WordPress: Insecure content behind reverse proxy/load balancer

When running WordPress behind a load balancer or reverse proxy, you may find that you’re getting lots of insecure content warnings in your browser. This may cause the page to load improperly, because not all of the content is being delivered.

Most reverse proxies and load balancers will add an additional header to the request, allowing the server to identify the client’s real IP address. One common name for this header is ‘X-FORWARDED-FOR’. The reverse proxy/load balancer may also add the ‘X-FORWARDED-PROTO’ header. I’ll assume this is the scenario moving forward. If you’re not sure what your headers are named, or if they’re present at all, contact your reverse proxy/load balancer provider or administrator.

There are several solutions to fix this. A simple plugin can apply the fix – SSL Insecure Content Fixer.

However, if you want to apply the fix yourself, it’s quite simple. After installation, add the following lines to your wp-config.php file:

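/** Custom SSL Handlers **/
// Treat the request as HTTPS when the proxy reports that the client used HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Use the client address reported by the proxy instead of the proxy's own address.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}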

Save, and that’s it!
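
The snippet above accepts X-Forwarded-Proto and X-Forwarded-For from whoever connects, so it is only safe when the web server can be reached solely through the proxy. As an added example (not from the original post), this variant for wp-config.php honors the headers only when the connection comes from a known proxy; the function name and the TRUSTED_PROXIES addresses are assumptions to replace with your own.

```php
<?php
// Added example, not from the original post. The addresses below are
// constructed placeholders: list the IPs of your own proxy/load balancer.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Returns a copy of $server with HTTPS and REMOTE_ADDR taken from the
// X-Forwarded-* headers, but only if the TCP peer is a trusted proxy.
function apply_forwarded_headers(array $server, array $trusted): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        return $server; // direct connection: headers are client-supplied
    }
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $server['HTTPS'] = 'on';
    }
    // X-Forwarded-For is a comma-separated chain and each proxy appends the
    // address it saw, so walk right to left and stop at the first hop that
    // is not one of our own proxies. Anything further left is unverified.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: keep the last valid address
        }
        $server['REMOTE_ADDR'] = $hop;
        if (!in_array($hop, $trusted, true)) {
            break;
        }
    }
    return $server;
}

// In wp-config.php, in place of the two unconditional assignments:
$_SERVER = apply_forwarded_headers($_SERVER, TRUSTED_PROXIES);

// Constructed requests, shown only when run from the command line.
if (PHP_SAPI === 'cli') {
    $viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'];
    $direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
    var_dump(apply_forwarded_headers($viaProxy, TRUSTED_PROXIES)['REMOTE_ADDR']);
    var_dump(apply_forwarded_headers($direct, TRUSTED_PROXIES)['REMOTE_ADDR']);
}
```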

Adding X-Forwarded-For header logging on Apache for ISPConfig3

If you’re running your Apache with ISPConfig3 behind a reverse proxy or load balancer, you’ll probably want to log the X-Forwarded-For header, set by your reverse proxy/load balancer. If your setup sets a custom header, no worries, the method is the same.

The LogFormat format for ISPConfig3 with Apache is stored in /etc/apache2/sites-available/ispconfig.conf, the line looks like this:

LogFormat "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

To add logging for the X-Forwarded-For header, simply add

%{X-Forwarded-For}i

anywhere you’d like the user’s actual IP to be logged. Here’s what mine looks like:

LogFormat "%v %h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

Windows: Map network drive to a folder

The default behavior of mapping a network drive does exactly what it sounds like it does: it maps a network share to a local drive. Sometimes, you may want to map a network share to a folder, or subfolder, on your local system. This can be done pretty easily.

Open up a command prompt, as Administrator, and type the following:

mklink /d "c:\path\to\local\folder" "\\path\to\network\share"

Replace “c:\path\to\local\folder” with the path on the local drive where you’d like the network share to be mounted, and replace “\\path\to\network\share” with the actual path to the network share.

If you already have the credentials for this network share saved, or it’s a public share, you’re all set. Otherwise, you’ll be prompted for credentials. You can save these the same as you would save them when you map a network drive the normal way.

This can work very well in conjunction with mapping multiple shares on a target machine with different accounts.