other assets

2) in wp-config, define generic wp_home and wp_siteurl variables.

define('WP_HOME','//'. $_SERVER['SERVER_NAME']);
define('WP_SITEURL','//'. $_SERVER['SERVER_NAME']);

3) If you are using load balancer, use 'HTTP_X_FORWARDED_PROTO' server variable to figure out protocol used. To do this, add this line in wp-config

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
$_SERVER['HTTPS']='on';

4) Finally in .htaccess, use this line if you are behind loadbalancer to redirect all traffic to https.

 # http to https
 RewriteCond %{HTTP:X-Forwarded-Proto} =http
 RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

This solution could be pointed out the ELB from port 443 to 80 — Amirul, Jun 27 '19 at 09:42

score 5 · Answer 5 · answered Jul 10 '17 at 13:45

Neither of the above solved the Mixed Content errors for me unfortunately. However what did work was adding the protocol to the WP_HOME && WP_SITEURL variables in wp-config.php e.g.

define( 'WP_HOME', 'https://' . $_SERVER['HTTP_HOST']); define( 'WP_SITEURL', WP_HOME );

After that all URLs in the source began with https and all the Mixed Content errors disappeared.

score 2 · Answer 6 · answered Apr 06 '22 at 05:54

My Server Environment is: Ubuntu 20.04.3 LTS, PHP 8.0.11, nginx/1.18.0

The following settings in /etc/nginx/sites-available/default worked for me:

server {

    listen 80;
    listen [::]:80;
    root /var/www/html;
    index  index.php index.html index.htm;
    server_name ChangeDomainName.com www.ChangeDomainName.com;

    if ($http_x_forwarded_proto != 'https') {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location / {
            try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php8.0-fpm.sock;
            if ($http_x_forwarded_proto = 'https') {
                set $fe_https 'on';
            }
            fastcgi_param HTTPS $fe_https;
            fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

score 0 · Answer 7 · answered May 04 '23 at 12:50

Regarding almost perfect @A.B. Carroll answer, I would suggest to set this enviroment variable to "on":

<IfModule mod_setenvif.c>
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
</IfModule>

In my Dockerfile I am including this line to solve Apache issues with working behind reverse proxy (ie Traeffik):

RUN echo "<IfModule mod_setenvif.c>\nSetEnvIf X-Forwarded-Proto \"^https$\" HTTPS=on\n</IfModule>" > /etc/apache2/conf-enabled/ssl_offload.conf

How to fix WordPress HTTPS issues when behind an Amazon Load Balancer?

7 Answers7

Linked