I’m using WordPress on an Nginx server proxying to an Apache server which serves the pages. Recently we wanted to force the use of SSL at least in the Admin section, so we installed the WordPress HTTPS plugin. The server sections in Nginx are properly configured, but when I activate the “Force SSL for admin” option I fall into a redirect loop.
I don’t think that it’s a cookie issue. If you need more info, I’ll pass it to you.
I recently struggled with a similar issue, so I’ll offer a couple of additional pieces of information for people who search for this question.
FORCE_SSL_ADMIN option in your wp-config.php file.
/* That's all, stop editing! Happy blogging. */ line.
is_ssl() function is returning false. For example, you may be running behind a reverse proxy that is doing SSL offloading. If that’s the case, then your users enter https://yourwordpresssite, but the SSL offloader handles the decryption and by the time your server receives the request, the request is no longer SSL, and your server sees http://yourwordpresssite. If you’re stuck here, again the codex has good advice, assuming your reverse proxy is properly configured. See the instructions here: (http://codex.wordpress.org/Administration_Over_SSL#Using_a_Reverse_Proxy).
If that still doesn’t work, then your reverse proxy may not be setting the HTTP_X_FORWARDED_PROTO header. Unfortunately, none of this stuff is standardized, and there’s more than one way to indicate that SSL offloading has taken place. The way used by our load balancer (Citrix Netscaler) is with the header Microsoft created called Front-End-Https. You can see this header as one of the common non-standard response headers listed on Wikipedia here: (http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_response_headers). Note that by the time your server sees this header, it will look like HTTP_FRONT_END_HTTPS. Note also that Netscaler doesn’t send this header by default — you have to configure it to add the header. This is documented here, and there’s a nice video demo of how to do it here.
In the end, because we’re doing our entire site with HTTPS only, I elected to use the wordpress-https plugin, which does a good job of handling edge cases (like other WordPress plugins that have hard-coded http:// URLs that will cause warnings on your secure pages). I patched the plugin to recognize the HTTP_FRONT_END_HTTPS header and am submitting a patch to the author, so at some point this should be supported by that plugin.
Good luck!
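The header handling described in the answer above, as an added example for wp-config.php (not part of the original answers and not the plugin's or the codex's own code). The helper name example_request_was_https and the proxy addresses are assumptions made for illustration; the forwarded headers are honored only when the request comes directly from a proxy you operate, because any client can send them.

```php
<?php
// Added example. Place above the "That's all, stop editing!" line in wp-config.php.

// Assumption: addresses of your own reverse proxy / load balancer (constructed values).
$example_trusted_proxies = array('127.0.0.1', '10.0.0.5');

/**
 * Hypothetical helper: was the client-facing request HTTPS, judging by
 * the headers an SSL-offloading proxy adds?
 */
function example_request_was_https(array $server, array $trusted_proxies) {
    // Request reached this server over TLS already; nothing to infer.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Forwarded-scheme headers are client-settable. Honor them only when
    // the direct peer is one of our proxies, and configure the proxy to
    // overwrite (not pass through) any value the client supplied.
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return false;
    }

    // X-Forwarded-Proto: https
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https') {
        return true;
    }

    // Front-End-Https: on
    if (isset($server['HTTP_FRONT_END_HTTPS'])
        && strtolower(trim($server['HTTP_FRONT_END_HTTPS'])) === 'on') {
        return true;
    }

    return false;
}

if (example_request_was_https($_SERVER, $example_trusted_proxies)) {
    // is_ssl() reads this value, so setting it ends the redirect loop.
    $_SERVER['HTTPS'] = 'on';
}

define('FORCE_SSL_ADMIN', true);
```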
The check for is_ssl() is not really the best in WP. You can take this mu-plugin to get a better check. Then simply stick tight to the recommendations of the codex.
Ad the WordPress HTTPS-Plugin) I wouldn’t count too much on this plugin when I look at trunk…
MU-Plugins in Codex
I solved this issue for me by going into the site’s CDN (Cloudflare) and setting the SSL mode to ‘full’.
Previously it was on ‘flexible’ which I suppose was causing or allowing the mix of http and https requests.
Even though I had the CDN on ‘developer’ mode (which I thought stopped the CDN from affecting the site) while I was troubleshooting this issue, the SSL setting still had an effect.