WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 7 years ago

Last modified 7 years ago

#15277 closed enhancement (duplicate)

FORCE_SSL_LOGIN or _ADMIN go to death loops when using a load-balancer

Reported by: jackewit
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.1
Component: Security
Keywords: needs-patch
Focuses:
Cc:

Description

Dear community,

First of all, I have to apologize for my English pronunciation. I am not a native speaker.

Now, here is my problem or rather my feature request and patch.

Problem

I use WordPress in an infrastructure with a load balancer (hardware) in front of two web servers in a DMZ, and behind the DMZ the database server. And (that is important) the connections between the load balancer and the web servers are always HTTP, not HTTPS. The SSL certificate is installed on the load balancer. So the HTTPS connection is only between the client (browser) and the load balancer.

Now I want to use SSL for the login and admin sections.

If I use FORCE_SSL_ADMIN or _LOGIN I get into a death loop, because:

1) connection client -> load balancer: https
2) connection load balancer -> webserver: http
3) webserver WordPress -> client: reload to https because of FORCE_SSL_*

4) connection client -> load balancer: https
5) connection load balancer -> webserver: http
6) webserver WordPress -> client: reload to https because of FORCE_SSL_*

7) goto 4 or 1

Feature Request

I want a FORCE_SSL_* light. Something like USE_SSL_* that does not make a redirect.

Patch (see attached)

I defined two constants, USE_SSL_LOGIN and USE_SSL_ADMIN, like the FORCE_SSL_*, and the functions use_ssl_admin and use_ssl_login, like the force_ssl_*. And I integrated these functions into the function get_site_url in wp-includes/link-template.php.

On my installation, it works.

It would be great if you could take over these two config constants.

I hope I have described my problem and solution clearly.

Great tool ... Iver Jackewitz

Attachments (1)

use_ssl_login_admin.patch (4.6 KB) - added by jackewit 10 years ago.
patch for the idea of a USE_SSL_LOGIN and USE_SSL_ADMIN
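
The loop in steps 1 to 7 of the description, modelled from the web server's side, as an added example (not part of the ticket, the attached patch, or WordPress core). It assumes the load balancer sets an `X-Forwarded-Proto` header and sits at the constructed address `10.0.0.5`; the function names and sample requests are hypothetical.

```php
<?php
// Added illustration, not WordPress code. All names and addresses are constructed.

const TRUSTED_PROXIES = ['10.0.0.5']; // assumption: the load balancer's DMZ address

// What a backend can see on its own: the scheme of the hop that reached it.
function backend_sees_https(array $server): bool {
    return isset($server['HTTPS'])
        && in_array(strtolower($server['HTTPS']), ['on', '1'], true);
}

// Honour X-Forwarded-Proto only when the direct peer is the load balancer.
// Any client can send this header, so it is ignored from every other peer.
function client_used_https(array $server): bool {
    if (backend_sees_https($server)) {
        return true;
    }
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return in_array($peer, TRUSTED_PROXIES, true) && $proto === 'https';
}

// Redirect target a forced-SSL check would issue, or null to serve the page.
function forced_ssl_redirect(array $server, callable $is_https): ?string {
    if ($is_https($server)) {
        return null;
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Constructed requests as the web server receives them (always plain HTTP).
$via_lb_https = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'blog.example',
                 'REQUEST_URI' => '/wp-login.php', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$via_lb_http  = ['HTTP_X_FORWARDED_PROTO' => 'http'] + $via_lb_https;
$spoofed      = ['REMOTE_ADDR' => '203.0.113.9'] + $via_lb_https;

$cases = ['via LB, client https' => $via_lb_https,
          'via LB, client http' => $via_lb_http,
          'direct, header spoofed' => $spoofed];
foreach ($cases as $label => $req) {
    // "naive" redirects a client that is already on https: the death loop.
    $naive = forced_ssl_redirect($req, 'backend_sees_https');
    $aware = forced_ssl_redirect($req, 'client_used_https');
    printf("%-24s naive: %-36s proxy-aware: %s\n",
           $label, $naive ?? 'serve', $aware ?? 'serve');
}
```

In a WordPress install the equivalent step is to set `$_SERVER['HTTPS'] = 'on'` early in `wp-config.php` when this check passes, so the existing forced-SSL logic sees the client's scheme.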


Change History (8)

@jackewit
10 years ago

patch for the idea of a USE_SSL_LOGIN and USE_SSL_ADMIN

#1 @Denis-de-Bernardy
10 years ago

@Jack: another solution is to install the certificate on each Apache box, assuming your certificate is valid for a domain rather than an IP.

#2 @nacin
10 years ago

I'd rather see a filter that can toggle the redirect, or allow for this, over another constant (if it's necessary).

#3 @nacin
10 years ago

  • Keywords needs-patch added; SSL removed
  • Milestone changed from Awaiting Review to Future Release
  • Type changed from feature request to enhancement

#4 @jackewit
10 years ago

@Denis: I've got 10 domains linking to my 2 web servers via a multi-SSL-certificate. My technicians here will only install this certificate on the load balancer.

@nacin: "I'd rather see"??? Hmmm, well I'm not a native speaker so I'm not understanding your comment. Did you mean: I don't like the idea of new constants to toggle this - or - for me, it's okay.

#5 @skinnydog
10 years ago

Just got bit by this bug. Would be great if this functionality could be in core. Adding an SSL cert to each web server behind a LB is not a solution.

#6 @willnorris
7 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #15733.

#7 @helen
7 years ago

  • Milestone Future Release deleted