I have an installation of WordPress on my EC2 instances with an ELB in front of them.
Currently my ELB listeners look like this:
Protocol  Port  Forward-Protocol  Port
HTTP      80    HTTP              80
HTTPS     443   HTTPS             443
Inside my .htaccess file I have a redirect to https in case the connection is not secured:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
That way I’m sure that my site is only accessed through https.
AWS ELB best practice is to forward https requests to the instance's http port, to avoid instance overhead and double https processing.
The problem is that WordPress then tries to load some of the content from an unsecured site, which prevents my site from being sealed.
What’s the right approach? Should I leave it https to https? If not, is there a way to force WordPress to load content only from https sites?
You have to make sure that WordPress outputs every resource URL with https.
You can use this https plugin to do so: it can rewrite the URLs of external sites too, to make sure they use the correct protocol.
However:
If point 2 is not satisfied, you could set up a reverse proxy to serve the site’s contents through your domain (you still have to use the plugin to rewrite the site’s URLs).
I’ve found that to get WordPress working with HTTPS the following settings are necessary in wp-options.php:
Documentation:
https://codex.wordpress.org/Administration_Over_SSL
This should allow you to log in, and then update the site URL with the https protocol.
Without these settings, after switching to an HTTPS AWS ELB, the site was unusable:
I had to use these settings for AWS ELB, and for an Apache SSL direct.
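
As an added example (not code from any of the posts above, and not the settings the last answer refers to), here is one way to make WordPress treat requests as HTTPS when the ELB terminates TLS and forwards plain HTTP with X-Forwarded-Proto, as in the question. It goes one step beyond the thread by honouring the header only when the connection comes from the load balancer; the CIDR `10.0.0.0/16` and the helper function names are assumptions to replace with your own values.

```php
<?php
// Added example for wp-config.php; place it above the "stop editing" line.
// ASSUMPTION: 10.0.0.0/16 is a placeholder for the subnets your ELB nodes use.
const TRUSTED_PROXY_CIDRS = ['10.0.0.0/16'];

/** Hypothetical helper: true when IPv4 $ip lies inside $cidr ("a.b.c.d/n"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // not IPv4, or a malformed CIDR: never trust
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Hypothetical helper: true when the TCP peer is one of the trusted proxies. */
function request_is_from_trusted_proxy(array $server): bool
{
    $remote = $server['REMOTE_ADDR'] ?? ''; // unset under WP-CLI or cron
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            return true;
        }
    }
    return false;
}

// The ELB reports the client's original scheme in X-Forwarded-Proto.
// Honour it only when the peer is the load balancer, so a client that
// reaches the instance directly cannot simply claim "https".
$proto = strtolower(trim($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? ''));
if ($proto === 'https' && request_is_from_trusted_proxy($_SERVER)) {
    $_SERVER['HTTPS'] = 'on'; // WordPress's is_ssl() checks this value
}

// Require HTTPS for wp-login.php and the admin area.
define('FORCE_SSL_ADMIN', true);
```

With `$_SERVER['HTTPS']` set this way, WordPress builds its own asset URLs with https once the site URL uses https; URLs hard-coded as http:// in posts or themes still need rewriting. Restricting the instance security group so that only the ELB can reach port 80 closes the direct-access path at the network level as well.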