Force HTTPS w/ Load Balancer and without (.htaccess rewrite)

.htaccess

I have the following code as a rewrite rule.

RewriteEngine On 
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

This seems to work great with and without a ssl terminated load balancer. My question:

are the 2 rewrite conditions "ORed" and Anded". If I remove RewriteCond %{HTTPS} off I get an infinite redirect when accessing the web server directly. (I need this to work while DNS propagates)

I am just confused by the rule

Best Answer

The rewritecond's should be or:ed as only one of the conditions will normally be true at any one time. This however would need additional syntax in the form of the OR directive: Can reduce the rewriteRule to one rule from multiple RewriteConds for 301 in htaccess?

The first rewritecond checks to see if the protocol used by the connection is not https. If this resolves as true, a redirect to https is sent to the client.

The second rewritecond checks to see if ssl has already been terminated (for example in the load balancer), at which an x-forwarded-proto http header would have been injected with the value of https. If the header value isn't https, a redirect to https is sent to the client.

Removing the first condition whilst connecting directly to the server will result in a redirection loop.

Removing the second condition whilst connecting through the load-balancer(or whichever external node does the termination) will also result in a redirection loop.

I would try(untested as I'm on an iphone):

RewriteEngine On 
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Motivation

I'm one of those guys that likes things perfect. I will ~~spend~~ waste time over-engineering something to be the 'right way'. One of things I didn't like about the default WordPress setup was that a user could type in http://ex.com/wp-settings.php and then all this php jargon would spew all over the place. I eventually was able to turn off errors via PHP but that led to a greater desire to only have things that made since be locatable resources from the server...and that everything else would be 404/3'ified to our custom search page. After that I got this idea that I'd like to completely hide the underlying framework (i.e. WP)... anyways... if you want to hide WP it's possible. But it's really hard.

Steps to your doom

Modify your PHP ini settings appropriately. (i.e. turn display errors off) You might think this is unnecessary because if we're using .htaccess to reroute things, folks won't see errors because they can't access the error causing resources (I'm looking at you wp-settings.php). But errors could occur in displayed pages, so you definitely want them off. Just because WP_* directives are set doesn't necessarily mean that things will work the way you think they will. I found that on my server I had to set the display_errors to false FIRST, because WP_DISPLAY_ERRORS assumed that the default setting was false.

Controlling PHP ini settings may be something as simple as putting a directive in your .htaccess file. Or, in my case, as complicated as creating a CGI handler and then putting a php.ini file there. YMMV depending on your set-up.
Remove all access to files/directories with wp- prefix. The idea is that your WP deployment is about your content, not about WP (unless it's specifically focused on WP). It doesn't make sense for people to want to see what http;//ex.com/wp-cron.php has... unless they're up to no-good. I accomplished this via this:
```
 # If the resource requested is a `wp-*` file or directory, poop to a 403. 
 RewriteCond %{REQUEST_FILENAME} wp-.*$ [NC] 
 RewriteCond %{ENV:REDIRECT_STATUS} ^$ 
 RewriteCond %{REQUEST_FILENAME} -f [NC,OR] 
 RewriteCond %{REQUEST_FILENAME} -d [NC] 
 RewriteRule .* - [F,L] 
```
Learn how to just pass through mordor By removing all access to wp-* you can no longer gain access to the administrative part of WP. That really sucks. In addition to that downer, you've just realized that you don't know what RewriteCond %{ENV:REDIRECT_STATUS} ^$ really does. Well, what I tried to do is to give myself a 'secret' backdoor to the WP admin page. I used this code:
```
 # If the resource requested is 'mordor' (with or without an ending
 # slash) do a URL rewrite to `wp-login.php`. 
 RewriteCond %{REQUEST_URI} mordor/?$ [NC]
 RewriteRule mordor/?$ /wp-login.php [NC,L]
```
So the URL: http://ex.com/mordor should bring us to the login page. The reason why we had the REDIRECT line in the step above is that since this URL gets rewritten to a wp-* URL, we don't want the first rewrite rule to get it. Since it's being redirected internally, REDIRECT_STATUS will be set correctly and it won't push us to 403/4 land.
Remove wp-content Wordpress.stackexchange has a great article on removing wp-content. You have to redefine some WP constants and that pretty much works. You also have to redirect all accesses from wp-content to 'whatever-content`. This probably won't be an issue if this is a clean deployment. If you're modifying a pre-existing deployment you'll have to do some extra stuff.
Rewrite URLs to wp-content optional RewriteRule (.*)(wp-content)(.*) $1whatever-content$3 [NC,R,L]. This goes in your .htaccess file. If your user tries to access some old content via a wp-content URL, it will get redirected here.
Grep and replace all references to wp-content in your DB optional. You still have wp-content in your database. If you want to WP free you need to get rid of that stuff. I exported/mysql dumped my database, did a search and replace on the wp-content string to the new string. You might say... why do I have to do this if apache will rewrite my URLs? The problem is that the source code will contain these references so if you're really interested in obscuring WordPress, you need to do this. Note: At this point I should've just stopped and accepted the reality that this wasn't going to work. But I wanted Mr. T to pity me.
Replace all references to wp-includes and wp-admin in the source. A lot of the WordPress functionality depends on these two directories: wp-includes and wp-admin. This means these directory names are hardcoded in the source code. This means that you would have to create new directories (since PHP uses the underlying OS file system, not apache) to access these and then WRITES THESE OUT into the emitted html. This is just way too much trouble. I quickly gave up and went to the bathroom to take a poop.

Lesson

Sure, I could've just read http://codex.wordpress.org/Hardening_WordPress and followed those steps. But I wanted the perfect site. Now I just want all those hours back. The biggest thing that prevented me from stopping was that I didn't read anywhere on the internet that this was a lot of work and almost impossible to do. Instead I read of people trying to do it with no sense of if they were successful or not. So, to my past self, whom I will send this to via Apple's Time Machine, please don't try and obscure WordPress. It's not worth it.

Best Answer

Related Solutions

Htaccess rewrite and auth conflict

WordPress – How to obscure the WordPress install via htaccess

Motivation

Steps to your doom

Lesson

Related Topic