+32 472 40 86 79
thijs@feryn.eu
Thijs Feryn
  • Home
  • About me
  • Speaking
  • Books
  • Blog
  • Vlog
  • Home
  • About me
  • Speaking
  • Books
  • Blog
  • Vlog
  • Home
  • Tech
  • Mixed content and ERR_TOO_MANY_REDIRECTS in WordPress

Tech

19 Sep

Mixed content and ERR_TOO_MANY_REDIRECTS in WordPress

Mixed content and ERR_TOO_MANY_REDIRECTS in Wordpress

When your run your WordPress site behind a Varnish cache and terminate the SSL connection, you might end up with mixed content, or an ERR_TOO_MANY_REDIRECTS error in your browser.

Varnish and SSL

In a lot of cases these problems occur when you terminate your SSL connection on another machine. The main reason why you would do that, is because of Varnish.

Varnish is a reverse caching proxy server that speeds up the performance of your website. It is commonly used in conjunction with WordPress.

Unfortunately, Varnish does not support SSL. So we need to terminate the SSL connection elsewhere and speak plain HTTP with Varnish and your WordPress site.

Not only does Varnish not support SSL, it is also unaware of the SSL termination and just uses the hostname and the URL of the request as an identifier.

Mixed content

Mixed contentBecause of the lack of protocol identification in a cached object, there is a high risk of “mixed content”.

Mixed content means that your browser does not load resources (Javascript, CSS, images, web fonts, …) because the request protocol does not match the one that was used to load the page itself.

If you request a page over HTTPS, but some of the resources are loaded over HTTP, your browser will complain.

 

Mixed Content: The page at ‘https://wp.feryn.eu/’ was loaded over HTTPS, but requested an insecure script ‘http://wp.feryn.eu/wp-includes/js/jquery/jquery.js?ver=1.12.4’. This request has been blocked; the content must be served over HTTPS.

Mixed content occurs when the WordPress site URL was set to an HTTP-based URL, or when a page was saved in the Varnish cache in plain HTTP format.

Force HTTPS redirection

To avoid mixed content, you could force HTTPS by redirecting non-HTTP pages to their HTTPS equivalent.

The following rewrite rule does this:

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

ERR_TOO_MANY_REDIRECTS

But by solving the mixed content issue, we trigger another problem: forcing HTTPS redirects on an application that is not aware what the initial request protocol, can cause ERR_TOO_MANY_REDIRECTS errors in your browser.

This happens when the HTTP version of a page is stored in cache. The output is nothing more than a 301 redirect to the HTTPS version. But because Varnish and WordPress are unaware of SSL termination, you’ll end up in a redirection loop until the browser throws this error.

X-Forwarded-Proto

Luckily there’s a way to identify the request protocol that was used on the entry node. The X-Forwarded-Proto request header either contains https or http based on the request protocol that was used before the connection was terminated.

The trick is to make WordPress aware of this, by checking the value of the X-Forwarded-Proto header. There are plugins for that, you could also add a check in your wp-config.php file.

The solution I’ll propose is a bit different.

The solution

The solution to mixed content, and the ERR_TOO_MANY_REDIRECTS error I’m proposing assumes that you use an Apache webserver.

The snippet below can be added to your .htaccess file, and contains all the logic to perform the HTTPS redirect conditionally, and make both Varnish and WordPress aware of SSL:

The first line sets the HTTPS environment variable to “on” when the X-Forwarded-Protorequest header is set to “https”. WordPress uses the value of the HTTPS environment variable to build its URLs either with HTTPS or HTTP.

The second line adds a Vary response header that performs a “cache variation” on the value of the X-Forwarded-Proto header. This is something that Varnish uses to create cache variations of a page. This means that there is an HTTP and an HTTP version in the Varnish cache for every URL.

The rest of the code will force a “301 redirect” when the HTTPS is not set to “on”, and when X-Forwarded-Proto is not set to “HTTPS”.

Read my book

Getting Started with Varnish CacheIf you want to learn more about Varnish, I suggest you read my book. It’s published by O’Reilly.

Order my Varnish book now

In this book I explain:

  • How Varnish works,
  • How you can configure the server
  • How Varnish respects HTTP best practices
  • What VCL is and how you can write your own VCL file
  • How to increase your hit rate
  • How to invalidate your cache
  • What Varnish can mean for your business
Tags:sslvarnishWordPress
  • Share:

Book me for your next event

Get in touch

Follow me on social media

Buy my book

Getting Started with Varnish Cache
More presentations

Categories

  • Combell
  • Football
  • Interviews
  • Review
  • Speaking
  • Tech
  • Travel
  • Trip report
  • Uncategorized
  • Video
  • Vlog

Recent Posts

Logitech MX Vertical mouse
Logitech MX Vertical mouse product review
14Jan,2019
Airtame product review - VLOG 21
Airtame product review
09Oct,2018
PHPBenelux Conference 2018 behind the scenes - VLOG 10
PHPBenelux Conference 2018 behind the scenes – VLOG 10
31Jan,2018

Get in touch

+32 472408679

thijs@feryn.eu

Follow me on social media

  • Twitter
  • Linkedin
  • Instagram
  • Youtube

Navigation

  • Home
  • About me
  • Speaking
  • Speaker bio
  • Books
  • Blog
  • Video
  • Vlog