WordPress.org

Make WordPress Core

Opened 21 months ago

Last modified 21 months ago

#38273 new defect (bug)

HTTPS install is broken

Reported by: yohgaki
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.6.1
Component: Upgrade/Install
Keywords: reporter-feedback
Focuses:
Cc:

Description

HTTPS install results in no admin access.

ENV

  • OS: CentOS7 (Both reverse proxy and apache server)
  • Nginx: 1.10.1 (Default package)
  • Apache: 2.4.6 (Default package)
  • PHP: 7.1RC3 (remi-php71 repository)

STEP

  1. Set up the web system so that only HTTPS is used. All HTTP traffic is redirected to HTTPS by the nginx reverse proxy; the backend web server is Apache, which only waits for HTTP. ("add_header Content-Security-Policy upgrade-insecure-requests;" is needed for a nice installation page, but this is a minor issue.)
  2. Add $_SERVER['HTTPS']='on'; to wp-config.php to avoid a redirect loop.
  3. Install a new WordPress on the server.
  4. Log in with the new account created.
  5. Login succeeds, but the account does not have any admin page permission.

Since the first admin account cannot do anything, the system is completely unusable.

NOTES

Installing with HTTP and then switching to HTTPS results in the same, i.e. changing the site URL config to https:// from http://.

This could be a 7.1 bug. I don't see any PHP errors in the log.

Change History (4)

#1 @dd32
21 months ago

  • Keywords reporter-feedback added

> add_header Content-Security-Policy upgrade-insecure-requests; is needed for nice installation page, but this is minor issue

> Add $_SERVER['HTTPS']='on'; to wp-config.php to avoid redirect loop.

This part sounds like the HTTPS status from nginx isn't being passed through to PHP correctly. Can you provide example contents of $_SERVER on your install before WordPress loads?

#2 @yohgaki
21 months ago

I've tried with a standalone HTTPS server. You can also reproduce this with a local HTTPS server using a self-signed certificate. (Just ignore TLS warnings/errors.)

Install with an "https://" URL or change the site URL from "http://" to "https://" after install.

Last edited 21 months ago by yohgaki

#3 @dd32
21 months ago

> All HTTP traffic is redirected to HTTPS by nginx reverse proxy, backend web server is apache that only waits HTTP

I missed this when reading the ticket.

In short: you should consider configuring your nginx/apache configuration better. Apache (and therefore PHP & WordPress) has no idea that it's running in an SSL environment, which is the root cause of your bad experience.

The standard method would be using X-Real-IP and X-Forwarded-Proto to pass the end user's IP and the SSL status through to Apache, which, when combined with the appropriate Apache configs, would allow everything to work transparently.

In longer form: WordPress is unable to detect that it's running on an SSL service; it sees HTTP requests, attempts to redirect to HTTPS requests and ends up in a loop. During install, WordPress attempts to determine its own URL and, not seeing the HTTPS protocol, sets it to an http:// URL.

In the event your server is not configured to pass through the HTTPS status, then it's up to you to set up WordPress correctly. That involves either a) creating the wp-config.php file manually and adding $_SERVER['HTTPS']='on'; to it prior to install, or b) installing WordPress and correcting the siteurl and home options in the database to https:// (or using the constants in wp-config.php).

In that case, WordPress has no idea that it's being installed on an HTTPS service until you add $_SERVER['HTTPS']='on'; to your wp-config.php file; as a result, it's up to you to configure the service correctly (both at the nginx & apache layers) and/or set the URLs for WordPress correctly.

I'm going to close this as a duplicate of #15733 and the many many many other tickets about SSL and bad server configs.

#4 @yohgaki
21 months ago

Thank you for your comment!! It turned out my wp-config.php was wrong. Apologies for the confusion. It seems I messed up /etc/hosts.

https://codex.wordpress.org/Administration_Over_SSL says "Note: FORCE_SSL_ADMIN should be set before wp-settings.php is required.", but it does not state that any other SSL-related constants/vars must be defined before wp-settings.php.

BAD - This only fixes redirect loop!

<?php
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
$_SERVER['HTTPS']='on'; // <<== Fix redirect loop, but it does NOT work.

GOOD

<?php
$_SERVER['HTTPS']='on';
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

I mostly append additional config at the end of the config file. If the BAD config hadn't fixed the redirect loop, I might have noticed my mistake earlier. I think it may be good to mention this explicitly in the document, or better yet add a comment that "wp-settings.php" should be included after additional var/constant definitions.

For the record, the working wp-config.php (# tail -n 30 wp-config.php) is:

 
/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** SSL Support **/
function isSecure() {
  if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    return TRUE;
  }
  return FALSE;
}

$web_site     = 'blog.ohgaki.net';
$schema       = isSecure() ? 'https://' : 'http://';
$web_site_url = $schema . $web_site;
 
define('WP_HOME',    $web_site_url);
define('WP_SITEURL', $web_site_url);

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php'); // <<== THIS MUST BE AT THE END OF wp-config.php

Last edited 21 months ago by yohgaki
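
A stricter variant of the X-Forwarded-Proto check discussed in comments #3 and #4, as an added example that is not part of the ticket or of WordPress itself: it honours the header only when the request comes from a known reverse proxy, because any client that can reach Apache directly can set that header. The function name, TRUSTED_PROXIES and all addresses are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names and constructed addresses throughout.
// Assumes the nginx proxy overwrites the header on every request:
//   proxy_set_header X-Forwarded-Proto $scheme;
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5']; // constructed; use your proxy's IPs

/**
 * True when the original client connection was HTTPS.
 * X-Forwarded-Proto is an ordinary request header, so it is honoured only
 * when the TCP peer (REMOTE_ADDR) is one of our own reverse proxies.
 */
function forwarded_https(array $server, array $trusted): bool
{
    // TLS terminated on this server itself: nothing to infer.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Header from any other peer is client-controlled: ignore it.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trusted, true)) {
        return false;
    }
    // Accept exactly "https"; lists such as "https, http" are rejected.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// Constructed $_SERVER samples showing the three outcomes.
$samples = [
    'proxy, client used https' => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy, client used http'  => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct, header untrusted' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    $scheme = forwarded_https($server, TRUSTED_PROXIES) ? 'https' : 'http';
    printf("%-26s => %s\n", $label, $scheme);
}

// In wp-config.php, apply the result BEFORE wp-settings.php is loaded:
//   if (forwarded_https($_SERVER, TRUSTED_PROXIES)) { $_SERVER['HTTPS'] = 'on'; }
//   require_once(ABSPATH . 'wp-settings.php');
```

Restricting the backend so that Apache accepts connections only from the proxy removes the direct path altogether; the address check here is a second layer for setups where that is not guaranteed.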