How to fix WordPress HTTPS issues when behind an Amazon Load Balancer?

I've had this issue before. When running WordPress (or other PHP scripts) behind Amazon's EC2 Load Balancer, the scripts do not realize they are being ran on the https:// protocol and results in issues such as endless redirect loops, and HTTPS warnings ("Some content on this page is being requested in a non-secure way...").

I found a solution here, but requires modifying WordPress core, which is no good for updatability:

Is there a way to fix this without modifying WordPress core? I am using Apache 2.2.


As the link you gave suggested, for WordPress the issue lies in the is_ssl() function, which like most PHP software explicitly checks the $_SERVER['HTTPS'] and $_SERVER['SERVER_PORT'] to check if the current page is being accessed in the https:// context.

When your page is accessed over HTTPS, but the Amazon Load Balancer is performing SSL offloading and actually requesting your content on the non-SSL port 80, the webserver, PHP, or anything else for that matter, does not understand or see that it's being accessed over https://.

The fix for this, is that Amazon's ELB sends the de-facto standard X-Forwareded-Proto HTTP header, which we can use to figure out which protocol the client is actually using on the other side of the Load Balancer.

With Apache 2.2, you could use something along the lines of:

<IfModule mod_setenvif.c>
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS

This simply reads the X-Forwared-Proto header, and if it equals https then, sets the HTTPS environment variable to 1. PHP will see this environment variable, and eventually it will become $_SERVER['HTTPS'] that equals 1 -- just like it would be for a "real" native SSL request.

Another option from the WordPress documentation is to add this to your wp-config.php:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)

In case anyone else was looking for the Nginx equivalent to this, here's what you need to do:

For rewrite setup you should add the following under the server block:

if ($http_x_forwarded_proto != 'https') {
    rewrite ^ https://$host$request_uri? permanent;

And for setting the HTTPS param you should add the following under the location ~ \.php$ block:

if ($http_x_forwarded_proto = 'https') {
    set $fe_https 'on';
fastcgi_param HTTPS $fe_https;

Remember to remove any other fastcgi_param HTTPS command if you have any (I had it in my fastcgi_params file).

Use this 4 step method to remove the redirect loop and mixed content problems when using ssl in WordPress.

1) Replace 'http://' with '//' in database - This create all the relative url's for images and other assets

2) in wp-config, define generic wp_home and wp_siteurl variables.

define('WP_HOME','//'. $_SERVER['SERVER_NAME']);
define('WP_SITEURL','//'. $_SERVER['SERVER_NAME']);

3) If you are using load balancer, use 'HTTP_X_FORWARDED_PROTO' server variable to figure out protocol used. To do this, add this line in wp-config

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)

4) Finally in .htaccess, use this line if you are behind loadbalancer to redirect all traffic to https.

 # http to https
 RewriteCond %{HTTP:X-Forwarded-Proto} =http
 RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

Neither of the above solved the Mixed Content errors for me unfortunately. However what did work was adding the protocol to the WP_HOME && WP_SITEURL variables in wp-config.php e.g.

define( 'WP_HOME', 'https://' . $_SERVER['HTTP_HOST']); define( 'WP_SITEURL', WP_HOME );

After that all URLs in the source began with https and all the Mixed Content errors disappeared.

Need Your Help

Android: Customizing recent apps thumbnail (screenshot by default)

java android

The app I'm working on shows some sensitive information that must not be shown on the "Recent Tasks" screen when stopping the app by pressing the home button.

Karma/Jasmine times out without running tests

javascript node.js karma-runner karma-jasmine webpack

I'm trying to run Karma/Jasmine from Grunt on a project generated with