WordPress: Insecure content behind reverse proxy/load balancer

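When running WordPress behind a load balancer or reverse proxy, you may find that you’re getting lots of insecure content warnings in your browser. This may cause the page to load improperly, as not all of the content is being delivered. The usual cause is that the proxy terminates HTTPS and passes the request to WordPress over plain HTTP, so WordPress believes the site is being served over HTTP and generates http:// URLs for its assets.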

Most reverse proxies and load balancers will add an additional header to the request, allowing the server to identify the client’s real IP address. One common name for this header is ‘X-FORWARDED-FOR’. The reverse proxy/load balancer may also add the ‘X-FORWARDED-PROTO’ header. I’ll assume this is the scenario moving forward. If you’re not sure what your headers are named, or if they’re present at all, contact your reverse proxy/load balancer provider or administrator.

There are several solutions to fix this. A simple plugin can apply the fix – SSL Insecure Content Fixer.

However, if you want to apply the fix yourself, it’s quite simple. After installation, add the following lines to your wp-config.php file:

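/** Custom SSL Handlers **/
// These headers are only trustworthy when every request reaches the web server
// through the proxy; a client that connects directly can set them itself.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    // The proxy handled HTTPS, so tell WordPress the original request was secure.
    $_SERVER['HTTPS'] = 'on';
}

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Use the address reported by the proxy as the client address.
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}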

Save, and that’s it!
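
A stricter variant of the snippet above, added here as an example and not part of the original post: it honours the forwarded headers only when the request’s direct peer is a known proxy, and it copes with an X-Forwarded-For value that carries a chain of addresses. The names TRUSTED_PROXIES and resolve_forwarded() and the 192.0.2.x addresses are assumptions for illustration; substitute the addresses of your own proxy or load balancer.

```php
<?php
// Added example, not from the original post. TRUSTED_PROXIES holds constructed
// documentation addresses (assumption): replace with your proxy/load balancer IPs.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Return the client IP and HTTPS flag for a request, honouring the forwarded
 * headers only when the direct peer is one of the trusted proxies.
 */
function resolve_forwarded(array $server, array $trusted): array
{
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $https = $server['HTTPS'] ?? null;

    // Direct connection (not via the proxy): ignore client-supplied headers.
    if (!in_array($peer, $trusted, true)) {
        return ['REMOTE_ADDR' => $peer, 'HTTPS' => $https];
    }

    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $https = 'on';
    }

    // X-Forwarded-For may be a comma-separated chain "client, proxy1, proxy2".
    // Walk from the right and take the first hop that is not a trusted proxy;
    // entries further left can be forged by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trusted, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            $peer = $hop;
        }
        break; // stop at the first untrusted hop, valid or not
    }

    return ['REMOTE_ADDR' => $peer, 'HTTPS' => $https];
}

// In wp-config.php: apply the result to the current request.
$resolved = resolve_forwarded($_SERVER, TRUSTED_PROXIES);
$_SERVER['REMOTE_ADDR'] = $resolved['REMOTE_ADDR'];
if ($resolved['HTTPS'] !== null) {
    $_SERVER['HTTPS'] = $resolved['HTTPS'];
}
```

When pasting this into an existing wp-config.php, leave out the opening `<?php` line, since the file already has one.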

Updating npm on Windows

Felix Rieseberg of Microsoft has published a great tool which helps with updating npm on Windows platforms. The repo can be found here.
It’s simple to use. Launch an elevated PowerShell, and then:
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
npm install -g npm-windows-upgrade
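npm-windows-upgrade

That’s it! Note that the execution policy set by the first command persists for the current user after the upgrade finishes.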

As the readme of npm-windows-upgrade suggests, make sure to check out the Microsoft + Node.js Guidelines, if you haven’t already!

Adding X-Forwarded-For header logging on Apache for ISPConfig3

If you’re running your Apache with ISPConfig3 behind a reverse proxy or load balancer, you’ll probably want to log the X-Forwarded-For header, set by your reverse proxy/load balancer. If your setup sets a custom header, no worries, the method is the same.

The LogFormat for ISPConfig3 with Apache is stored in /etc/apache2/sites-available/ispconfig.conf; the line looks like this:

LogFormat "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

To add logging for the X-Forwarded-For header, simply add

%{X-Forwarded-For}i

anywhere you’d like the user’s actual IP to be logged. Here’s what mine looks like:

LogFormat "%v %h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig