Admin-Ajax.php, SSL, Non-SSL

I have a WordPress site behind a reverse proxy. The site is over http, except the wp-admin area, which is under https. We don’t have BasicAuth or anything running on top of the admin area.

One of our front-end plugins is failing because it’s making a call to https://admin-ajax.php from a front-end http page, and browsers don’t seem to like that behavior. (If it matters, the URL string contains nonces)

What’s the best way to allow for front-end calls to admin-ajax.php? Should I redirect all calls to that file from https to http? If yes, how can I do that while still requiring all other files under /wp-admin to be under https?

Any suggestions would be much appreciated.

PS: The code below is what we currently have in wp-config:

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';

I would recommend to define this constant in your wp-config.php to force HTTPS on admin:

define('FORCE_SSL_ADMIN', true);

Also, there is a function called is_admin() which could be helpful in your case.

if ( is_admin() ) {
    $_SERVER['HTTPS'] = 'on';
}

However, if you have a rule in your web server forcing all wp-admin and wp-login.php requests to run over SSL, you will need to add an exception for admin-ajax.php file. Not sure how to implement this in Apache, but for NGINX the easiest way would be something like:

if ($request_uri !~* "^/wp-admin/admin-ajax\.php") { rewrite "^/wp-(admin|login)" https://$host$request_uri permanent; }

Hope this helps!