Is it safe to use this code with WordPress to get Cloudflare SSL working

I want to ask if this code snippet is safe to use in WordPress. I am new and there are many experts here, so I would like to ask them about this code.

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

This code solves the redirect loop when using a Cloudflare SSL certificate.

Many forums and threads have suggested using similar code, but some say that using $_SERVER['HTTPS'] = 'on'; is not a good practice. I want someone to guide

Looks to me like a part of the code from wp-config.php which was put by a Really Simple SSL plugin for WordPress.

The “old one”:

//Begin Really Simple SSL Load balancing fix
if ((isset($_ENV["HTTPS"]) && ("on" == $_ENV["HTTPS"]))
    || (isset($_SERVER["HTTP_X_FORWARDED_SSL"]) && (strpos($_SERVER["HTTP_X_FORWARDED_SSL"], "1") !== false))
    || (isset($_SERVER["HTTP_X_FORWARDED_SSL"]) && (strpos($_SERVER["HTTP_X_FORWARDED_SSL"], "on") !== false))
    || (isset($_SERVER["HTTP_CF_VISITOR"]) && (strpos($_SERVER["HTTP_CF_VISITOR"], "https") !== false))
    || (isset($_SERVER["HTTP_CLOUDFRONT_FORWARDED_PROTO"]) && (strpos($_SERVER["HTTP_CLOUDFRONT_FORWARDED_PROTO"], "https") !== false))
    || (isset($_SERVER["HTTP_X_FORWARDED_PROTO"]) && (strpos($_SERVER["HTTP_X_FORWARDED_PROTO"], "https") !== false))
    || (isset($_SERVER["HTTP_X_PROTO"]) && (strpos($_SERVER["HTTP_X_PROTO"], "SSL") !== false))
) {
    $_SERVER["HTTPS"] = "on";
}
//END Really Simple SSL

The new one the plugin creates is slightly different, as far as I remember.

As long as you are running HTTPS at the origin host / server, no worry.
It could be that there are still (or were) some hard-coded HTTP links, meaning any should be translated and redirected from HTTP to HTTPS (due to mixed content errors, redirect loops, etc.).

Therefore, WordPress should be installed and run over HTTPS only.

At Cloudflare, Full (Strict) SSL and we are good:

I see it as a kind of feature like Cloudflare has got, the Automatic HTTPS Redirection, and a possible way to have the Always Use HTTPS option enabled (without Cloudflare).

2 Likes

Everything the OP wrote suggested he is running an insecure setup. Otherwise he wouldn’t need these “workarounds” in the first place.

Yep, nothing more to say :slight_smile:

1 Like

@sandro Thanks a lot for your response. This code is not for the DNS setup. It’s for Cloudflare Argo Tunnel. When using Cloudflare Argo Tunnel, WordPress wp-admin goes into a redirect loop, so I am using the code. But it works fine when using the Cloudflare DNS setup.

@fritex That works fine with the DNS setup, but with the Argo Tunnel setup it can be solved without using the code.

So I guess it’s safe to use this code in WordPress.

The code is even recommended by WordPress itself.

In that case I retract my earlier statement and you should be secure via the Argo tunnel.

Sorry for jumping to conclusions, but with way more than half of the threads here about such setups, one shouldn’t be surprised.

1 Like

I assume it’s possible if using a Flexible SSL as an option of the SSL/TLS tab at Cloudflare.

To use it where, inside if()?

Furthermore, due to the WordPress Admin and the SSL, I would strongly recommend to run it over HTTPS, and there is actually an action like define('FORCE_SSL_ADMIN', true); for the wp-config.php to define it, if so:

A bit different from WordPress source here (the same URL and title as above one, but under the Using a Reverse Proxy section):

No, it still gives redirect loops

Thanks a lot, I will take that into consideration

Thanks I saw that and I will implement it

Thanks a lot for your reply and help :slightly_smiling_face:

I guess I can avoid using an origin SSL certificate when using Cloudflare Argo Tunnel, right? For WordPress.

@fritex @sandro Should I use port 80 for WordPress or 443 with Cloudflare Argo Tunnel? The Argo Tunnel doesn’t serve files from port 443 with an SSL certificate configured (check the above post) and only uses port 80. So should I only use port 80 for WordPress?

If I am using port 80, I feel that there will be a redirect going on between Cloudflare and the server and WordPress from HTTP to HTTPS. I don’t know properly.

If I’m going to point to port 443 of the WordPress site, I will specify “noTLSVerify: true” or “originServerName: your_server_name” to prevent SSL validation errors.

1 Like

Thanks @erictung, could you please tell me the difference between using port 80 or port 443 for WordPress, as it is hard to understand with Argo Tunnel.

Also my nginx returns 404 on port 443. Thanks again

Mainly because of security. Nothing special.

Also you might be at risk of getting redirect loops when you are pointing to port 80, but your WordPress site insists on redirecting you to port 443 (HTTPS).

Probably your Nginx is not properly configured to serve your website via port 443.

That’s the case with the DNS setup, but when Argo Tunnel is set up, it creates an encrypted connection and doesn’t verify TLS at the origin, and WordPress redirects based on this:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS'] = 'on';

So why is port 443 needed for WordPress with Argo Tunnel? @erictung Can you please tell me?

I already mentioned this in my previous reply.

If your web server is capable of serving HTTPS traffic (and already configured to do so), why not just point to port 443 in your Cloudflare Tunnel configuration file? If you configure your web server to only listen at port 80, go ahead, pointing to port 80 shouldn’t be an issue.

2 Likes

Can you tell me what I should put, like my domain name? If a domain is pointing to the server using Argo Tunnel, should I put that domain name?

Technically, you should put the domain name which matches the Common Name of the SSL certificate served by your website.

2 Likes

I think it’s partially true, because when you have configured your origin server properly for port 443 and SSL you don’t need this code with Argo Tunnel.

I tested it with spinupwp and thanks to @erictung @fritex sandro
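The header check discussed in this thread, as an added example that is not part of the original posts or of WordPress or any plugin: X-Forwarded-Proto is an ordinary request header, so the snippet is only as trustworthy as the peer that sent it, and this variant honours it only when the direct peer is a known proxy. The function name, the TRUSTED_PROXIES list and the sample requests are assumptions for illustration; the loopback addresses assume cloudflared runs on the same host as the web server.

```php
<?php
// Added example: honour X-Forwarded-Proto only when it comes from our own proxy.
// ASSUMPTION: the tunnel daemon / reverse proxy connects from these addresses.
// Replace the list with the proxy hops that actually front this server.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Decide whether the visitor's request reached the edge over HTTPS.
 * $server is passed in (rather than read from $_SERVER) so it can be exercised
 * with sample data. Hypothetical helper, not a WordPress function.
 */
function request_is_https(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // TLS terminated on this web server: no header needs to be consulted.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Any client can send the header; it only means something from our proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    // Exact match, as in the snippet from the question; substring matches
    // and comma-separated lists are rejected.
    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    return $proto === 'https';
}

// In wp-config.php, before wp-settings.php is loaded:
if (request_is_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests (not captured traffic), printed when run from the CLI.
$samples = [
    'via local tunnel, https' => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via local tunnel, http'  => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct peer, header set' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
if (PHP_SAPI === 'cli') {
    foreach ($samples as $label => $server) {
        printf("%-24s => %s\n", $label, request_is_https($server) ? 'https' : 'not https');
    }
}
```

With the unconditional snippet the third sample would also be treated as HTTPS, which is why the origin should additionally accept connections only from the tunnel or proxy.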
