#15277 closed enhancement (duplicate)
FORCE_SSL_LOGIN or _ADMIN go to death loops when using an load-balancer
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.0.1 |
Component: | Security | Keywords: | needs-patch |
Focuses: | Cc: |
Description
Dear community,
first of all, I had to apologize for my english pronunciation. I am not a native speaker.
Now, here is my problem or rather my feature request and patch.
Problem
I use WordPress in an infrastructure with a load-balancer (hardware) before two webserver in a dmz and behind the dmz the database server. And (that is important) the connections between the load balancer and the webserver are always http - not https. The ssl certificate is installed on the load balancer. So the https connection is only between the client (browser) and the load balancer.
Now a want to use ssl for login and admin section.
IF I use FORCE_SSL_ADMIN or _LOGIN I got into a death loop, because:
1) connection client -> load balancer: https
2) connection load balancer -> webserver: http
3) webserver WordPress -> client: reload to https because of FORCE_SSL_*
4) connection client -> load balancer: https
5) connection load balancer -> webserver: http
6) webserver WordPress -> client: reload to https because of FORCE_SSL_*
7) goto 4 or 1
Feature Request
I want a FORCE_SSL_* light. Something like USE_SSL_* but do not make a redirect.
Patch (see attached)
I defined two constants USE_SSL_LOGIN and USE_SSL_ADMIN like the FORCE_SSL_* and the functions use_ssl_admin, use_ssl_login like the force_ssl_*. And I integrate these functions in the function get_site_url in wp-includes/link-template.php
At my installation, it works.
It would be great, if you can take over these two config constants.
I hope I could descriped my problem and solution clearly.
Great tool ... Iver Jackewitz
Attachments (1)
Change History (8)
#1
@
14 years ago
@Jack: another solution is to install the certificate on each apache box, assuming your certificate is valid for a domain rather than an IP.
#2
@
14 years ago
I'd rather see a filter that can toggle the redirect, or allow for this, over another constant (if it's necessary).
#3
@
14 years ago
- Keywords needs-patch added; SSL removed
- Milestone changed from Awaiting Review to Future Release
- Type changed from feature request to enhancement
#4
@
14 years ago
@Denis: I've got 10 Domains linking to my 2 Webserver via a multi-SSL-certificate. My technicans here will only install this certificate on the load balancer.
@nacin: "I'd rather see"??? Hmmm, well I'm not a native speaker so I'm not understanding your comment. Have you ment: I don't like the idea of new constants to toogle this - or - for me, it's okay.
#5
@
14 years ago
Just got bit by this bug. Would be great if this functionality could be in core. Adding a SSL cert to each web server behind a LB is not a solution.
patch for the idea of a USE_SSL_LOGIN and USE_SSL_ADMIN