By nu everest


2016-12-23 20:20:37 8 Comments

First off, my server is sitting behind a load balancer. My SSL certificate sits on the load balancer and handles HTTPS. The data coming in on port 443 is forwarded to the WordPress server using HTTP on port 80.

However, WordPress and PHP do not know my server configuration. This causes the browser to get suspicious about the validity of my valid SSL certificate.

To fix this I added the following code to functions.php. I found this code here and the codex agrees.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}

This works great for the frontend, but now the /wp-admin/ is inaccessible even with my Admin account. After logging in I receive a message, "Sorry, you are not allowed to access this page." No other help is provided.

So I searched through the wp-admin folder and discovered that the words "Sorry, you are not allowed to access this page." appear 17 different times.

Most of these error messages are associated with a user permissions check.

How do I keep HTTPS 'on' and retain admin access?

Summary:

  • Before adding HTTP_X_FORWARDED_PROTO logic to functions.php I can access wp-admin/
  • After adding HTTP_X_FORWARDED_PROTO logic to functions.php I cannot access wp-admin/
  • After removing HTTP_X_FORWARDED_PROTO logic from functions.php I cannot access wp-admin/

UPDATE:

I've discovered that the error message is coming from wp-admin/menu.php and this chunk of code at the bottom. I added menu.php to the end of the error to figure out that it was this file.

if ( !user_can_access_admin_page() ) {

    /**
     * Fires when access to an admin page is denied.
     *
     * @since 2.5.0
     */
    do_action( 'admin_page_access_denied' );

    wp_die( __( 'Sorry, you are not allowed to access this page. menu.php'), 403 );
}

I still do not understand how to fix this.

1 comments

@nu everest 2016-12-24 01:59:27

Special thanks to user42826.

According to the codex:

If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

The following actions will solve the problem.

Add this to wp-config.php. (codex reference)

/* SSL Settings */
define('FORCE_SSL_ADMIN', true);

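/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
/* isset() avoids an undefined-index notice when the header is absent */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}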

Remove this from functions.php as it is unnecessary.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}

@user42826 2016-12-24 03:02:41

The reason is that secure session cookies get lost when behind the load balancer because the LB is doing SSL but the backend is plain HTTP. Nice to see others working on enterprise level architectures ;)

@nu everest 2016-12-24 15:32:20

@user42826 What is nice about this setup is that I can just comment out FORCE_SSL_ADMIN if I want to prohibit admin access, or are there other side effects that should cause me to reconsider this line of thinking?

@user42826 2016-12-25 18:42:58

In your setup, it sounds like not setting FORCE_SSL_ADMIN prevents admin access, but there are better ways to do that depending on your requirements. Examples: prevent wp-admin or wp-login.php access in .htaccess or Apache config, remove WP native authentication via plugin, re-architect WP so that the wp-admin URL is different than the public URL, etc.

@Aaroninus 2017-09-14 16:02:02

Make sure to add this code before the require_once(ABSPATH . 'wp-settings.php'); line. Special thanks to jtl in this answer.

@baptx 2017-12-21 12:33:25

@Aaroninus thanks, I use Cloudflare flexible SSL and without your comment I would have spent time searching again. I found this related question previously: wordpress.stackexchange.com/questions/170165/…

@Krishnadas PC 2018-09-11 08:36:23

It worked on an Amazon instance. Was struggling; moving the code to the top did the job.
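
The wp-config.php check in the answer accepts X-Forwarded-Proto from any sender, so a client that can reach the backend directly could set the header itself. The following is an added example (not from the thread or the codex) that honours the header only when the connection comes from the load balancer; the CIDR ranges and the helper names `ip_in_cidr` and `request_was_https` are assumptions.

```php
<?php
// Added example, not WordPress or codex code. Place in wp-config.php above
// the require_once(ABSPATH . 'wp-settings.php'); line.

// ASSUMPTION: placeholder ranges; list only your load balancer's addresses.
$trusted_proxies = ['10.0.0.0/8', '192.0.2.10/32'];

// Hypothetical helper: true when $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool {
    $parts   = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($parts[0]);
    if ($ip_bin === false || $net_bin === false
        || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // unparsable address or mixed address families
    }
    $max  = strlen($ip_bin) * 8;
    $bits = $parts[1] ?? (string) $max;
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length must never match
    }
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ip_bin, 0, $bytes) !== substr($net_bin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$bytes]) & $mask) === (ord($net_bin[$bytes]) & $mask);
}

// Hypothetical helper: honour X-Forwarded-Proto only from a trusted peer.
function request_was_https(array $server, array $trusted): bool {
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
            return strtolower(trim($proto)) === 'https';
        }
    }
    return false; // direct client: ignore any header it supplied
}

if (request_was_https($_SERVER, $trusted_proxies)) {
    $_SERVER['HTTPS'] = 'on';
}
```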
