Domain Mapping + Forced SSL Login with wildcard & .htaccess

Hi there!

I'm running a Multisite network and I'm still setting it up. Unfortunately I have a small problem. I can't seem to do the following: SSL login without an error.

Let's take these two examples, both are connected to the WordPress.com multisite:

jaco.by
ryan.boren.me (wut?)

Anyway, try adding /wp-admin to the end of those urls.

As you can see, they're both getting redirected to their.wordpress.com - and THEN https:// gets pasted in front of the url, and then /wp-admin/ behind it.

Then, not so important, the WordPress magic happens to determine if you're already logged in or not (and much more!).

But how do I achieve this?

As you can see in the following example, you'll get a cert error:
Go to testmijnpagina.nl
Add /wp-admin behind it
Redirect to WARNING page =.=
Get scared while hell freezes over. <continue or exit>
If you continue: https://testpage.hostmijnpagina.nl/wp-admin/ and everything's okay :slight_smile:

As you can see, I want to remove the warning page. To accomplish this, I need to make sure testmijnpagina.nl first goes to the port 80(80)/http site (testpage.hostmijnpagina.nl) - and then goes to the 443/https site.

I thought this should be easier as the cert should only get called at the last moment. Unfortunately, it doesn't - the cert somehow loads before the user enters the login page. There's not even https:// in the address bar when the warning appears!

I could create a loop in htaccess but that will only block the website from redirecting. So I think this has to be done on a PHP level.

This is what I have at the moment, my pretty .htaccess file (without the security and wpmu settings):

#1
RewriteCond %{HTTP_HOST} ^(www\.)?hostmijnpagina.nl$ [NC]
RewriteRule ^/?register/(.*)$ https://signup.hostmijnpagina.nl/$1 [L,R=301]

#2
RewriteCond %{HTTP_HOST} ^(www\.)?hostmijnpagina.nl$ [NC]
RewriteRule ^/?wp-signup(.*)$ https://signup.hostmijnpagina.nl/wp-signup [L,R=301]

#3
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(dashboard|wiki|registreer|signup|themas|login|www)\. [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

#4
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^hostmijnpagina\.nl [NC]
RewriteRule ^(.*)$ https://hostmijnpagina.nl/$1 [R,L]

#5
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} ^.?hostmijnpagina.nl/wp-(admin|login|register)$ [NC]
RewriteRule !^/wp-(admin|login|register)(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L]

The first two rule blocks are for registration at subdomain level. The 3rd block is to force https:// on all my domains.
The 4th block is to force https on the main domain.
And the 5th block is the "wp-admin/login/register" https:// force.

It all works, but the 5th block (in conjunction with the 4th, maybe?) gives me an error.
test/testpage.hostmijnpagina.nl goes to http if the 5th block is available, it goes to https:// if the 5th block is removed. I think this is block 4's fault.

I'm kind of puzzled, maybe I've been on this subject for too long.

I do not want to force https on every subdomain. Only on the ones I manage. I do want to force ssl logins and admin management.

Any help would be greatly appreciated :slight_smile: Thanks!

  • Patrick

    Hi there @Sybre

    Welcome to the forums, glad to have you aboard!

    Looks like you're still fiddling with your htaccess. :slight_smile:

    When I access testmijnpagina.nl/wp-admin I get redirected to:

    http://testpage.hostmijnpagina.nl/wp-login.php?redirect_to=http%3A%2F%2Ftestpage.hostmijnpagina.nl%2Fwp-admin%2F&reauth=1

    No https, no warnings, nuthin'.

    However, such htaccess wizardry is not really my area of expertise, so I'll see if one of my colleagues can perhaps jump in here to help out.

  • Sybre Waaijer

    Nope, I went to bed right after I posted this :')
    I think it has something to do with my/your browser caching.
    Therefore I'm using Internet Explorer, Chrome, Chrome incognito, and iOS Safari. Yet I have the same results :slight_frown:

    As per my browser, you can see it's getting redirected to https - because of the error. But you do see http:// in the URL bar.

    Looking for a solution out of the box, I came across this: http://stackoverflow.com/questions/18932323/redirecting-non-ssl-domain-to-an-ssl-domain-with-a-different-tld

    Does this mean that I need another IP for domain mapping, so the SSL pages won't conflict at a redirection?

    ----
    Hold on, I have the domain pointing to the wrong IP (same server) :') Will report back once resolved xD
    - Nope, this didn't solve it :slight_frown:

  • Sybre Waaijer

    Hi there Ashok!

    Thanks for participating in this discussion :slight_smile:.

    I think this problem is IE11 related only (I'm ruling my Chrome cache out here!). However, this problem doesn't reproduce itself on the official wordpress.com website (jaco.by/wp-admin)

    I've changed my .htaccess this morning (12 hours ago) as well.

    The following changes were made in .htaccess:

    Removed:

    #5
    RewriteCond %{HTTPS} off
    RewriteCond %{THE_REQUEST} ^.?hostmijnpagina.nl/wp-(admin|login|register)$ [NC]
    RewriteRule !^/wp-(admin|login|register)(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L]

    Added:

    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^/?(wp-admin/|wp-login\.php) https://hostmijnpagina.nl%{REQUEST_URI}%{QUERY_STRING} [R=301,QSA,L]

    This has been copied directly from http://codex.wordpress.org/Administration_Over_SSL#Rewrite_Rules_For_The_Insecure_Host

    As you can see, the ^.?hostmijnpagina.nl has been changed to https://hostmijnpagina.nl
    So the subdomain name has been removed in this process.

    Also, instead of the L flag alone, QSA and R=301 have been added. These flags act as some kind of dark magic.

    For future reference, I'm going to try the following:

    As apache says: http://httpd.apache.org/docs/2.2/rewrite/flags.html
    QSA (query string append) flag causes the query strings to be combined.
    L (last) flag causes that no further rules will be processed if they match.
    R (redirect) flag causes a http redirect to be issued to the browser.

    As I (finally!!) found the page with all the flags, I came across a few flags that might be useful for my situation:
    I'm using an nginx http proxy which serves http content over port 8080 for server optimization.
    All SSL requests still go over port 443 which will be served over Apache.

    This means: The P (proxy) flag might help me. As it will serve the command from/as a new server? I will certainly need to use this flag in the future as I will distribute my content over a CDN.

    This also means that the C (chain) rule might help me. Forcing a redirect first over HTTP, and from there on it chains to my "always use HTTPS over wp-admin/login sessions".

    I'm no apache/.htaccess magician so I'm just going mindless and trying whatever I find. Will report back as always for future reference (and for new/other users) :slight_smile:

  • Sybre Waaijer

    I think I know what the problem is. And it's not easily fixed. Whatever I wrote before will not fix it.

    I tried to look up how wordpress.com did it, and it has probably something to do with multiple servers. They also cooperate with a CDN. Having about 650,000 mapped domains - they must know what they're doing.

    For a multisite - this is quite impossible for the level I'm working at and with my knowledge of servers/wordpress.

    I could avoid this problem by avoiding https whenever a query comes from a mapped domain, like you've done at edublogs (I think).

    I'll discuss this with an expert in this area who will have access to my servers when the time and money is due.

    I would like to thank you all for your support and time :slight_smile:

    <3

  • Sybre Waaijer

    Solved!

    I added the mapped domain to CloudFlare as a new website and turned SSL off (free version requires that to be off).

    This way, CloudFlare solved the issue for me with their genius software, and no more errors are occurring.

    Will upgrade to CloudFlare Enterprise when the time and money is due for more options, like the Railgun you're using!

    Thanks for your support guys! I really appreciate it :slight_smile:

  • wp.network

    Hey @Sybre

    I've been working on basically the same set of issues with the same goal in mind, and have also been trying my best with htaccess wizardry borrowed mostly in ignorance from places like AskApache...

    One of my most successful attempts looked like this:

    RewriteCond %{HTTP_HOST} !^(.+?)\.example\.com$ [NC]
    RewriteCond %{HTTP_HOST} example\.com$ [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    Perhaps it's not obvious, but I am rather new to crafting htaccess rules. I've got a fresh crop of respect for folks who have mastered htaccess, and am kinda in awe of the possibilities.

    I have also thought that CF could be a decent solution for this issue (though more as a 'quick and dirty' fix than a true solution).

    I am hoping that @Sybre can confirm a) if they are running their primary with CF as well b) if so, are they bypassing CF caching and security for all /wp-admin/* requests or c) successfully running CF Pro on the primary and CF free for the mapped domains?

    It's great to see how many WPMUDev members are seeking such functionality and to learn of successes. Thanks for sharing about your solution @Sybre :slight_smile:

    Kind Regards,
    Max

    • Sybre Waaijer

      Hi there @TIVISM

      Sorry for my late reply.

      I must say that unfortunately, I have backed away from the WPMUDev's solution of Domain Mapping and went with the original supported by the makers of WordPress.

      Because the original is not working correctly with Pro Sites, I made this little plugin found here; it's a quick fix and maybe not as pretty as WPMUDev's original plugin, but with a little more coding you might get it more beautiful (let's say, a link to the Pro Sites purchase page?). Good luck: https://premium.wpmudev.org/forums/topic/restrict-usage-of-a-network-activated-plugin#post-721777

      What the original Domain Mapping plugin from WordPress does is jump from the mapped domain to the non-mapped domain, like a "click" to an external website, and it does wonders. Look for the example at mijnwordpress.com and hit "inloggen" at the right side.
      As you can see, it jumps without errors.

      As for my .htaccess, this is it (stripped down massively though for security, but the must-haves are in it for this solution):

      #BEGIN Custom HMP
      	#BEGIN Adminbar registration fix
      	RewriteCond %{REQUEST_URI} !/wp-signup\.php [NC]
      	RewriteRule ^/?wp-signup(.*)$ https://hostmijnpagina.nl/wp-signup.php [L,R=302]
      	#END Adminbar registration fix

      	#BEGIN all subdomains force SSL
      	RewriteCond %{HTTPS} off
      	RewriteCond %{HTTP_HOST} ^(.*)\.hostmijnpagina\.nl [NC]
      	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
      	#END all subdomains force SSL

      	#BEGIN main blog SSL
      	RewriteCond %{HTTPS} off
      	RewriteCond %{HTTP_HOST} ^hostmijnpagina\.nl [NC]
      	RewriteRule ^(.*)$ https://hostmijnpagina.nl/$1 [R=301,L]
      	#END main blog SSL
      #END Custom HMP

      Change hostmijnpagina with your website, and the TLD (.nl) to your website's .com/.co.uk/.etc

      DO NOT use anything special with SSL in your wp-config.php file like define('FORCE_SSL_ADMIN/LOGIN', true);

      As for the Domain Mapping plugin by WordPress, I selected option 1 to 4 in wp-admin/network/settings.php?page=dm_admin_page and left 5 out. This seemed to work perfectly.

      As for CloudFlare, I currently have a Pro subscription with an Optimized partnership (for Railgun) and will opt in for Business once I go live. Security profile is set to High and when needed I go into Development mode (developing/changing themes).
      Full Automatic IPv6 is on for compatibility with IPv6 networks.
      Always Online mode is activated and I will deactivate this and test this because it's causing problems with Webmail.
      Railgun is on and working (need a VPS to install this).
      SSL is set to Full SSL (Strict).

      In the Performance settings, Aggressive caching, Auto Minify, Mirage 2 and Polish will help you with Google indexing and pagerank.

      Each new mapped domain will go directly to the server's IP unless you manually add this to CloudFlare (as a free website). I will discuss this with CloudFlare when I go Enterprise to make this automatic.

      Each subdomain will be added automatically to CloudFlare through a simple plugin. More information can be found here: https://support.cloudflare.com/hc/en-us/articles/200169356-How-do-I-use-WordPress-Multi-Site-WPMU-With-CloudFlare-
      I use the Paid Plugin.

      I do not recommend installing mod_cloudflare as this will cause problems in the future with Railgun.

      I hope this is enough information to get you going! Good luck!
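The reason the rule set above stops the certificate warning is that every host it bounces to HTTPS is one the wildcard certificate actually covers, while mapped domains are left on HTTP. The following is an added example (not code from the post or from any plugin named in it) that models that decision logic in Python and checks each redirect target against the certificate's names; the SAN list and the sample requests are constructed for the demonstration.

```python
"""Check whether a set of .htaccess-style redirects can land a browser on an
HTTPS host that the wildcard certificate does not cover. Added example:
CERT_SANS and SAMPLE are constructed, not taken from the original post."""
import re
from urllib.parse import urlsplit

# Constructed: names on a typical wildcard cert for the network's base domain.
CERT_SANS = ["hostmijnpagina.nl", "*.hostmijnpagina.nl"]


def san_matches(san, host):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # ".hostmijnpagina.nl"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(host, sans=CERT_SANS):
    return any(san_matches(s, host) for s in sans)


def redirect_target(scheme, host, path):
    """Model of the final .htaccess in the thread: force HTTPS on the main
    domain and on its subdomains, leave every other (mapped) host alone.
    Returns the Location URL, or None when no rule fires."""
    if scheme == "https":
        return None
    if host.lower() == "hostmijnpagina.nl":
        return "https://hostmijnpagina.nl" + path
    if re.match(r"^.*\.hostmijnpagina\.nl$", host, re.I):
        return "https://" + host + path
    return None                            # mapped domain stays on HTTP


def naive_force_ssl(scheme, host, path):
    """The behaviour the original post fought: every wp-admin/wp-login request
    is bounced to HTTPS on whatever host it arrived on, mapped domains too."""
    if scheme == "http" and re.match(r"^/wp-(admin|login)", path):
        return "https://" + host + path
    return None


def unsafe_redirects(requests, rule=redirect_target):
    """Return the HTTPS redirect targets whose host the cert does not cover;
    those are exactly the hops where a browser shows the certificate warning."""
    bad = []
    for scheme, host, path in requests:
        loc = rule(scheme, host, path)
        if loc is None:
            continue
        parts = urlsplit(loc)
        if parts.scheme == "https" and not cert_covers(parts.hostname):
            bad.append(loc)
    return bad


# Constructed sample requests: main domain, a subdomain, and a mapped domain.
SAMPLE = [("http", "hostmijnpagina.nl", "/"),
          ("http", "testpage.hostmijnpagina.nl", "/wp-admin/"),
          ("http", "testmijnpagina.nl", "/wp-admin/")]
```

Running `unsafe_redirects(SAMPLE)` returns an empty list for the thread's final rule set, while `unsafe_redirects(SAMPLE, naive_force_ssl)` flags the mapped domain's wp-admin hop.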

      • wp.network

        @Sybre that was epic!

        Thanks so much for following up!

        I'm holding out for the next release of WPMUDev's Domain Mapping plugin...

        If it doesn't solve most of my issues, then I am thinking to follow your lead.

        ProSites is awesome, and so are a lot of other WPMUDev plugins that build off of the DM foundation.

        Effective Domain Mapping that works with HTTPS is what I need first and most.

        ProSites et al. would be frosting, which I can live without if need be.

        I really appreciate the time you took to write your update :slight_smile:

        Kind Regards & Aloha, Max

        • Sybre Waaijer

          @TIVISM

          Pro Sites can work along with other plugins and so the WPMUDev Domain Mapping plugin isn't mandatory to have with Pro Sites :slight_smile:

          Pro Sites also gives status and levels to users which can be programmed with in other plugins or per my example plugin.

          Each other solution you might find for domain ordering must be out-sourced or programmed by yourself/a colleague/a partner. Myself, I use WHMCS with WPMUDev's WHMCS Integration + WHMCS Provisioning and got myself an eNom reseller account.

          I'm far from perfect integration but it's getting there. The biggest problem is building a theme around it all :stuck_out_tongue:

          Good luck!

  • Sybre Waaijer

    @TIVISM

    Oh, and for your questions, I presume "they" is WordPress.com or edublogs.org

    a) if they are running their primary with CF as well b) if so, are they bypassing CF caching and security for all /wp-admin/* requests or c) successfully running CF Pro on the primary and CF free for the mapped domains?

    For WordPress.com:
    a) Nope, they have their own CDN called wp.com (can be used by you for free with Photon in Jetpack).
    b) They use their own magic with the domain mapping plugin.
    c) WordPress.com uses their own CDN and thus has programmed their websites to take benefit from this.
    If you ping http://jaco.by/ you can see it's a different IP from https://johnjamesjacoby.wordpress.com/ (same website), and even different from en.wordpress.com. I use this website because his URL is easy to remember. I do not know John.

    For edublogs.org:
    a) Yes, they are using CloudFlare with Railgun.
    b) They use the WPMUDev's Domain Mapping plugin, without SSL login. You can test this at http://www.theedublogger.com/ and add wp-admin at the end of the address.
    c) This is explained in my post above; I add each mapped domain manually. Furthermore I cannot comment on this since this information cannot be publicly accessed and should be commented on by a WPMUDev staff member.

    Have a great day!