Force HTTPS (SSL) on mainsite, and HTTP on subsites

Hi,

I think the title says it all. How can I force https on the mainsite, and force http on the subsites? I have a single ssl certificate, and will only use it on the mainsite, as I use Stripe payments for Pro Sites.

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hey there, Mathias!

    I've got a super simple solution, and an awesome blog post to share with you.

    First, the post is here. It explains a lot of background information in really easy to understand terms.

    And the plugin you need is this one: WordPress HTTPS. It's old, so there's a warning banner on the plugin page, but what it's doing is relatively simple, and wouldn't change with new versions of WordPress.

    The last few paragraphs explain a particularly fun way of handling this, if you're hip to DIY and don't mind playing with your database. This is a decent alternative to using a plugin like the one above.

    Hope this helps!

    • Mathias
      • The Bug Hunter

      Hi Michelle,

      Thanks for your reply, but I have a problem on my site bloggerspoint.dk - where I link to blog posts on the page, and Google Chrome wants to load these links with https, but it should link to http, as the subsites are not secured with https.

  • Jude
    • DEV MAN

    Hey Mathias

    Looks like you've got the setup slightly misconfigured. I can see SSL only for http://www.bloggerspoint.dk which is already a subdomain because of the www, and the main site simply redirects to the www version, which is bad practice. The opposite can be done (i.e. www redirect to non-www).

    You can use the technique described here except swap https with http for the subdomains.

    http://stackoverflow.com/questions/20894947/force-https-and-www-for-domain-and-only-https-for-subdomains-htacess

    Hope that helps
    Jude

    • Mathias
      • The Bug Hunter

      I have this in my WP-config.

      define('WP_DEBUG', false);
      
      define('MULTISITE', true);
      define('SUBDOMAIN_INSTALL', true);
      define('DOMAIN_CURRENT_SITE', 'www.bloggerspoint.dk');
      define('PATH_CURRENT_SITE', '/');
      define('SITE_ID_CURRENT_SITE', 1);
      define('BLOG_ID_CURRENT_SITE', 1);
      
      define('SUNRISE', 'on');
      
      /** Define WordPress.com API Key */
      define('WPCOM_API_KEY','02e99f446da5');
      
      define('FS_METHOD', 'direct');
      
      define('WP_MEMORY_LIMIT', '128MB');
      
      define('PSTS_DISABLE_UPGRADE', true);
      define( 'NOBLOGREDIRECT', 'http://www.bloggerspoint.dk' );

      If I remove www from the URL, then the site still redirects to www, because of the NOBLOGREDIRECT. If I remove the NOBLOGREDIRECT, then I get the wp-signup.php redirect loop.

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hi, Mathias!

    Is there any chance you have an A or CNAME record on your domain registrar pointing to the WWW of your site? This wouldn't be anywhere in your WordPress settings, it would be on the control panel of either your domain registrar or your host. It would explain why you're getting the redirect loop that required you to add NOBLOGREDIRECT to begin with.

    Thanks!

  • Michael Bissett
    • Recruit

    Hey @Mathias, my apologies for the delay here!

    Going over things here, it sounds like when you first installed WordPress, you had the Site URL set to:

    http://www.bloggerspoint.dk

    The reason why you're not seeing the www. prefix in your .se site would be due to the Site URL that's set for that install (in that there wasn't a www. prefix set for that particular site when you set it up).

    In the case of your .dk site though, we'll want to dig deeper into things here, there's a couple of entries (both in your wp-config.php, and in your site's database) we'll need to adjust. Could you please send in the following via our secure contact form:

    - Mark to my attention, the subject line should contain only: ATTN: Michael Bissett
    - Do not include anything else in the subject line, doing so may delay our response due to how email filtering works.
    - Link back to this thread
    - Include WordPress network admin access details (login address, username & password)
    - Include FTP log-in details (hostname, username & password)
    - Include cPanel access details (login address, username & password)
    - Include any relevant URLs for your site

    On the contact form (linked to below), please select "I have a different question", this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thanks a bunch! :slight_smile:

    Kind Regards,
    Michael

  • Michael Bissett
    • Recruit

    Hey @Mathias, thanks for your patience here! :slight_smile:

    I just took care of editing the database for you, had to install phpMyAdmin on your hosting temporarily, and am seeing that bloggerspoint.dk is now working for me when I try visiting it without the www. prefix.

    Could you confirm the same on your end please? :slight_smile:

    Kind Regards,
    Michael

    • Mathias
      • The Bug Hunter

      Thanks a lot Michael, it works perfect!!

      Now I just have the original topic problem. The site should not use https, only on the Stripe checkout page, or only use it at the main site, as we can't afford a wildcard SSL certificate. Right now the user can visit the mainsite with https, and if the user then clicks on a subsite blog link on the homepage, it will link to it as https and say that the site is not safe.

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    Glad to hear that the database changes worked! :slight_smile:

    In regards to the problem you mentioned, regarding the post URLs, I'll want to call my colleague @Jude back to the thread here, I was working on a way to force https only on your Pro Site checkout page, while keeping the other URLs forced to http, but I've only managed to accomplish the former.

    Kind Regards,
    Michael

    • Mathias
      • The Bug Hunter

      I tried, but now when the user visits https it just messes up the site, and a lot of images and styling are missing. Is it not possible to make every page load as http, except for one single page that should load on https, with a code in htaccess?

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    After doing some further investigation into this, finally got the nut cracked, big thanks to this StackOverflow response:

    http://stackoverflow.com/a/11142121

    The resulting .htaccess code that I inserted into the top of your site's .htaccess would be this:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} ^/opret-blog
    RewriteRule ^opret-blog https://bloggerspoint.dk%{REQUEST_URI} [R,L]
    
    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opret-blog
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

    This line in particular is important:

    RewriteCond %{REQUEST_URI} !^/index.php$

    As without that, we'd end up being redirected back to the site's home page when trying to access your Pro Site page.

    Could you confirm that it's working properly on your end as well please? :slight_smile:

    Kind Regards,
    Michael

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    In that case, we'll actually need this code instead (which I've inserted for you):

    RewriteEngine On
    
    RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
    
    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

    Could you confirm that it's working as it should on your end please? :slight_smile:

    Kind Regards,
    Michael

    • Mathias
      • The Bug Hunter

      It works! But there seem to be some issues with the settings of the theme. Some of the colors, fonts, and image sizes do not match the other pages as they did before.

      You can login with this, to see it:
      Username: test8
      Password: qazqaz

    • Mathias
      • The Bug Hunter

      It is when a user visits the upgrade page. If you login on test8.bloggerspoint.dk with the above info, and select "Opgrader til PRO" in the admin menu, you will get to the upgrade page. Notice that the fonts, logo size, and colors do not match the other pages on the mainsite, as they did before. If I remove the code from .htaccess, then it will look normal again, and match the fonts, colors and logo size of the other pages.

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    Gotcha, thanks for elaborating on that, it really helps out here. :slight_smile:

    I was able to resolve that with this .htaccess code:

    RewriteEngine On
    
    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
    RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

    How does it look on your end now? :slight_smile:

    Please advise,
    Michael

  • Mathias
    • The Bug Hunter

    I am very sorry to reopen this thread. The above code still works perfectly. But is it possible to force the admin dashboard of the subsites to HTTP? Right now, when they go directly from the upgrade page to their dashboard, it links to HTTPS instead of HTTP, and then the browser says the website is not safe.
    Is it possible to fix it?

    • Mathias
      • The Bug Hunter

      Seems like the .htaccess does not work anymore. It is like it won't read it. The WordPress part works fine, but the rest doesn't. I haven't changed anything, it just stopped working...

      Current .htaccess:

      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      
      # add a trailing slash to /wp-admin
      RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
      
      RewriteCond %{REQUEST_FILENAME} -f [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^ - [L]
      RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
      RewriteRule ^(.*\.php)$ $1 [L]
      RewriteRule . index.php [L]
      
      php_value upload_max_filesize 64M
      php_value post_max_size 64M
      php_value max_execution_time 300
      php_value max_input_time 300
      
      <IfModule mod_deflate.c>
        # Compress HTML, CSS, JavaScript, Text, XML and fonts
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
        AddOutputFilterByType DEFLATE application/x-font
        AddOutputFilterByType DEFLATE application/x-font-opentype
        AddOutputFilterByType DEFLATE application/x-font-otf
        AddOutputFilterByType DEFLATE application/x-font-truetype
        AddOutputFilterByType DEFLATE application/x-font-ttf
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE font/opentype
        AddOutputFilterByType DEFLATE font/otf
        AddOutputFilterByType DEFLATE font/ttf
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE image/x-icon
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/xml
      
        # Remove browser bugs (only needed for really old browsers)
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        Header append Vary User-Agent
      </IfModule>
      
      ## EXPIRES CACHING ##
      <IfModule mod_expires.c>
      ExpiresActive On
      ExpiresByType image/jpg "access plus 1 year"
      ExpiresByType image/jpeg "access plus 1 year"
      ExpiresByType image/gif "access plus 1 year"
      ExpiresByType image/png "access plus 1 year"
      ExpiresByType text/css "access plus 1 month"
      ExpiresByType application/pdf "access plus 1 month"
      ExpiresByType text/x-javascript "access plus 1 month"
      ExpiresByType application/x-shockwave-flash "access plus 1 month"
      ExpiresByType image/x-icon "access plus 1 year"
      ExpiresDefault "access plus 2 days"
      </IfModule>
      ## EXPIRES CACHING ##
      
      RewriteEngine On
      
      RewriteCond %{HTTPS} on
      RewriteCond %{REQUEST_URI} !^/opgrader
      RewriteCond %{REQUEST_URI} !^/index.php$
      RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
      RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
      RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    In regards to those .htaccess rules not working, they needed to be moved back up to the top, like this:

    RewriteEngine On
    
    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
    RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]

    After doing that, I'm seeing that they're working again. :slight_smile:

    As for the links to the user's dashboard being https:// formatted, that'd be something that'd require something other than .htaccess (since the error would show up before the .htaccess code could even run).

    I've tried looking into this myself, but this looks like something I'll need to call my colleague @Jude in for, to see what he can come up with. :slight_smile:

    Kind Regards,
    Michael

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    I'm not seeing that there's a caching plugin installed presently, though we'd want to take that to a different thread, and wrap up the https concerns here in this thread.

    I've called my colleague Jude to this thread already regarding the links to the subsite dashboard being https, if you could open a new thread for the caching/compression related question, that'd be great. :slight_smile:

    Kind Regards,
    Michael

  • Michael Bissett
    • Recruit

    Hey @Mathias, my apologies for the delay here!

    After talking about this with my colleague @Hoang Ngo, he cooked up this solution for us here:

    add_action( 'wp_footer', 'redirect_without_ssl' );
    function redirect_without_ssl() {
    	?>
    	<script type="text/javascript">
    		jQuery(document).ready(function ($) {
    			var main_site = 'bloggerspoint.dk';
    			$('a').each(function () {
    				var domain = extractDomain($(this).attr('href'));
    				//check if this is a subdomain of the main site (host must end in ".bloggerspoint.dk")
    				if (domain && domain != main_site && domain.slice(-(main_site.length + 1)) == '.' + main_site) {
    					$(this).attr('href', $(this).attr('href').replace('https://', 'http://'));
    				}
    			});
    
    			function extractDomain(url) {
    				if(url == undefined){
    					return false;
    				}
    				var domain;
    				//find & remove protocol (http, ftp, etc.) and get domain
    				if (url.indexOf("://") > -1) {
    					domain = url.split('/')[2];
    				}
    				else {
    					domain = url.split('/')[0];
    				}
    
    				//find & remove port number
    				domain = domain.split(':')[0];
    
    				return domain;
    			}
    		})
    	</script>
    	<?php
    }

    Could you confirm that this is all working properly for you now? :slight_smile:

    Please advise,
    Michael
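
The link rewrite in Michael's post above depends on deciding which hosts are subsites. The following is an added example, not part of the original thread or the site's code: it classifies hosts with the URL parser instead of string splitting, so relative and protocol-relative links are handled as well. The function names and sample URLs are assumptions; only `bloggerspoint.dk` comes from the thread.

```javascript
// Added example. MAIN_SITE is taken from the thread; everything else is illustrative.
const MAIN_SITE = 'bloggerspoint.dk';

// True only for hosts of the form <label>.bloggerspoint.dk.
function isSubsiteHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  return host !== MAIN_SITE && host.endsWith('.' + MAIN_SITE);
}

// For contrast: a truthiness test on indexOf() also accepts unrelated hosts,
// because indexOf() returns -1 (which is truthy) when the name is absent.
function looseSubsiteCheck(hostname) {
  return Boolean(hostname && hostname !== MAIN_SITE && hostname.indexOf(MAIN_SITE));
}

// Returns the href to use: https links to subsites become http,
// every other link (main site, external, relative, mailto:) is returned unchanged.
function rewriteHref(href, pageUrl) {
  let url;
  try {
    url = new URL(href, pageUrl); // resolves relative and protocol-relative links
  } catch (e) {
    return href; // unparsable value: leave it alone
  }
  if (url.protocol !== 'https:' || !isSubsiteHost(url.hostname)) {
    return href;
  }
  url.protocol = 'http:';
  return url.href;
}

// Browser wiring (skipped when no DOM is present, e.g. under Node).
if (typeof document !== 'undefined') {
  document.querySelectorAll('a[href]').forEach((a) => {
    a.setAttribute('href', rewriteHref(a.getAttribute('href'), document.baseURI));
  });
}
```

External links and look-alike names such as `notbloggerspoint.dk` keep their `https://` scheme with the suffix check, while the loose check would flag them.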

  • Mathias
    • The Bug Hunter

    Hi @Michael

    I was able to get everything worked out for a while, but after a theme change, the problem on the upgrade page is back. It is forcing the HTTPS like before, but it is not loading the content over HTTPS, so it looks messed up.

  • Michael Bissett
    • Recruit

    Hey @Mathias,

    I was working on implementing a fix in your site, but I got kicked out unexpectedly, and was not able to log in with the SFTP details you had sent in to my colleague Sajid. That said, if you could modify this inside your .htaccess:

    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
    RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
    RewriteCond %{REQUEST_URI} !.*/wp-content/uploads/2015/11/logo_fullscreen32\.png$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

    And insert a new line, so that it looks like this:

    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteCond %{REQUEST_URI} !.*/bloggerspoint/(css|js)/.*$
    RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
    RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
    RewriteCond %{REQUEST_URI} !.*/wp-content/uploads/2015/11/logo_fullscreen32\.png$
    RewriteRule ^(.*) http://bloggerspoint.dk%{REQUEST_URI} [L]

    That should work to resolve this issue. There's several .php files in your theme that are being loaded over http://, due to the earlier rewrite rules.

    Let me know if this helps please! :slight_smile:

    Kind Regards,
    Michael

    • Mathias
      • The Bug Hunter

      Hi Michael!

      The reason why you got kicked is because I have just changed the passcode to the SFTP. The new code is: (removed by moderator) - please comment when you have seen this so I can remove it from here.

      The above code seems to have done some improvement to the page, so that it doesn't look totally messed up, but I think there are still some minor issues.

      Do you still have the test login, so that you can test everything?

  • Jude
    • DEV MAN

    Hey Vyse

    It'd be this version

    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/opgrader
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
    RewriteCond %{REQUEST_URI} !^/index.php$
    RewriteCond %{REQUEST_URI} !.*/bloggerspoint/(css|js)/.*$
    RewriteCond %{REQUEST_URI} !.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$
    RewriteCond %{REQUEST_URI} !.*/css/selection\.php$
    RewriteCond %{REQUEST_URI} !.*/wp-content/uploads/2015/11/logo_fullscreen32\.png$
    RewriteRule ^(.*) http://example.com%{REQUEST_URI} [L]

    Also use this plugin for anything that gets missed.

    https://wordpress.org/plugins/ssl-insecure-content-fixer/

    Make sure you put your domain instead of example.com and open a new ticket in case you need further help

    https://premium.wpmudev.org/forums/#question

    Cheers
    Jude
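
The upgrade page breaks whenever a theme loads an asset that none of the `RewriteCond` exemptions cover, because that asset is bounced to `http://`. The following is an added example, not part of the original thread: it replays the condition chain from the rule set above against a list of asset URLs to show which ones would be downgraded. The patterns are copied from the thread; the asset paths and function names are constructed, and only the first rewrite pass is modelled.

```javascript
// Added example. Patterns copied from the thread's .htaccess; sample paths are constructed.
const EXEMPT = [
  /^\/opgrader/,
  /^\/wp-admin\/admin-ajax\.php/,
  /^\/index.php$/,
  /.*\/bloggerspoint\/(css|js)\/.*$/,
  /.*\.(gif|jpe?g|png|css|js|ttf|svg|woff|woff2)$/,
  /.*\/css\/selection\.php$/,
  /.*\/wp-content\/uploads\/2015\/11\/logo_fullscreen32\.png$/,
];

// %{REQUEST_URI} carries no query string, so strip it before matching.
function requestUri(url) {
  return url.split('#')[0].split('?')[0];
}

// Consecutive RewriteCond lines are ANDed: the redirect to http:// fires only
// when the request arrived over HTTPS and no exemption pattern matches.
function isDowngraded(url, https = true) {
  if (!https) return false; // "RewriteCond %{HTTPS} on" fails, rule is skipped
  const uri = requestUri(url);
  return !EXEMPT.some((re) => re.test(uri));
}

// Assets that a page served over HTTPS (such as /opgrader) would have
// redirected to HTTP, which browsers then treat as mixed content.
function downgradedAssets(assetUrls) {
  return assetUrls.filter((u) => isDowngraded(u));
}

// Constructed asset list, as a theme might enqueue on the upgrade page.
const SAMPLE_ASSETS = [
  '/wp-content/themes/bloggerspoint/css/main.css?ver=4.4',
  '/wp-content/themes/bloggerspoint/js/app.js',
  '/wp-content/themes/newtheme/css/selection.php',
  '/wp-content/themes/newtheme/fonts/icons.eot',
  '/wp-content/themes/newtheme/dynamic-style.php?ver=2',
  '/wp-admin/admin-ajax.php?action=heartbeat',
  '/wp-includes/js/jquery/jquery.js?ver=1.11.3',
];

console.log(downgradedAssets(SAMPLE_ASSETS));
```

A path with no exemption, such as `/wp-login.php`, is reported as downgraded too, so the same function can list every page this rule set keeps off HTTPS.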
