wordpress with Nginx + fastcgi_cache with ssl but behind haproxy

Ali Mohsin aliofthemohsins at gmail.com
Tue Feb 9 12:53:55 UTC 2021


Try activating ssl without the plugin. Change the url in wordpress settings.

On Tue, 9 Feb 2021, 5:32 PM Rainer Duffner, <rainer at ultra-secure.de> wrote:

> It’s set up this way, because haproxy can’t really do vhosts and sometimes
> you need to limit access per vhost.
>
> OTOH, haproxy can do restrictions on a per-url basis much better (IMO)
> than Nginx.
>
> There are up to several hundred vhosts there and sometimes you want to
> limit stuff on any one of them.
>
> Plus, as I said, haproxy’s handling of certificates is sometimes very
> convenient.
>
> I run let’s encrypt on almost all of these vhosts and due to the way they
> are provisioned, it’s much easier than dealing with the individual Nginx
> configuration files.
>
> I will try and activate SSL without the Really Simple SSL plugin, maybe it
> is doing something weird - though with all the SSL offloading going on
> these days, you’d think this isn’t a too unusual case…
>
> On 09.02.2021 at 05:08, Ali Mohsin <aliofthemohsins at gmail.com> wrote:
>
> Hi, normally when I get an infinite loop with ssl, it's usually because of
> redirection of http to https. Sometimes front proxy (cloudflare or haproxy)
> is expecting simple http traffic and it gets https traffic and vice versa.
> Also check your wordpress settings and its url. Try changing it.
> And why are you using so much stuff just for wordpress? Simple nginx,
> php-fpm, fcgi cache works for me. And rate limiting works in nginx too. Try
> simplifying the setup so there are fewer variables to deal with.
>
> On Mon, 8 Feb 2021, 10:16 PM Rainer Duffner, <rainer at ultra-secure.de>
> wrote:
>
>> Hi,
>>
>> I have an interesting problem.
>>
>> I have apache behind Nginx behind haproxy.
>>
>> SSL is terminated with haproxy (because haproxy can load all certificates
>> from a single directory, and because some rate-limiting stuff is easier
>> with haproxy).
>> This makes using Let’s Encrypt easier.
>>
>> Sometimes, I want to do Nginx + fastcgi + php-fpm directly, without
>> apache (it’s measurably faster).
>>
>> For apache, you need this in the configuration:
>>
>> proxy_set_header X-Forwarded-Proto  $http_x_forwarded_proto;
>>
>> (and for good measure, also this:
>> SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
>> )
>>
>> For fast-cgi, one also needs this in the configuration (fastcgi_params):
>>
>> fastcgi_param  HTTPS              $fwd_ssl;
>>
>>
>> $fwd_ssl is generated by this map:
>>
>>   map $http_x_forwarded_proto $fwd_ssl {
>>         http    off;
>>         https   on;
>>   }
>>
>> in the global http section.
>>
>> In wordpress, when I enable „Really Simple SSL“, I get a redirect loop
>> (to https) on the front-page (as an unauthenticated user) but the backend
>> works.
>>
>> I wonder what wordpress is missing so that it still thinks the connection
>> is coming over http instead of https.
>>
>> Any ideas?
>>
>> Best Regards
>> Rainer
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
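One thing to check for the redirect loop described in the quoted thread, shown as an added example that is not part of any poster's message or configuration: a fastcgi_cache key built from $scheme cannot tell http from https once TLS is terminated at haproxy, so a cached redirect to https can be replayed to clients that already arrived over https. That the cache key uses $scheme is an assumption (the thread does not show the cache configuration), and the zone name, listen port and socket path are hypothetical.

```nginx
# Added example, not from the thread. Assumed names: cache zone "WORDPRESS",
# listen port 8080, the php-fpm socket path, and both cache keys.
# The zone itself is assumed to be declared with fastcgi_cache_path in http {}.

# http {} context: the map from the thread, with an explicit default so a
# request that carries no X-Forwarded-Proto header is treated as plain HTTP.
map $http_x_forwarded_proto $fwd_ssl {
    default off;
    https   on;
}

server {
    listen 8080;   # plain HTTP from haproxy (assumed port)

    location ~ \.php$ {
        # fastcgi_params as in the thread, i.e. it already contains
        #   fastcgi_param  HTTPS  $fwd_ssl;
        # which is the value WordPress is_ssl() looks at.
        include      fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path

        fastcgi_cache       WORDPRESS;
        fastcgi_cache_valid 200 301 302 10m;

        # Weak: behind TLS offloading $scheme is "http" for every request,
        # so a redirect cached for an http visitor is also served to
        # visitors who already came in over https.
        # fastcgi_cache_key "$scheme$request_method$host$request_uri";

        # Corrected: key on the forwarded protocol, so responses for http
        # and https requests are cached separately.
        fastcgi_cache_key "$fwd_ssl$request_method$host$request_uri";
    }
}
```

This only helps if haproxy sets X-Forwarded-Proto itself on every request, since $http_x_forwarded_proto is otherwise whatever the client sent.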