Multi-Domains, Domain Mapping, CloudFlare & https

Hello WPMUdev,

I try to use your Domain Mapping and Multi-Domains plugin in combination with CloudFlare's flexible SSL on all (sub)domains. It's not working on the subdomains of extra domains.

So, I have the following:

https://multi.tld = ok
- https://domain2.tld = ok
--- https://sub.multi.tld = ok
--- https://sub2.domain2.tld = not redirecting properly

It resolves in the frontend when I do not force https (with a page rule @ CloudFlare), but then https://sub2... redirects to http, even when https is set in the site's settings and it's not working for the admin section.

I would guess that when https is not forced the site should be visible via both http and https. So, it's probably this redirect that causes the loop.

In the Multi-Domains settings, next to domain name, 'http://' is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

Any ideas on how to solve this would be very welcome. TY!

  • Vinod Dalvi

    Hi @Axel,

    I hope you are well today and thank you for your question.

    In the Multi-Domains settings, next to domain name, 'http://' is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

    I think it indicates that the domain should be added without http(s).

    Have you tried forcing https in login and admin pages and also forcing https in front-end pages in the Domain mapping settings as described on the following page?

    https://premium.wpmudev.org/project/domain-mapping/#usage

    Would you mind if I logged in to your site and did some testing? This might help get to the bottom of this faster. If this is ok, just grant me temporary admin access to your site by clicking the "Grant Access" button in the WPMU DEV Dashboard Settings as described on the following page, and reply on this thread after granting it.

    https://premium.wpmudev.org/manuals/wpmu-dev-dashboard-enabling-staff-login/

    Kind Regards,
    Vinod Dalvi

  • Axel

    update...

    I still don't manage to use https for subdomains of extra domains and I give up on it for now. I tried to add a rewrite rule in .htaccess, but this only returns the error with less hesitation.

    The closest I get is changing the CloudFlare page rule from *domain2.tld/* to domain2.tld/*, which solves the loop, but subdomains in extra domains are http and it breaks single sign-on, so the login is not encrypted.

    That's not good enough, but I ran out of inspiration. Suggestions on how to solve this are still welcome. TY!

  • Jack Kitterhing

    Hi there @Axel,

    Hope you're well today and thanks for your question! :slight_smile:

    Could you post your complete .htaccess file here please? Personally I wouldn't recommend using Flexible SSL, it shows as SSL to your visitors, but there is no SSL between cloudflare and your web server.

    Ideally you should have a wildcard SSL certificate for your web server.

    Thanks!

    Kind Regards
    Jack.
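
The redirect loop described in the opening post and the Flexible SSL situation Jack explains (the visitor sees https, the origin only ever sees plain HTTP) can be modelled in a few lines. This is an added example, not code from the thread, from CloudFlare or from the WPMU DEV plugins; the proxy address range and edge address are constructed placeholders rather than CloudFlare's published list, and it assumes the proxy passes the conventional X-Forwarded-Proto header.

```python
import ipaddress

# Constructed placeholder for the reverse proxy's address range. It stands in for
# the CDN's published IP list and is NOT a real CloudFlare range.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
EDGE_ADDR = "198.51.100.10"  # constructed: the edge node that talks to the origin


def request_is_https(remote_addr, server_https, headers, trusted=TRUSTED_PROXIES):
    """Work out the visitor-facing scheme from the origin's point of view.

    server_https is what the web server's own TLS layer reports (Apache's
    %{HTTPS}); under Flexible SSL it is always False because the proxy speaks
    plain HTTP to the origin. The X-Forwarded-Proto header is honoured only when
    the connection really comes from a trusted proxy; otherwise any client could
    claim "https" and skip the redirect to the encrypted front end.
    """
    if server_https:
        return True
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in trusted):
        return False
    return headers.get("X-Forwarded-Proto", "").lower() == "https"


def simulate(edge_forces_https, origin_forces_https, honor_forwarded,
             start="http", max_hops=10):
    """Follow a browser through edge and origin redirects.

    Returns (final_scheme, redirects_followed), or ("loop", max_hops) when the
    two sides keep bouncing the visitor between each other.
    """
    scheme = start
    for hops in range(max_hops):
        # Edge page rule: plain-http visitors are sent to https.
        if scheme == "http" and edge_forces_https:
            scheme = "https"
            continue
        # Edge -> origin is plain HTTP (Flexible SSL); only a header says what
        # the visitor used, and the origin may or may not look at it.
        headers = {"X-Forwarded-Proto": scheme}
        origin_sees_https = honor_forwarded and request_is_https(EDGE_ADDR, False, headers)
        # Origin "force https" setting: redirect anything it believes is http.
        if origin_forces_https and not origin_sees_https:
            scheme = "https"
            continue
        return scheme, hops
    return "loop", max_hops
```

With both sides forcing https and the origin ignoring the forwarded scheme, `simulate(True, True, False)` never settles, which is the loop seen on the subdomains; once the origin trusts the header from the edge only, the same setup resolves after a single redirect.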

  • Axel

    Thank you for the follow up, Jack.

    You're right about Flexible SSL, but it's better than no SSL. Imo the entire web should be https, and the certificate business is a bit of a rip-off; I'm not buying it easily, and it looks like the rip-off days are over by next summer. Especially since the site is still under dev for another while, I'm thinking of sticking with Flexible until then. It helps to make sure all works fine over https...

    Either way, here is the htaccess content. Thank you for looking into it!

    #WFIPBLOCKS - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    Order Deny,Allow
    #Do not remove this line. Disable Web Caching in Wordfence to remove this data - WFIPBLOCKS
    #WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    <IfModule mod_deflate.c>
    	AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    	<IfModule mod_headers.c>
    		Header append Vary User-Agent env=!dont-vary
    	</IfModule>
    	<IfModule mod_mime.c>
    		AddOutputFilter DEFLATE js css htm html xml
    	</IfModule>
    </IfModule>
    <IfModule mod_mime.c>
    	AddType text/html .html_gzip
    	AddEncoding gzip .html_gzip
    	AddType text/xml .xml_gzip
    	AddEncoding gzip .xml_gzip
    </IfModule>
    <IfModule mod_setenvif.c>
    	SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
    	SetEnvIfNoCase Request_URI \.xml_gzip$ no-gzip
    </IfModule>
    <IfModule mod_headers.c>
    	Header set Vary "Accept-Encoding, Cookie"
    </IfModule>
    <IfModule mod_rewrite.c>
    	#Prevents garbled chars in cached files if there is no default charset.
    	AddDefaultCharset utf-8
    
    	#Cache rules:
    	RewriteEngine On
    	RewriteBase /
    	RewriteCond %{HTTPS} on
    	RewriteRule .* - [E=WRDFNC_HTTPS:_https]
    	RewriteCond %{HTTP:Accept-Encoding} gzip
    	RewriteRule .* - [E=WRDFNC_ENC:_gzip]
    	RewriteCond %{REQUEST_METHOD} !=POST
    	RewriteCond %{HTTPS} off
    	RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
    	RewriteCond %{REQUEST_URI} (?:\/|\.html)$ [NC]
    
    	RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]
    
    	RewriteCond %{REQUEST_URI} \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$
    	RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
    	RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]
    </IfModule>
    #Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE
    
    # BEGIN WordPress
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]
    
    # END WordPress
    
    # BEGIN gzip
    
    <ifModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </ifModule>
    
    # END gzip
    
    # BEGIN deny access
    
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    
    # END deny access
    
    # BEGIN obscure
    
    ServerSignature Off
    LimitRequestBody 10240000
    
    # END obscure

  • Jack Kitterhing

    Hi there @Axel,

    Hope you're well today, I apologize about the delay on this.

    Unless I've misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    Would you mind sending me the following please and I'll see if I can get this working for you. :slight_smile:

    - In the subject field add "Attn: Jack Kitterhing"
    - Link back to this thread
    - Include admin/network access
    - Include FTP
    - Include any relevant URLS for your site

    On the contact form, select "I have a different question", this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thank you!

    Kind Regards
    Jack.

  • Axel

    Hi Jack,

    Thank you for your help. No worries about the delay.

    Unless I've misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    I can't read it at all, but I set Wordfence to cache HTTPS pages, and excluded a few from caching, so I would think you read that correctly.

    Would you mind sending me the following...

    I do not mind, but to get access through FTP you would need to pass security and that is meant to be impossible. You however could edit .htaccess in the network admin.

    Would you need FTP for anything else?
