Dangerous Things
Custom gadgetry for the discerning hacker

The Store is now open! Check out the gadgetry »
Like what you're reading?
Share It.

Getting HTTPS to work for WordPress when behind a reverse proxy

I recently had an issue with https functionality in WordPress when working behind a reverse proxy like Pound or nginx. I’m running Pound, so the solution for me was to add specific proto headers to the pound.cfg file;

## HTTPS listening ports
AddHeader "X_FORWARDED_PROTO: https"

## HTTP listening ports
AddHeader "X_FORWARDED_PROTO: http"

Then in WordPress, I had to modify the is_ssl function found in /wp-includes/functions.php to properly detect the X_FORWARDED_PROTO header value;

function is_ssl() {
if ( isset($_SERVER['HTTPS']) ) {
if ( 'on' == strtolower($_SERVER['HTTPS']) ) return true;
if ( '1' == $_SERVER['HTTPS'] ) return true;
} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
return true;
} elseif ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && ( 'https' == strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) ) ) {
return true;
} elseif ( isset($_SERVER['X_FORWARDED_PROTO']) && ( 'https' == strtolower($_SERVER['X_FORWARDED_PROTO']) ) ) {
return true;
return false;

The reason I added both HTTP_X_FORWARDED_PROTO and X_FORWARDED_PROTO is that there is no accepted standard for the use of these headers and I’ve seen both used.

Update! I found a much better way to solve the HTTPS problem on the Apache server hosting WordPress. Just edit httpd.conf and include this line;

SetEnvIf X-Forwarded-Proto https HTTPS=on

Tags: , ,

Leave a Reply

Get Adobe Flash player