WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 10 months ago

#38273 closed defect (bug) (duplicate)

HTTPS install is broken

Reported by: yohgaki
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Upgrade/Install
Keywords:
Focuses:
Cc:
PR Number:

Description

HTTPS install results in no admin access.

ENV

OS: CentOS7 (Both reverse proxy and apache server)
Nginx: 1.10.1 (Default package)
Apache: 2.4.6 (Default package)
PHP: 7.1RC3 (remi-php71 repository)

STEP

  1. Set up web system so that only HTTPS is used. All HTTP traffic is redirected to HTTPS by nginx reverse proxy, backend web server is apache that only waits HTTP. (" add_header Content-Security-Policy upgrade-insecure-requests; " is needed for nice installation page, but this is minor issue)
  2. Add $_SERVER['HTTPS']='on'; to wp-config.php to avoid redirect loop.
  3. Install new wordpress to the server.
  4. Login with the new account created.
  5. Login succeeds, but the account does not have any admin page permission.

Since the first admin account cannot do anything, system is completely unusable.

NOTES

Install with HTTP then switching to HTTPS results in the same. i.e. Change site url config to https:// from http://.

This could be a 7.1 bug. I don't see any PHP errors in the log.

Change History (6)

#1 @dd32
3 years ago

  • Keywords reporter-feedback added

> add_header Content-Security-Policy upgrade-insecure-requests; is needed for nice installation page, but this is minor issue
> Add $_SERVER['HTTPS']='on'; to wp-config.php to avoid redirect loop.

This part sounds like the HTTPS status from nginx isn't being passed through to PHP correctly.
Can you provide example contents of $_SERVER on your install before WordPress loads?

#2 @yohgaki
3 years ago

I've tried with standalone https server. You can reproduce this with local self signed certificate https server also. (Just ignore TLS warnings/errors)

Install with "https://" URL or change site URL from "http://" to "https://" after install.

Last edited 3 years ago by yohgaki

#3 @dd32
3 years ago

> All HTTP traffic is redirected to HTTPS by nginx reverse proxy, backend web server is apache that only waits HTTP

I missed this when reading the ticket.

In short: you should consider configuring your nginx/apache configuration better. Apache (and therefore PHP & WordPress) has no idea that it's running in an SSL environment, which is the root cause of your bad experience.

The standard method would be using X-Real-IP and X-Forwarded-Proto to pass the end user's IP and the SSL status through to Apache, which, when combined with the appropriate Apache configs, would allow everything to work transparently.

In longer form..
WordPress is unable to detect that it's running on an SSL service; it sees HTTP requests, attempts to redirect to HTTPS requests and ends up in a loop.
During install, WordPress attempts to determine its own URL, and not seeing the HTTPS protocol, sets it to a http:// URL.

In the event your server is not configured to pass through the HTTPS status, then it's up to you to setup WordPress correctly.
That involves either a) creating the wp-config.php file manually, and adding $_SERVER['HTTPS']='on'; to it prior to install or b) installing WordPress, and correcting the siteurl and home options in the database to https:// (or using the constants in wp-config.php).

In that case, WordPress has no idea that it's being installed on an HTTPS service until you add $_SERVER['HTTPS']='on'; to your wp-config.php file. As a result, it's up to you to configure the service correctly (both at the nginx & apache layers) and/or set the URLs for WordPress correctly.

I'm going to close this as a duplicate of #15733 and the many many many other tickets about SSL and bad server configs.

#4 @yohgaki
3 years ago

Thank you for your comment!!
It turned out my wp-config.php was wrong. Apologies for confusion. It seems I messed up /etc/hosts.

https://codex.wordpress.org/Administration_Over_SSL
It says "Note: FORCE_SSL_ADMIN should be set before wp-settings.php is required.", but it does not state any other SSL related constant/vars must be defined before wp-settings.php.

BAD - This only fixes redirect loop!

<?php
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
$_SERVER['HTTPS']='on'; // <<== Fix redirect loop, but it does NOT work.

GOOD

<?php
$_SERVER['HTTPS']='on';
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

I append additional config at the end of config file mostly. If BAD config didn't fix redirect loop, I might have noticed my mistake earlier. I think it may be good to mention this explicitly in the document, or better yet add comment that "wp-settings.php" should be included after additional var/constant definitions.

For the record, the working wp-config.php (output of "tail -n 30 wp-config.php") is:

 
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** SSL Support **/
function isSecure() {
  if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    return TRUE;
  }
  return FALSE;
}

$web_site     = 'blog.ohgaki.net';
$schema       = isSecure() ? 'https://' : 'http://';
$web_site_url = $schema . $web_site;
 
define('WP_HOME',    $web_site_url);
define('WP_SITEURL', $web_site_url);

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php'); // <<== THIS MUST BE AT THE END OF wp-config.php

Last edited 3 years ago by yohgaki

#5 @rubo77
13 months ago

  • Severity changed from normal to blocker
  • Version changed from 4.6.1 to 4.9.8

This is still broken!

I had to fix it on my installation by adding this line to the default wp-config-sample.php:

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') $_SERVER['HTTPS']='on';

I made sure that I put it before the following line:

require_once(ABSPATH . 'wp-settings.php');

Last edited 13 months ago by rubo77
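
An added example, not code from this ticket or from WordPress: comments #3 to #5 derive $_SERVER['HTTPS'] from X-Forwarded-Proto, and a backend that can be reached other than through the proxy would accept that header from any client. This wp-config.php fragment honours the header only when the request arrives from the proxy; TRUSTED_PROXIES, forwarded_https() and the sample addresses are assumptions.

```php
<?php
// Added example, not WordPress core code.
// Assumption: REMOTE_ADDR is the reverse proxy's own address as seen by the
// backend (i.e. it has not been rewritten to the client IP by mod_remoteip).
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5']; // constructed sample values

/**
 * True only when the request came from a trusted proxy AND that proxy
 * reported the client-facing connection as HTTPS. A missing header is
 * handled without raising an undefined-index notice.
 */
function forwarded_https(array $server, array $trusted): bool
{
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));

    return in_array($peer, $trusted, true) && $proto === 'https';
}

// In wp-config.php this block must come BEFORE the line
// require_once(ABSPATH . 'wp-settings.php'); as comment #4 found out.
if (forwarded_https($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';
}

// Demonstration on constructed requests; runs only from the command line,
// never when the file is loaded by a web request.
if (PHP_SAPI === 'cli') {
    $samples = [
        'proxy, https'          => ['REMOTE_ADDR' => '10.0.0.5',
                                    'HTTP_X_FORWARDED_PROTO' => 'https'],
        'proxy, http'           => ['REMOTE_ADDR' => '10.0.0.5',
                                    'HTTP_X_FORWARDED_PROTO' => 'http'],
        'direct, client header' => ['REMOTE_ADDR' => '203.0.113.7',
                                    'HTTP_X_FORWARDED_PROTO' => 'https'],
        'direct, no header'     => ['REMOTE_ADDR' => '203.0.113.7'],
    ];
    foreach ($samples as $label => $server) {
        $result = forwarded_https($server, TRUSTED_PROXIES) ? 'HTTPS=on' : 'unchanged';
        printf("%-22s => %s\n", $label, $result);
    }
}
```

Only the first sample yields HTTPS=on; the request that bypasses the proxy and supplies its own header is left unchanged.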

#6 @desrosj
10 months ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from blocker to normal
  • Status changed from new to closed
  • Version 4.9.8 deleted

I am going to close this one out as a duplicate of #15733 (the original suggestion). As expressed in #38273:comment#, WordPress has no way of detecting if it is running on an SSL service and $_SERVER['HTTPS'] = 'on'; is required in the wp-config.php file.

@rubo77 it seems that you are describing the same issue, but I can't say for sure without more information. If you are still experiencing an issue, please open a new ticket with more details.
