Domain Mapping, SSL and Cloudflare

I have a WordPress multisite installation running on a domain that is hosted on HostGator. Let's call it Me.com.

Me.com is set up to use subdomains. It has a dedicated IP, a wildcard SSL certificate and I'm using Cloudflare.

I have a domain (let's call it Client.com) that is mapped to Client.Me.com. There is a separate SSL certificate installed on Client.com; the domain is hosted by GoDaddy.

First, are there specific requirements or best practices when mapping domains and using Cloudflare? So far, the domain mapping is working, but I don't know if there is an optimum or SSL-friendly way to map domains when using Cloudflare.

Second, what is the correct way to configure Cloudflare for the subsite? Do I add Client.Me.com as a website in Cloudflare, Client.com, both or neither?

Third, what is the correct way to enable SSL encryption for a subsite that will also be using Cloudflare? At a minimum, I want to force HTTPS for all admin pages and any payment page(s). My preference is that the URL for both admin pages and payment pages show https://Client.com/whatever/ as opposed to https://Client.Me.com/whatever/.
I think it looks more professional and raises fewer questions in the minds of the client's visitors.

Any guidance on getting this resolved quickly would be greatly appreciated.

  • Michelle Shull

    Hi, NYCWW!

    First off, check out this lengthy explanation from your fellow member, Max, who has a unique and intimate knowledge of the inner workings of Domain Mapping, SSL, and Cloudflare: https://premium.wpmudev.org/forums/topic/how-to-setup-ssl-for-mapped-domains#post-803587

    Next, your wildcard SSL cert will only cover a single domain and the subdomains of that domain. Client.com's SSL cert purchased from GoDaddy should cover Client.com when it's mapped to oneofyoursubsites.me.com. I'm assuming when you say the client.com domain is hosted on GoDaddy, you mean that's where it was registered, yes?

    Advice - go all or nothing with SSL. Protecting your whole network won't hurt a thing, even if it's a wee bit overkill, but it will prevent having to juggle mixed content and all the time-suckage that goes with. Others may (and are free to!) disagree here, but that's what I would do. It's just simpler. By miles.

    Read over Max's post I linked; he does an excellent job of explaining step by step how he set up a very similar configuration to what you describe here. I think that should cover most of your questions.

    Thanks for your question!

  • NYCWW

    Thanks Michelle! I'll take a look and give it a try.

    Yes, you are correct in your assumption. Client.com was registered at GoDaddy. It would have been more accurate of me to say "parked with" GoDaddy, not "hosted by".

    Just for clarity, when you say "protect the whole network", do you mean force HTTPS for all pages? If so, I only suggested otherwise because I heard secure pages take longer to load. Either way, it's probably not the best place to take a shortcut.

    Thanks again.

  • wp.network

    @NYCWW

    First, are there specific requirements or best practices when mapping domains and using Cloudflare? So far, the domain mapping is working, but I don't know if there is an optimum or SSL-friendly way to map domains when using Cloudflare.

    1) do you have the CloudFlare plugin active at network primary?
    2) since you have a validated SSL for primary, you can use 'SSL Full (Strict)' setting at CF for primary
    3) since you have an SSL for primary, you can use 'SSL Full' setting at CF for mapped domains
    4) you can use CF's CNAME 'Flattening' to use CNAME for mapped domains instead of A records
    CNAME @ primary.tld
    4a) this is generally a no-no, but CF makes it work :slight_smile:
    5) make sure you get your page rules at CF to bypass caches for WP backend...

    Second, what is the correct way to configure Cloudflare for the subsite? Do I add Client.Me.com as a website in Cloudflare, Client.com, both or neither?

    1) you add the domain-to-be-mapped into CF as normal, set DNS to point to primary via A record or CNAME as mentioned above
    2) for HTTPS using CF SSL certs, you must create a CNAME for the subdomain address at primary DNS, like
    CNAME mappedsubsite primary.tld

    Third, what is the correct way to enable SSL encryption for a subsite that will also be using Cloudflare?

    There are many ways to go... it depends on your needs and preferences.

    Are you using apache web server? If so, then please post your current .htaccess file and I will suggest some edits to try :slight_smile:

    Cheers, Max

  • NYCWW

    Thanks for your help, @WPMS.Network.

    So far I've done all of the above, but I'm still getting SSL warnings:

    From Firefox

    egovacations.com uses an invalid security certificate. The certificate is only valid for the following names: *.nycwebworks.com, nycwebworks.com (Error code: ssl_error_bad_cert_domain)

    Here is the current .htaccess

    # BEGIN s2Member GZIP exclusions
    <IfModule rewrite_module>
    	RewriteEngine On
    	RewriteBase /
    	RewriteCond %{QUERY_STRING} (^|\?|&)s2member_file_download\=.+ [OR]
    	RewriteCond %{QUERY_STRING} (^|\?|&)no-gzip\=1
    	RewriteRule .* - [E=no-gzip:1]
    </IfModule>
    # END s2Member GZIP exclusions
    
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteRule ^dashboard/?$ /wp-admin [NC,L]
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    # END WordPress
    Options All -Indexes
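The Firefox error quoted above is a hostname-versus-certificate mismatch: the wildcard certificate for the network primary lists only *.nycwebworks.com and nycwebworks.com, and a mapped domain like egovacations.com is not covered by either name. The following checker is an added example (not code from the thread or from any plugin mentioned in it) that applies the standard wildcard rule (a leftmost `*` matches exactly one DNS label) to the names in that error, and reports which hostnames of a network would need their own certificate or a Cloudflare edge certificate. The hostnames list is constructed for illustration.

```python
# Constructed sample: the DNS names from the Firefox error in the thread.
CERT_SANS = ["*.nycwebworks.com", "nycwebworks.com"]

# Constructed sample: hostnames a multisite network might serve.
NETWORK_HOSTS = [
    "nycwebworks.com",            # network primary
    "client.nycwebworks.com",     # subsite on the primary's subdomain
    "egovacations.com",           # mapped domain from the error message
    "www.egovacations.com",
    "deep.sub.nycwebworks.com",   # two labels below the wildcard
]


def host_matches_san(hostname: str, san: str) -> bool:
    """Match one hostname against one DNS SAN entry.

    Follows the usual browser rule (RFC 6125 style): a wildcard is only
    honoured when it is the entire leftmost label, and it matches exactly
    one label. So *.nycwebworks.com covers client.nycwebworks.com but
    neither nycwebworks.com itself nor deep.sub.nycwebworks.com.
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards (f*.example.com) and bare "*.tld".
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def covered_by(hostname: str, sans=CERT_SANS) -> bool:
    """True if any SAN on the certificate covers this hostname."""
    return any(host_matches_san(hostname, san) for san in sans)


def hosts_needing_own_cert(hosts=NETWORK_HOSTS, sans=CERT_SANS):
    """Hostnames the primary's wildcard certificate cannot serve.

    These are the mapped domains (and deeper subdomains) that will raise
    ssl_error_bad_cert_domain unless they get a separate certificate.
    """
    return [h for h in hosts if not covered_by(h, sans)]
```

Running `hosts_needing_own_cert()` against the constructed list returns the three names the wildcard cannot vouch for: egovacations.com, www.egovacations.com and deep.sub.nycwebworks.com.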

  • wp.network

    @NYCWW

    CF is some awesomesauce and has magically made this work for you :slight_smile:

    As it stands though, you must either use custom page rules at CF or rely on the HTTPS controls of the Domain Mapping plugin to force (or aka, assure) use of HTTPS - I have not tested in depth with latest DM release, in the past I was not comfortable relying on it for security reasons (HTTPS assurance can NOT fail, right?!)... so that means either using your CF page rule slots for this and relying upon CF (though, if you are using CF for SSL for mapped domains you're basically stuck with CF until you get your own SNI setup running) or configuring your server to force the rewrites to HTTPS instead, thus freeing your CF rule slots for better uses (like cache controls).

    To begin with, the .htaccess file that you posted might be reworked as follows:

    Options All -Indexes
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # BEGIN s2Member GZIP exclusions
    RewriteCond %{QUERY_STRING} (^|\?|&)s2member_file_download\=.+ [OR]
    RewriteCond %{QUERY_STRING} (^|\?|&)no-gzip\=1
    RewriteRule .* - [E=no-gzip:1]
    # END s2Member GZIP exclusions
    
    # BEGIN WordPress
    RewriteRule ^index\.php$ - [L]
    RewriteRule ^dashboard/?$ /wp-admin [NC,L]
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    # END WordPress
    </IfModule>

    Test the above, see if it still works, then, as a starting point, try this:

    Options All -Indexes
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # BEGIN s2Member GZIP exclusions
    RewriteCond %{QUERY_STRING} (^|\?|&)s2member_file_download\=.+ [OR]
    RewriteCond %{QUERY_STRING} (^|\?|&)no-gzip\=1
    RewriteRule .* - [E=no-gzip:1]
    # END s2Member GZIP exclusions
    
    # BEGIN https controls for network primary URLs
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} nycwebworks\.com$ [NC]
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
    # END https controls for network primary URLs
    
    # BEGIN WordPress
    RewriteRule ^index\.php$ - [L]
    RewriteRule ^dashboard/?$ /wp-admin [NC,L]
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    # END WordPress
    </IfModule>

    That should force all your primary network traffic to https, yet as Ipstenu says

    Servers are like Snowflakes

    Also, I looked at your site and you've got mixed content issues that can likely be easily resolved, just need to choose the method... Would you be into doing a short skype sometime soon? We can run through a bunch of points really fast that way... max at wpms dot network if you'd like :slight_smile:

    At a minimum, try this:
    navigate to network > sites
    edit primary
    select settings tab, locate fields for SITEURL & HOME
    I believe that your values likely both look like this:
    http://nycwebworks.com
    Try changing both SITEURL & HOME to use:
    https://nycwebworks.com

    Then, use the Interconnect/IT script to oh-so-carefully search and replace in your db, updating:
    http://nycwebworks.com/
    to
    https://nycwebworks.com/

    Make sure to use the Dry Run feature to get an idea of what is going to be changed and gives you a chance to adjust what you are doing before proceeding :slight_smile:

    Hope this rocks your world, at least a little bit :slight_smile:

    Aloha, Max

    ps. the above generally assumes that you don't have anything quirky going on...

    pps. make sure that you're setting the mapped domains to use 'SSL Full' at CF... staying with the default 'Flexible SSL' can cause redirect loops depending on how things are set up for your primary...

  • wp.network

    @NYCWW

    btw, once you test above and verify nothing is broken you can try changing

    # BEGIN https controls for network primary URLs
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} nycwebworks\.com$ [NC]
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
    # END https controls for network primary URLs

    to

    # BEGIN https controls for network primary URLs
    RewriteCond %{HTTPS} !=on
    #RewriteCond %{HTTP_HOST} nycwebworks\.com$ [NC]
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
    # END https controls for network primary URLs

    This makes the rule apply to all domains rather than only network primary, and if everything goes as intended, you will now be rewriting all HTTP requests to use HTTPS :slight_smile:

    Aloha, Max

  • NYCWW

    Thanks Max!

    Everything is working like a charm with one exception. The htaccess change that makes the rule apply to all domains causes redirect issues on mapped domains without their own SSL certificates.

    There's also a related mixed content issue, but that is due to a bug in the theme. I expect a fix from the developer tomorrow.

    Once again, thanks for all your help on this. You rock!

    Owen
