Multi-Domains, Domain Mapping, CloudFlare & https

Hello WPMUdev,

I'm trying to use your Domain Mapping and Multi-Domains plugins in combination with CloudFlare's Flexible SSL on all (sub)domains. It's not working on the subdomains of extra domains.

So, I have the following:

https://multi.tld = ok
- https://domain2.tld = ok
--- https://sub.multi.tld = ok
--- https://sub2.domain2.tld = not redirecting properly

It resolves in the frontend when I do not force https (with a page rule @ CloudFlare), but then https://sub2... redirects to http, even when https is set in the site's settings and it's not working for the admin section.

I would guess that when https is not forced the site should be visible via both http and https. So, it's probably this redirect that causes the loop.

In the Multi-Domains settings, next to domain name, 'http://' is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

Any ideas on how to solve this would be very welcome. TY!

  • Vinod Dalvi
    • WP Unicorn

    Hi @Axel,

    I hope you are well today and thank you for your question.

    In the Multi-Domains settings, next to domain name, 'http://' is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

    I think it indicates that the domain should be added without http(s).

    Have you tried forcing https in login and admin pages and also forcing https in front-end pages in the Domain mapping settings as described on the following page?

    https://premium.wpmudev.org/project/domain-mapping/#usage

    Would you mind if I logged in to your site and did some testing? This might help get to the bottom of this faster. If this is ok, just grant me temporary admin access to your site by clicking the "Grant Access" button in the WPMU DEV Dashboard Settings as described on the following page, and reply on this thread after granting it.

    https://premium.wpmudev.org/manuals/wpmu-dev-dashboard-enabling-staff-login/

    Kind Regards,
    Vinod Dalvi

  • Axel
    • Design Lord, Child of Thor

    update...

    I still can't manage to use https for subdomains of extra domains and I'm giving up on it for now. I tried to add a rewrite rule in .htaccess, but this only returns the error with less hesitation.

    The closest I get is changing the CloudFlare page rule from *domain2.tld/* to domain2.tld/*, which solves the loop, but subdomains in extra domains are http and it breaks single sign-on, so the login is not encrypted.

    That's not good enough, but I ran out of inspiration. Suggestions on how to solve this are still welcome. TY!

  • Jack Kitterhing
    • Code Norris

    Hi there @Axel,

    Hope you're well today and thanks for your question! :slight_smile:

    Could you post your complete .htaccess file here please? Personally I wouldn't recommend using Flexible SSL: it shows as SSL to your visitors, but there is no SSL between CloudFlare and your web server.

    Ideally you should have a wildcard SSL certificate for your web server.

    Thanks!

    Kind Regards
    Jack.

  • Axel
    • Design Lord, Child of Thor

    Thank you for the follow up, Jack.

    You're right about Flexible SSL, but it's better than no SSL. Imo the entire web should be https, and the certificate business is a bit of a rip-off, so I'm not buying it easily; it also looks like the rip-off days are over by next summer. Especially since the site is still under dev for another while, I'm thinking of sticking with Flexible until then. It helps to make sure all works fine over https...

    Either way, here is the htaccess content. Thank you for looking into it!

    #WFIPBLOCKS - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    Order Deny,Allow
    #Do not remove this line. Disable Web Caching in Wordfence to remove this data - WFIPBLOCKS
    #WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    <IfModule mod_deflate.c>
    	AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    	<IfModule mod_headers.c>
    		Header append Vary User-Agent env=!dont-vary
    	</IfModule>
    	<IfModule mod_mime.c>
    		AddOutputFilter DEFLATE js css htm html xml
    	</IfModule>
    </IfModule>
    <IfModule mod_mime.c>
    	AddType text/html .html_gzip
    	AddEncoding gzip .html_gzip
    	AddType text/xml .xml_gzip
    	AddEncoding gzip .xml_gzip
    </IfModule>
    <IfModule mod_setenvif.c>
    	SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
    	SetEnvIfNoCase Request_URI \.xml_gzip$ no-gzip
    </IfModule>
    <IfModule mod_headers.c>
    	Header set Vary "Accept-Encoding, Cookie"
    </IfModule>
    <IfModule mod_rewrite.c>
    	#Prevents garbled chars in cached files if there is no default charset.
    	AddDefaultCharset utf-8
    
    	#Cache rules:
    	RewriteEngine On
    	RewriteBase /
    	RewriteCond %{HTTPS} on
    	RewriteRule .* - [E=WRDFNC_HTTPS:_https]
    	RewriteCond %{HTTP:Accept-Encoding} gzip
    	RewriteRule .* - [E=WRDFNC_ENC:_gzip]
    	RewriteCond %{REQUEST_METHOD} !=POST
    	RewriteCond %{HTTPS} off
    	RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
    	RewriteCond %{REQUEST_URI} (?:\/|\.html)$ [NC]
    
    	RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]
    
    	RewriteCond %{REQUEST_URI} \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$
    	RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
    	RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]
    </IfModule>
    #Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE
    
    # BEGIN WordPress
    
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]
    
    # END WordPress
    
    # BEGIN gzip
    
    <ifModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </ifModule>
    
    # END gzip
    
    # BEGIN deny access
    
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    
    # END deny access
    
    # BEGIN obscure
    
    ServerSignature Off
    LimitRequestBody 10240000
    
    # END obscure

  • Jack Kitterhing
    • Code Norris

    Hi there @Axel,

    Hope you're well today, I apologize about the delay on this.

    Unless I've misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    Would you mind sending me the following please and I'll see if I can get this working for you. :slight_smile:

    - In the subject field add "Attn: Jack Kitterhing"
    - Link back to this thread
    - Include admin/network access
    - Include FTP
    - Include any relevant URLs for your site

    On the contact form, select "I have a different question", this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thank you!

    Kind Regards
    Jack.

    • wp.network
      • The Bug Hunter

      @Jack Kitterhing re .htaccess for https

      You read correctly I think... the rules in place are kinda neat (I like how it sets an environment flag), however, I don't see evidence of the kind of basic rules that I would expect to see...

      @Axel you said that
      1) you tried to write some .htaccess code to do what you wanted... Can you post what you wrote so we can try to see your thinking?
      2) you are only using Flexible SSL... that is def. not cool :slight_smile:
      2a) you can use a self-signed SSL certificate on your server; CloudFlare doesn't care about validation to activate/use the 'SSL Full' setting instead of 'Flexible'... all CF wants is a functional SSL setup to connect to...
      2b) once you have a self-signed certificate in place, you can proceed to work out your .htaccess and WPMS issues, so that when (/if) you purchase and install a validated SSL you will likely not even notice the transition, other than that you will be able to use the 'SSL Full (Strict)' setting at CF!

      I can likely help you with .htaccess for this if you have some Qs :slight_smile:

      Cheers, Max

    • wp.network
      • The Bug Hunter

      Unless I've misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

      RewriteCond %{HTTPS} on
      RewriteRule .* - [E=WRDFNC_HTTPS:_https]

      ...
      RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]

      These are actually very similar to what WP Super Cache (and I imagine many other similar plugins too) uses to allow for https use cases... it is just setting an environment variable based on the HTTPS state and using that flag to redirect to the appropriate cache location... this is not forcing https, it is just allowing for either... don't know why I didn't grok the situation at first :slight_smile:

  • Axel
    • Design Lord, Child of Thor

    Hi Jack,

    Thank you for your help. No worries about the delay.

    Unless I've misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    I can't read it at all, but I set Wordfence to cache HTTPS pages, and excluded a few from caching, so I would think you read that correctly.

    Would you mind sending me the following...

    I do not mind, but to get access through FTP you would need to pass security and that is meant to be impossible. You however could edit .htaccess in the network admin.

    Would you need FTP for anything else?

  • wp.network
    • The Bug Hunter

    If memory serves, I think that we identified the use of CloudFlare's 'Flexible SSL' setting as the source of the redirect loop... hopefully @Axel will update us =)

    Basically, if the server/WP is forcing https then CF must use 'Full SSL' to avoid the loop.

    Also interested if you're using SSO w/ DM + MD and how that's going at the moment (I've got a thread going in the DM section, here)

    Cheers, Max
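The loop Max describes, modelled as an added example (not code from the thread, WPMU DEV or CloudFlare): under Flexible SSL the edge always fetches the origin over plain http, so an origin that forces https keeps answering with a redirect to the URL the visitor already requested. Hostnames are constructed and the edge/origin behaviour is a simplified model.

```python
"""Simulate a visitor's browser following redirects through a CloudFlare-style
edge in front of a WordPress origin that forces https.

Constructed model, not CloudFlare's or WordPress's code. Modes:
  'flexible' -> edge fetches the origin over http regardless of visitor scheme
  'full'     -> edge fetches the origin with the same scheme the visitor used
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def origin(scheme: str, host: str, path: str, force_https: bool) -> Response:
    """Origin behaviour: a 301 to https when forcing and the request came in
    over http (what a 'force SSL' setting or an .htaccess rule would do)."""
    if force_https and scheme == "http":
        return Response(301, f"https://{host}{path}")
    return Response(200)


def browse(url: str, mode: str, force_https: bool,
           max_hops: int = 10) -> Tuple[str, int]:
    """Follow redirects like a browser; returns ('ok' | 'loop', hops taken)."""
    hops = 0
    while hops < max_hops:
        visitor_scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        # The edge decides which scheme the origin actually sees.
        origin_scheme = "http" if mode == "flexible" else visitor_scheme
        resp = origin(origin_scheme, host, "/" + path, force_https)
        if resp.status == 200:
            return "ok", hops
        url = resp.location  # browser follows the Location header
        hops += 1
    return "loop", hops  # browser gives up: "not redirecting properly"


if __name__ == "__main__":
    # Constructed hostname matching the thread's layout.
    for mode in ("flexible", "full"):
        print(mode, browse("https://sub2.domain2.tld/", mode, force_https=True))
```

With Flexible SSL and forced https the run never reaches a 200, which is the loop the thread hits; switching the model to Full SSL resolves in zero hops, matching Axel's final update.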

  • Axel
    • Design Lord, Child of Thor

    Sorry, wp.network, I was absent for a while, working on something else, and my WPMU was on hold, so I didn't renew the subscription... This issue never got solved, but I'm not using Multi-Domains at the time, and the rest got resolved with Full SSL indeed. So, I'll close this ticket. Thanks!!
