WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#26800 closed defect (bug) (fixed)

Multisite is hardcoded to redirect to http:// for invalid domains

Reported by: glen.pike.hf Owned by:
Milestone: 3.9 Priority: low
Severity: minor Version: 3.0
Component: Bootstrap/Load Keywords: has-patch dev-feedback
Focuses: multisite Cc:
PR Number:

Description

We have a multisite installation configured for sub-folders, which is served to the non-logged-in users over SSL.

Scenario is that WP is used as a help system with a number of language / feature translations for different levels of customer. The install sits on a server behind a proxy serving on SSL. Customers will have different domains depending on who they are, but their help should be served from the default site.

If we use any domain which does not match the DOMAIN_CURRENT_SITE value, the user is redirected to DOMAIN_CURRENT_SITE + PATH_CURRENT_SITE, etc.

The problem we have is that ms-settings.php is hardcoded to use "http://" for this redirection. This breaks our site for users as we don't serve on port 80.

The request is to change ms-settings.php to check for SSL and use the correct protocol for redirection.

We've tried some different plugins to resolve this, but have not successfully managed to avoid the initial redirection.

Setup:

Configure server to use SSL only.
Install Wordpress in a subdirectory of the web server's document root.
Enable multisite and configure.
Add a second site.
Create a "dummy" domain in your hosts file to point at the server.
Visit the Wordpress install using the dummy domain on SSL

Attachments (1)

26800-mu-ssl-redirect.patch (1.5 KB) - added by glen.pike.hf 6 years ago.
has-patch needs-testing

Download all attachments as: .zip

Change History (9)

@glen.pike.hf
6 years ago

has-patch needs-testing

#1 @johnbillion
6 years ago

  • Component changed from General to Multisite
  • Keywords has-patch added
  • Summary changed from Wordpress Multisite is hardcoded to redirect to http:// for invalid domains to Multisite is hardcoded to redirect to http:// for invalid domains
  • Type changed from enhancement to defect (bug)

Related: #20204

#2 follow-up: @jeremyfelt
6 years ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to low
  • Severity changed from normal to minor
  • Version changed from 3.8 to 3.0

Relevant code in ms-settings.php

if ( $current_site && ! $current_blog ) {
	if ( $current_site->domain != $_SERVER[ 'HTTP_HOST' ] ) {
		header( 'Location: http://' . $current_site->domain . $current_site->path );
		exit;
	}

It seems the answer here isn't necessarily checking for the scheme of the request, but checking for a desired scheme assigned to the $current_site->domain the redirect will be made to. If the domain requested is invalid, there's nothing saying that the scheme is valid.

For this block of code in ms-settings.php, that would be likely be a network level setting as we're redirecting to the network's main page.

I guess one question would be whether forcing SSL in this scenario should occur in WordPress core, or in the web server configuration as an immediate redirect.

#3 @jeremyfelt
6 years ago

Thanks @glen.pike.hf for taking the time to report and submit the patch!

#4 @jeremyfelt
6 years ago

  • Component changed from Multisite to Bootstrap/Load
  • Focuses multisite added

#5 in reply to: ↑ 2 @glen.pike.hf
6 years ago

It seems the answer here isn't necessarily checking for the scheme of the request, but checking for a desired scheme assigned to the $current_site->domain the redirect will be made to. If the domain requested is invalid, there's nothing saying that the scheme is valid.

That makes sense to me.

I guess one question would be whether forcing SSL in this scenario should occur in WordPress core, or in the web server configuration as an immediate redirect.

Our particular Wordpress setup is such that we have a WP host on port 80, but it is behind a proxy serving on SSL. The visitor sees WP on https:// but Wordpress' Apache config is not.

#6 @hopetommola
5 years ago

I think this may be related to the issue I'm having, so prior to submitting a new ticket, I thought I would comment. We have a subdirectory multisite installed with https set up on the server. All pages were being called through https, but the media in the pages and posts were http, thus throwing browser errors.

After scrutiny, the short story is all media is forced http, because the home and siteurl urls are somehow hardcoded to http, even though the main blog is https. And the issue can be completely and fully resolved by manually adding "the magic s" to the home and siteurl urls in the wp_X_options table related to that subsite.

This ticket was mentioned in Slack in #core by jeremyfelt. View the logs.


5 years ago

#8 @jeremyfelt
5 years ago

  • Milestone changed from Future Release to 3.9
  • Resolution set to fixed
  • Status changed from new to closed

It looks like this was fixed as a side effect of [27663] for #21143. We now use the scheme of the request to build the redirect URL.

Last edited 5 years ago by jeremyfelt (previous) (diff)
Note: See TracTickets for help on using tickets.