[wp-trac] [WordPress Trac] #29708: WordPress 4.0 decides whether the URL is http or httpS based on site environent
WordPress Trac
noreply at wordpress.org
Fri Sep 19 08:29:03 UTC 2014
#29708: WordPress 4.0 decides whether the URL is http or httpS based on site
environent
----------------------------+-----------------------------
Reporter: cooperman | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.0
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
On upgrading an installation of WordPress to version 4.0 from 3.8 we found
the site in the state of an endless redirect.
After about a day and a half of trying to find the cause we saw that what
appeared to be happening was that the site believed, rightly, that it was
in a non-ssl environment but it then chose to act upon it and redirected
traffic to http://site.name (non SSL domain). The setup of our hosting is
that we have:
- https to the load balancer/accelerator on port 443
- http from the load balancer/accelerator to the port 81 on the web
server
We had an htaccess rule in place at that location to go back to
httpS://site.name which then sent traffic back again and so the cycle
continued. When we removed the http:// to https:// rule, the site loaded,
instead of following an infinite loop, but all of the resources
(stylesheets, JavaScript, etc.) were using http:// so didn't load. This
was despite the "siteurl" and "home" fields in the options table being set
to https. We found ourselves having to hack the core code initially, on
functions such as site_url, get_bloginfo(), etc. but it got to a point
where it wasn't a sustainable solution.
It seems as though WordPress now makes that decision of whether to use
http:// or https:// based on the server that it's sat upon instead of
leaving it up to the settings in the site and what's written into the
required fields in the database / settings page as versions 3.9 and
earlier did.
I don't know if this is by design or not but we've had to put some serious
security holes in our setup just to get the site running once again,
following a day and a half of downtime. It's certainly not a feature that
I've seen documented anywhere.
We're not the only users in this position (please see the thread at
https://wordpress.org/support/topic/wordpress-40-in-a-ssl-
loop?replies=6#post-6026064), and while perhaps unusual our hosting setup
is hardly unique.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29708>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list