First off, my server is sitting behind a load balancer. My SSL certificate sits on the load balancer and handles HTTPS. The data coming in on port 443 is forwarded to the WordPress server using HTTP on port 80.

However, WordPress and PHP do not know my server configuration. This causes the browser to get suspicious about the validity of my valid SSL certificate.

To fix this I added the following code to functions.php. I found this code here and the codex agrees.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}

This works great for the frontend, but now the /wp-admin/ is inaccessible even with my Admin account. After logging in I receive a message, "Sorry, you are not allowed to access this page." No other help is provided.

So I searched through the wp-admin folder and discovered that the words "Sorry, you are not allowed to access this page." appear 17 different times.

Most of these error messages are associated with a user permissions check.

How do I keep HTTPS 'on' and retain admin access?

Summary:

  • Before adding HTTP_X_FORWARDED_PROTO logic to functions.php I can access wp-admin/
  • After adding HTTP_X_FORWARDED_PROTO logic to functions.php I cannot access wp-admin/
  • After removing HTTP_X_FORWARDED_PROTO logic from functions.php I cannot access wp-admin/

UPDATE:

I've discovered that the error message is coming from wp-admin/menu.php and this chunk of code at the bottom. I added menu.php to the end of the error to figure out that it was this file.

if ( !user_can_access_admin_page() ) {

    /**
     * Fires when access to an admin page is denied.
     *
     * @since 2.5.0
     */
    do_action( 'admin_page_access_denied' );

    wp_die( __( 'Sorry, you are not allowed to access this page. menu.php'), 403 );
}

I still do not understand how to fix this.

Asked Dec 23, 2016 at 20:20 by nu everest (edited Dec 23, 2016 at 20:46)

Comments:
  • You don't say much about the rest of your configuration. Did you set define('FORCE_SSL_ADMIN', true);? – user42826 Commented Dec 23, 2016 at 21:57
  • I did not define 'FORCE_SSL_ADMIN'. I will try it. – nu everest Commented Dec 24, 2016 at 1:30
  • You need to check that the https cookies are also sent from the load balancer over http. It sounds like they are not sent. Obviously the other way around also needs to be checked: are the cookies that you set being transferred over https? – Mark Kaplun Commented Dec 24, 2016 at 3:49

1 Answer

Special thanks to user42826.

According to the codex:

If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

The following actions will solve the problem.

Before require_once( ABSPATH . 'wp-settings.php' );, add this to wp-config.php. (codex reference)

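/* SSL Settings */
define('FORCE_SSL_ADMIN', true);

/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
/* isset() avoids an undefined-index notice when the header is absent (CLI, cron, direct requests) */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}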

Remove this from functions.php as it is unnecessary.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}
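
The codex quote above assumes the reverse proxy sets HTTP_X_FORWARDED_PROTO; if the WordPress host is also reachable directly, any client can send that header itself. The following is an added example, not code from the answer or from WordPress, that honors the header only when the connecting peer is the load balancer. The function name, the TRUSTED_PROXIES list and all addresses are assumptions for illustration.

```php
<?php
// Added example: not WordPress core code and not the answer's code.
// ASSUMPTION: placeholder addresses for the load balancer's backend-facing IPs.
const TRUSTED_PROXIES = ['10.0.0.10', '10.0.0.11'];

/**
 * True only when the TCP peer is a trusted proxy AND it reported https.
 */
function forwarded_proto_is_https(array $server, array $trusted): bool
{
    // REMOTE_ADDR is the connecting peer; request headers cannot change it.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        return false; // header may have been supplied by any client
    }
    // Header is absent for WP-CLI, cron and health checks: default to ''.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    // Exact match; a substring test would also accept values like "nothttps".
    return $proto === 'https';
}

// Constructed sample requests (203.0.113.7 is a documentation address).
$samples = [
    'load balancer, https'     => ['REMOTE_ADDR' => '10.0.0.10',
                                   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'load balancer, http'      => ['REMOTE_ADDR' => '10.0.0.10',
                                   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct client with header' => ['REMOTE_ADDR' => '203.0.113.7',
                                   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'no header (CLI or cron)'  => [],
];

foreach ($samples as $label => $server) {
    // Same assignment the answer makes, applied to the sample array.
    if (forwarded_proto_is_https($server, TRUSTED_PROXIES)) {
        $server['HTTPS'] = 'on';
    }
    printf("%-28s HTTPS=%s\n", $label, $server['HTTPS'] ?? '(unset)');
}
```

In wp-config.php the same function would be called with $_SERVER before wp-settings.php is loaded, setting $_SERVER['HTTPS'] = 'on' when it returns true.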
