Multi-Domains, Domain Mapping, CloudFlare & https

Hello WPMUdev,

I'm trying to use your Domain Mapping and Multi-Domains plugins in combination with CloudFlare’s Flexible SSL on all (sub)domains. It’s not working on the subdomains of extra domains.

So, I have the following:

https://multi.tld = ok

https://domain2.tld = ok

https://sub.multi.tld = ok

https://sub2.domain2.tld = not redirecting properly

It resolves in the front end when I do not force https (with a page rule at CloudFlare), but then https://sub2… redirects to http, even when https is set in the site’s settings, and it’s not working for the admin section.

I would guess that when https is not forced the site should be visible via both http and https. So, it’s probably this redirect that causes the loop.

In the Multi-Domains settings, next to domain name, ‘http://’ is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

Any ideas on how to solve this would be very welcome. TY!

  • Vinod Dalvi
    • WP Unicorn

    Hi @axel,

    I hope you are well today and thank you for your question.

    In the Multi-Domains settings, next to domain name, ‘http://’ is prefilled. Is this solely to indicate that the domain should be added without http(s), or also an indication that it only works with http?

    I think it indicates that the domain should be added without http(s).

    Have you tried forcing https in login and admin pages and also forcing https in front-end pages in the Domain mapping settings as described on the following page?

    https://premium.wpmudev.org/project/domain-mapping/#usage

    Would you mind if I logged in to your site and did some testing? This might help get to the bottom of this faster. If this is ok, just grant me temporary admin access to your site by clicking the “Grant Access” button in the WPMU DEV Dashboard Settings, as described on the following page, and reply on this thread after granting it.

    https://premium.wpmudev.org/manuals/wpmu-dev-dashboard-enabling-staff-login/

    Kind Regards,

    Vinod Dalvi

  • Axel
    • Design Lord, Child of Thor

    update…

    I still can’t manage to use https for subdomains of extra domains, and I’m giving up on it for now. I tried to add a rewrite rule in .htaccess, but this only returns the error with less hesitation.

    The closest I get is changing the CloudFlare page rule from *domain2.tld/* to domain2.tld/*, which solves the loop, but subdomains in extra domains are http and it breaks single sign-on, so the login is not encrypted.

    That’s not good enough, but I ran out of inspiration. Suggestions on how to solve this are still welcome. TY!

  • Jack Kitterhing
    • Code Norris

    Hi there @axel,

    Hope you’re well today and thanks for your question! :slight_smile:

    Could you post your complete .htaccess file here, please? Personally I wouldn’t recommend using Flexible SSL: it shows as SSL to your visitors, but there is no SSL between CloudFlare and your web server.

    Ideally you should have a wildcard SSL certificate for your web server.

    Thanks!

    Kind Regards

    Jack.

  • Axel
    • Design Lord, Child of Thor

    Thank you for the follow up, Jack.

    You’re right about Flexible SSL, but it’s better than no SSL + imo the entire web should be https and the certificate business is a bit of a rip-off, I’m not buying it easily + it looks like rip-off days are over by next Summer. Especially since the site is still under dev for another while, I’m thinking of sticking with Flexible until then. It helps to make sure all works fine over https…

    Either way, here is the htaccess content. Thank you for looking into it!

    #WFIPBLOCKS - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    Order Deny,Allow
    #Do not remove this line. Disable Web Caching in Wordfence to remove this data - WFIPBLOCKS
    #WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    <IfModule mod_headers.c>
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    <IfModule mod_mime.c>
    AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
    </IfModule>
    <IfModule mod_mime.c>
    AddType text/html .html_gzip
    AddEncoding gzip .html_gzip
    AddType text/xml .xml_gzip
    AddEncoding gzip .xml_gzip
    </IfModule>
    <IfModule mod_setenvif.c>
    SetEnvIfNoCase Request_URI .html_gzip$ no-gzip
    SetEnvIfNoCase Request_URI .xml_gzip$ no-gzip
    </IfModule>
    <IfModule mod_headers.c>
    Header set Vary "Accept-Encoding, Cookie"
    </IfModule>
    <IfModule mod_rewrite.c>
    #Prevents garbled chars in cached files if there is no default charset.
    AddDefaultCharset utf-8

    #Cache rules:
    RewriteEngine On
    RewriteBase /
    #Record the HTTPS state and Accept-Encoding as environment flags; they become part of the cache file name below.
    RewriteCond %{HTTPS} on
    RewriteRule .* - [E=WRDFNC_HTTPS:_https]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=WRDFNC_ENC:_gzip]
    #All of the following conditions must hold for the cached file to be served.
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{HTTPS} off
    RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
    RewriteCond %{REQUEST_URI} (?:/|\.html)$ [NC]

    RewriteCond %{HTTP_COOKIE} !(comment_author|wp-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]

    RewriteCond %{REQUEST_URI} /*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)(.*)$
    RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
    RewriteRule /*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]
    </IfModule>
    #Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]

    # END WordPress

    # BEGIN gzip

    <IfModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </IfModule>

    # END gzip

    # BEGIN deny access

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # END deny access

    # BEGIN obscure

    ServerSignature Off
    LimitRequestBody 10240000

    # END obscure

  • Jack Kitterhing
    • Code Norris

    Hi there @axel,

    Hope you’re well today, I apologize about the delay on this.

    Unless I’ve misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    Would you mind sending me the following please and I’ll see if I can get this working for you. :slight_smile:

    – In the subject field add “Attn: Jack Kitterhing”

    – Link back to this thread

    – Include admin/network access

    – Include FTP

    – Include any relevant URLs for your site

    On the contact form, select “I have a different question“, this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thank you!

    Kind Regards

    Jack.

  • Axel
    • Design Lord, Child of Thor

    Hi Jack,

    Thank you for your help. No worries about the delay.

    Unless I’ve misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    I can’t read it at all, but I set Wordfence to cache HTTPS pages, and excluded a few from caching, so I would think you read that correctly.

    Would you mind sending me the following…

    I do not mind, but to get access through FTP you would need to pass security and that is meant to be impossible. You however could edit .htaccess in the network admin.

    Would you need FTP for anything else?

  • wp.network
    • The Bug Hunter

    @jack Kitterhing re .htaccess for https

    You read correctly, I think… the rules in place are kinda neat (I like how it sets an environment flag); however, I don’t see evidence of the kind of basic rules that I would expect to see…

    @axel you said that

    1) you tried to write some htaccess code to do what you wanted… Can you post what you wrote so we can try to see your thinking?

    2) you are only using flexible SSL… that is def. not cool :slight_smile:

    2a) you can use a self-signed SSL certificate on your server, CloudFlare doesn’t care about validation to activate/use ‘SSL Full’ setting instead of ‘Flexible’ … all CF wants is a functional SSL setup to connect to…

    2b) once you have a self-signed certificate in place, you can proceed to work out your htaccess and WPMS issues so that when (/if) you purchase and install a validated SSL you will likely not even notice the transition other than you will be able to use the ‘SSL Full (Strict)’ setting at CF!

    I can likely help you with .htaccess for this if you have some Qs :slight_smile:

    Cheers, Max

  • Axel
    • Design Lord, Child of Thor

    Hello Max,

    Thank you for your help.

    1) This was simply to make everything https. Probably the following, from Yoast:

    # Yoast's force-https snippet: send every request that reaches Apache over plain HTTP to the same URL over https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    2) I’m not sure how def that is. In my mind it is awesome. If you were saying it would def. not be cool to give a false impression of security, however, that I would agree with.

    2a) Good to know. I’ll try that.

    2b) That’s the idea.

    It will take a while, but I’ll post again when I’ve tried the self-signed SSL.

    Or if I have Qs earlier :slight_smile:

    Thank you!

  • Axel
    • Design Lord, Child of Thor

    Yay! I finally found/made some time to follow your advice here, Max… at least partially.

    I added a self-signed certificate for the 1st domain, which indeed makes it possible to activate Full SSL.

    I still have the loop at https://sub2.domain2.tld when I force HTTPS, but only in the front end.

    wp-admin and the login page have https, even though I do not force it. I guess I now need to find out how to add a certificate for domain2.tld. A post here in the forum pointed towards SNI, and my favourite CP supports this…

    [to be continued :slight_smile: ]

  • wp.network
    • The Bug Hunter

    heh, clever stuff we’re trying, eh?

    you might throw a brief confirmation comment in at

    https://premium.wpmudev.org/forums/topic/domain-mapping-bug-4033-breaks-https-permalinks-causes-mixed-content#post-837954

    if the desc there matches your experience w/ the subsites created using a multi-domain as base/primary in original subsite address…

    this stuff is all such a mouthful, I’m glad I get to type it most of the time :slight_smile:

    let me know if the above linked post in my *huge* bug report thread conforms to your experience!

    Cheers, Max

  • wp.network
    • The Bug Hunter

    Cheers @axel

    as the thread is mostly about Domain Mapping, I’m just looking for a brief confirmation comment if my ‘Multi-Domains fyi note’ that I linked to above matches your experience :slight_smile:

    …if your experience seems related yet is also a unique/divergent situation and you can replicate then it’d prob be best to open new thread and link back to a small cross-indexing comment in my bug report thread :slight_smile:

    Kind Regards, Max

  • Axel
    • Design Lord, Child of Thor

    It does not look unique to me, so I’ve added it to your report. Glad to know this one may get solved without me digging into it (I would have dug deep to find out what I was doing wrong) :slight_smile:

  • wp.network
    • The Bug Hunter

    Unless I’ve misread the .htaccess, it appears you have your specific https rewrites within the wordfence caching rules?

    RewriteCond %{HTTPS} on
    RewriteRule .* - [E=WRDFNC_HTTPS:_https]

    RewriteRule /*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]

    These are actually very similar to what WP Super Cache (and I imagine many other similar plugins too) uses to allow for https use cases… it is just setting an environment variable based on the HTTPS state and using that flag to redirect to the appropriate cache location… this is not forcing https, it is just allowing for either… don’t know why I didn’t grok the situation at first :slight_smile:
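To make the cache-location mechanism Max describes concrete, here is a small emulation of the Wordfence rule chain from Axel's posted .htaccess. It is an added example written for this thread, not Wordfence's own code: it applies the posted RewriteCond checks in the same order and builds the wfcache filename the final RewriteRule would serve. The function and constant names (`cache_path`, `BYPASS_COOKIES`) and the sample requests are constructed for illustration, and the `-f` file-exists check is not modelled (the returned path is the one Apache would test). Note that the chain as posted also contains `RewriteCond %{HTTPS} off`, so in this model an HTTPS request never reaches the cache lookup at all; the `_https` suffix is set but never used.

```python
"""Emulation of the Wordfence cache-lookup RewriteCond/RewriteRule chain
posted in this thread. Added example, not Wordfence's code; sample inputs
below are constructed."""
import re

# Regexes taken from the posted rules (with the backslashes restored).
SEGMENTS = re.compile(r"/*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)/*([^/]*)(.*)$")
CACHEABLE_QUERY = re.compile(r"^(?:\d+=\d+)?$")          # empty or digits=digits
CACHEABLE_URI = re.compile(r"(?:/|\.html)$", re.I)        # [NC]
# Any of these cookies bypasses the cache (logged-in users, password-protected posts, ...).
BYPASS_COOKIES = re.compile(
    r"comment_author|wp-postpass|wf_logout|wordpress_logged_in"
    r"|wptouch_switch_toggle|wpmp_switcher", re.I)


def cache_path(host, uri, *, https=False, gzip=False, method="GET",
               query="", cookie=""):
    """Return the wfcache file the posted chain would rewrite to, or None
    when one of the RewriteCond lines fails (request not served from cache).
    The order of the checks mirrors the .htaccess."""
    # RewriteCond %{HTTPS} on              -> [E=WRDFNC_HTTPS:_https]
    https_flag = "_https" if https else ""
    # RewriteCond %{HTTP:Accept-Encoding} gzip -> [E=WRDFNC_ENC:_gzip]
    enc_flag = "_gzip" if gzip else ""

    if method == "POST":                      # RewriteCond %{REQUEST_METHOD} !=POST
        return None
    if https:                                 # RewriteCond %{HTTPS} off
        return None                           # (so https_flag never reaches a filename)
    if not CACHEABLE_QUERY.match(query):      # RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
        return None
    if not CACHEABLE_URI.search(uri):         # RewriteCond %{REQUEST_URI} (?:/|\.html)$ [NC]
        return None
    if BYPASS_COOKIES.search(cookie):         # RewriteCond %{HTTP_COOKIE} !(...) [NC]
        return None

    # The five-segment split gives %1..%6 (RewriteCond) / $1..$6 (RewriteRule).
    s = SEGMENTS.search(uri).groups()
    return (f"/wp-content/wfcache/{host}_{s[0]}/{s[1]}~{s[2]}~{s[3]}~{s[4]}~{s[5]}"
            f"_wfcache{https_flag}.html{enc_flag}")


if __name__ == "__main__":
    # Constructed sample requests for a mapped subdomain.
    for kwargs in ({}, {"gzip": True}, {"https": True},
                   {"cookie": "wordpress_logged_in_x=1"}, {"query": "s=test"}):
        print(kwargs, "->", cache_path("sub2.domain2.tld", "/blog/post-1/", **kwargs))
```

Running it shows that only anonymous, plain-HTTP, query-free GET requests for a directory-style or .html URI are ever served from the cache under these rules; everything else falls through to the WordPress rules that follow in the file.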

  • wp.network
    • The Bug Hunter

    If memory serves, I think that we identified the use of CloudFlare’s ‘Flexible SSL’ setting as the source of the redirect loop… hopefully @axel will update us =)

    Basically, if the server/WP is forcing https then CF must use ‘Full SSL’ to avoid the loop.

    Also interested if you’re using SSO w/ DM + MD and how that’s going at the moment (I’ve got a thread going in the DM section, here)

    Cheers, Max
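The loop Max is describing, combined with the Yoast force-https rule Axel posted earlier in the thread, can be modelled without touching a server. The following is an added example written for this thread, not code from WPMU DEV, CloudFlare or Yoast: `edge` plays the CloudFlare proxy in either Flexible or Full mode, `origin` applies an Apache force-https rule, and `follow` chases the redirects the way a browser would. The function names and the `cf_mode`/`rule` values are my own. The `proxy_aware` variant stands for the common alternative condition `RewriteCond %{HTTP:X-Forwarded-Proto} !https`; CloudFlare does send that header, but an origin should only trust it if direct (non-proxied) access to the origin is blocked, because any client that can reach Apache directly can set the header itself and skip the redirect.

```python
"""Model of the CloudFlare edge <-> Apache origin redirect chain.
Added example for this thread; nothing here talks to the network."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

MAX_HOPS = 5  # loop guard, like a browser's "too many redirects" error


@dataclass
class Request:
    url: str                 # URL as the visitor requested it
    https_at_origin: bool    # what %{HTTPS} evaluates to inside Apache
    forwarded_proto: str     # X-Forwarded-Proto as set by the proxy


def edge(cf_mode: str, url: str) -> Request:
    """CloudFlare edge. 'flexible' terminates TLS at the edge and always
    talks plain HTTP to the origin; 'full' connects to the origin with the
    visitor's scheme (TLS to the origin when the visitor used https)."""
    scheme = urlsplit(url).scheme
    if cf_mode == "flexible":
        return Request(url, https_at_origin=False, forwarded_proto=scheme)
    if cf_mode == "full":
        return Request(url, https_at_origin=(scheme == "https"), forwarded_proto=scheme)
    raise ValueError(f"unknown CloudFlare mode {cf_mode!r}")


def origin(req: Request, rule: str):
    """Apache force-https rule. Returns the 301 Location, or None for 200 OK.
      'naive'       ~ RewriteCond %{HTTPS} off                    (Yoast snippet)
      'proxy_aware' ~ RewriteCond %{HTTP:X-Forwarded-Proto} !https (assumed alternative)"""
    if rule == "naive":
        needs_redirect = not req.https_at_origin
    elif rule == "proxy_aware":
        needs_redirect = req.forwarded_proto != "https"
    else:
        raise ValueError(f"unknown rule {rule!r}")
    if needs_redirect:
        parts = urlsplit(req.url)
        return urlunsplit(("https",) + tuple(parts[1:]))  # same host/path, https scheme
    return None


def follow(url: str, cf_mode: str, rule: str):
    """Follow redirects like a browser. Returns (hops, 'ok' | 'loop')."""
    hops = [url]
    for _ in range(MAX_HOPS):
        location = origin(edge(cf_mode, hops[-1]), rule)
        if location is None:
            return hops, "ok"
        hops.append(location)
    return hops, "loop"


if __name__ == "__main__":
    # Constructed host from the thread's placeholders.
    for cf_mode in ("flexible", "full"):
        for rule in ("naive", "proxy_aware"):
            hops, outcome = follow("https://sub2.domain2.tld/", cf_mode, rule)
            print(f"{cf_mode:9} {rule:12} {outcome:5} via {len(hops)} hop(s)")
```

With Flexible SSL the origin never sees `%{HTTPS} on`, so the naive rule answers every request with a redirect to the URL the visitor already asked for; switching CloudFlare to Full (as the thread concluded) or keying the rule on the forwarded scheme (with the trust caveat above) breaks the cycle. Note that `proxy_aware` plus `flexible` reports "ok" only in the sense that there is no loop: the hop between CloudFlare and the origin is still plaintext, which is Jack's objection to Flexible SSL.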

  • Axel
    • Design Lord, Child of Thor

    Sorry, wp.network, I was absent for a while, working on something else, and my WPMU was on hold, so I didn’t renew my subscription… This issue never got solved, but I’m not using Multi-Domains at the time, and the rest got resolved with Full SSL indeed. So, I’ll close this ticket. Thanks!!
