
December 7, 2015

WordPress Cloudflare Flexible SSL

Every firewall service company is now touting the ability to have HTTP2 enabled on their site. The problem is that to gain any benefit from HTTP2, you must have SSL fully enabled on your site. If you have any complicated caching turned on that does not work with SSL directly, this can be a problem.

Enter Cloudflare’s Flexible SSL. It allows you to present your site as secure to the end user (and SEO), while allowing the benefits of HTTP2 to be enabled instantly. Some argue that it skirts the point of having a true end-to-end encryption tunnel for the end user, since the connection between Cloudflare and your server is still insecure, but for a blog site full SSL is a bit overkill.

Setting up WordPress for full SSL is fairly straightforward. You simply change the WordPress general settings to use the new SSL-based domain.

Since Cloudflare is technically contacting your website (behind the scenes) insecurely, WordPress actually thinks that it's using a non-secure connection and tries to serve up the pages as HTTP (even though you set them up in the WordPress Settings; this is really silly). To fix this and force WordPress to always use SSL, add the following at the top of your wp-config.php file.

define('WP_SITEURL', 'https://www.domain.com');
define('WP_HOME', 'https://www.domain.com');
$_SERVER['HTTPS']='on'; // Uber important. This is what WordPress keys off of to see if the page is insecure or not

Once you have that set up, your WordPress site should start being served via SSL and automatically use Cloudflare’s HTTP2 implementation.

Update 2/2/2016
While building this out for a blogging customer, we noticed that even though everything is set up to use HTTPS, WordPress doesn’t forcibly redirect you to the secure version on direct access to an article. Basic .htaccess HTTPS redirects would not work, since the HTTPS is somewhat spoofed via Cloudflare. We did find a proxy-aware .htaccess solution that works perfectly. It inspects both the HTTPS variable AND the proxy's forwarded-protocol header (X-Forwarded-Proto, set by Cloudflare) to determine if the redirect to HTTPS should be done.

With the rules below in .htaccess, the site will redirect immediately to HTTPS if you try to access the plain HTTP version.

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
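A stricter variant of the wp-config.php line above, as an added example that is not from the original post: it sets $_SERVER['HTTPS'] only when the connecting peer is a trusted proxy and X-Forwarded-Proto says https, because any client that reaches the origin server directly can send that header itself. The function names and the TRUSTED_PROXIES ranges (documentation placeholders) are assumptions; substitute the ranges your proxy publishes.

```php
<?php
// Added example, not from the original post. Placeholder documentation
// ranges (assumption): replace with the ranges your proxy publishes.
const TRUSTED_PROXIES = ['203.0.113.0/24', '198.51.100.0/24'];

// True when IPv4 address $ip falls inside CIDR block $cidr.
// Assumes 64-bit PHP; IPv6 peers are treated as untrusted here.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// Decide whether the visitor-facing leg of this request was HTTPS.
function request_is_https(array $server, array $trusted): bool
{
    // Direct TLS connection to this server: nothing to infer.
    if (strtolower($server['HTTPS'] ?? '') === 'on') {
        return true;
    }
    // Only believe the forwarded header when the TCP peer is a known proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $fromProxy && $proto === 'https';
}

// Replaces the unconditional $_SERVER['HTTPS']='on'; assignment.
if (request_is_https($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';
}
```

A request that arrives over plain HTTP from an untrusted address is left marked insecure, so WordPress and the redirect rule treat it as HTTP.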