I am setting up a WordPress site for myself to play with. I am trying to use Nginx as the SSL reverse proxy, as I do for the other web tools I run. I have three Linux containers:

  • 10.0.0.51:443: Nginx SSL Proxy for five web tools + one WordPress site
  • 10.0.0.52: Web tools container, tools run on various ports using HTTP
  • 10.0.0.164:8080: Apache for WordPress

I am using Let's Encrypt to provide SSL certs and this works fine. My Webtools work without issues and they each have their own subdomain. The WordPress site is supposed to live at www.example.org. When I go to this URL, I get redirected to https://www.example.org:8080 which obviously gives me a timeout. On the other hand, the WordPress site does load correctly when I visit http://10.0.0.164:8080. It sounds like Apache is rewriting the URL to include :8080?

My Nginx site config is as follows:

server {
        server_name www.example.org;

        location / {
            proxy_pass http://10.0.0.164:8080;
            include /etc/nginx/proxy_params;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.example.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        server_name www.example.org;

    listen 80;
    return 404; # managed by Certbot
}

Nginx proxy_params:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;

And Apache VirtualHost config. The rest is at its defaults:

<VirtualHost *:8080>
    ServerName domain.org
    ServerAlias www.example.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/example.org
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# Allow .htaccess overwrites
<Directory /var/www/example.org/>
    AllowOverride All
</Directory>

1 Answer

This issue ultimately stems from the fact that WordPress is not designed to live behind a reverse proxy of any kind.

These are the proxy_set_header settings used to make this work in Nginx:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;

As these are different from the normal proxy_pass headers used for the other web tools I run, I made a separate file called wp_proxy_params.conf and included that in the WordPress site SSL server block in Nginx.

Next, we must change what WordPress expects our URL to be. Log into WP-Admin and go to Settings > General. Enter your full URL under WordPress Address and Site Address. In this example that would be https://www.example.org. Once the settings are applied the site will become inaccessible.

Finally, we edit the wp-config.php in our site root to add the following code:

/** If we got HTTPS from Nginx, we must reply the same way */
// isset() avoids an undefined-index notice when the header is absent
if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
{
    $_SERVER['HTTPS']       = 'on';
    $_SERVER['SERVER_PORT'] = '443';
    define('FORCE_SSL_ADMIN', true);
}

/** When replying, make sure the reply host is set to the Nginx reverse proxy address, not us */
if ( isset($_SERVER['HTTP_X_FORWARDED_HOST']) )
{
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}

This section must be added immediately after the opening <?php statement. If added below the existing wp-config.php content, it will prevent access to WP-Admin.
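
A hardened variant of the wp-config.php logic above, as an added example that is not the answerer's code. The proxy_params shown never set X-Forwarded-Host, so Nginx passes through whatever value the client sent, and Apache on 10.0.0.164:8080 can also be reached directly; this version honours forwarded headers only from the proxy and only for a known hostname. It assumes 10.0.0.51 is the only proxy and www.example.org the only public hostname (both from the question); the function and constant names are hypothetical.

```php
<?php
// Added example; names are hypothetical. Assumes the proxy is 10.0.0.51 and
// the only public hostname is www.example.org (values from the question).
const TRUSTED_PROXIES = ['10.0.0.51'];
const ALLOWED_HOSTS   = ['www.example.org'];

/**
 * Return a copy of $server with HTTPS, SERVER_PORT and HTTP_HOST rewritten
 * from X-Forwarded-* headers, but only for requests sent by the proxy.
 */
function apply_forwarded_headers(array $server): array
{
    if (!in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        return $server; // direct or unknown peer: ignore forwarded headers
    }
    if (($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $server['HTTPS']       = 'on';
        $server['SERVER_PORT'] = '443';
    }
    // Hostnames are case-insensitive; drop an optional :port before comparing.
    $host = strtolower($server['HTTP_X_FORWARDED_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    if (in_array($host, ALLOWED_HOSTS, true)) {
        $server['HTTP_HOST'] = $host; // only an allowlisted name is accepted
    }
    return $server;
}

// Constructed sample requests (not captured traffic).
$base    = ['SERVER_PORT' => '8080', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$samples = [
    'via proxy'        => $base + ['REMOTE_ADDR' => '10.0.0.51',
                                   'HTTP_HOST'   => 'www.example.org'],
    'proxy, odd host'  => $base + ['REMOTE_ADDR' => '10.0.0.51',
                                   'HTTP_HOST'   => 'www.example.org',
                                   'HTTP_X_FORWARDED_HOST' => 'other.example'],
    'direct to Apache' => $base + ['REMOTE_ADDR' => '10.0.0.99',
                                   'HTTP_HOST'   => '10.0.0.164:8080',
                                   'HTTP_X_FORWARDED_HOST' => 'other.example'],
];
foreach ($samples as $label => $request) {
    $out = apply_forwarded_headers($request);
    printf("%-17s host=%s port=%s https=%s\n", $label,
           $out['HTTP_HOST'], $out['SERVER_PORT'], $out['HTTPS'] ?? 'off');
}
```

In wp-config.php, drop the sample loop and run `$_SERVER = apply_forwarded_headers($_SERVER);` immediately after the opening `<?php`, where the answer places its snippet, then define FORCE_SSL_ADMIN as the answer does.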

3 Comments

All of my nginx conf were correct, but I didn't set the WP-Admin site URL. Thanks.
Is it possible to have this great answer with a subpath? My web server is nginx and I want to proxypass it on the /blog subdirectory.
I ultimately abandoned using a reverse proxy as my ISP provides me with two IPs. My wordpress now has its own frontend IP on my router.
