Setting $_SERVER['HTTPS']='on' prevents access to wp-admin

First off my server is sitting behind a load balancer. My SSL certificate sits on the load balancer and handles HTTPS. The data coming in on port 443 is forwarded to the WordPress server using HTTP on port 80.

However, WordPress and PHP do not know my server configuration. This causes the browser to get suspicious about the validity of my valid SSL certificate.

To fix this I added the following code to functions.php. I found this code here and the codex agrees.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}

This works great for the frontend, but now the /wp-admin/ is inaccessible even with my Admin account. After logging in I receive a message, “Sorry, you are not allowed to access this page.” No other help is provided.

So I searched through the wp-admin folder and discovered that the words “Sorry, you are not allowed to access this page.” appear 17 different times.

Most of these error messages are associated with a user permissions check.

How do I keep HTTPS ‘on’ and retain admin access?

Summary:

  • Before adding HTTP_X_FORWARDED_PROTO logic to functions.php I can access wp-admin/
  • After adding HTTP_X_FORWARDED_PROTO logic to functions.php I cannot access wp-admin/
  • After removing HTTP_X_FORWARDED_PROTO logic from functions.php I cannot access wp-admin/

UPDATE:

I’ve discovered that the error message is coming from wp-admin/menu.php and this chunk of code at the bottom. I added menu.php to the end of the error to figure out that it was this file.

if ( !user_can_access_admin_page() ) {

    /**
     * Fires when access to an admin page is denied.
     *
     * @since 2.5.0
     */
    do_action( 'admin_page_access_denied' );

    wp_die( __( 'Sorry, you are not allowed to access this page. menu.php'), 403 );
}

I still do not understand how to fix this.

1

Special thanks to user42826.

According to the codex:

If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

The following actions will solve the problem.

Add this to wp-config.php. (codex reference)

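/* SSL Settings */
define('FORCE_SSL_ADMIN', true);

/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https'.
   isset() avoids an undefined-index notice when the header is absent
   (for example, a request that did not come through the proxy). */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}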

Remove this from functions.php as it is unnecessary.

/**
 * Make PHP HTTPS aware via HTTP_X_FORWARDED_PROTO
 */
if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS']='on';
}
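
The Codex passage quoted above assumes the reverse proxy sets the header itself; a request that reaches the web server without passing through the load balancer can carry any X-Forwarded-Proto value. The following is an added example (not part of the original answer, the Codex, or WordPress core) that honours the header only when REMOTE_ADDR belongs to the load balancer. The function names, the TRUSTED_PROXIES constant, and its addresses are assumptions, and it assumes the load balancer overwrites the header with a single value.

```php
<?php
// Added example, not WordPress core or Codex code.
// TRUSTED_PROXIES is an assumption: replace with your load balancer's address(es).
const TRUSTED_PROXIES = ['10.0.0.0/24', '192.0.2.10']; // constructed sample values

/** True if IPv4 address $ip equals $range, or falls inside it when $range is CIDR. */
function ip_in_range(string $ip, string $range): bool
{
    if (strpos($range, '/') === false) {
        return $ip === $range;
    }
    [$subnet, $bits] = explode('/', $range, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True only when a trusted proxy reports that the client connection used HTTPS. */
function forwarded_https(array $server, array $trusted = TRUSTED_PROXIES): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto !== 'https') {
        return false; // header absent or not exactly "https"
    }
    foreach ($trusted as $range) {
        if (ip_in_range($peer, $range)) {
            return true;
        }
    }
    return false; // header present, but not sent by the load balancer
}

// In wp-config.php: if (forwarded_https($_SERVER)) { $_SERVER['HTTPS'] = 'on'; }
// Constructed requests covering the three cases:
$cases = [
    'via load balancer'       => ['REMOTE_ADDR' => '10.0.0.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct, header supplied' => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'no header'               => ['REMOTE_ADDR' => '10.0.0.7'],
];
foreach ($cases as $label => $server) {
    echo $label, ': ', forwarded_https($server) ? 'HTTPS on' : 'unchanged', PHP_EOL;
}
```

Only the first constructed case turns HTTPS on; the other two leave `$_SERVER['HTTPS']` untouched.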
