Fixing ‘This page includes script from unauthenticated sources’ problem with ssl wordpress install on apache+nginx server

Apr 10th, 2013 | By | Category: Random Musings

This was a headache and a half that ate up 4 hours of my life.  So here’s the deal, I have a wordpress install that NEEDS to run completely on ssl(https) and everything was running tickity boo until we did a wordpress update last week.  All of a sudden all of the css and js files are being blocked by chrome and we can’t get into the admin area.  In the url bar is a little grey shield telling us that ‘This page includes script from unauthenticated sources’ (great grammer google) and what was happening was that because the domain was on https:// and there was a cert for the domain, chrome was blocking all of the scripts and css files in the source code that were being called from http.  Like this:

<script type=’text/javascript’ src=’http://domain.com/wp-includes/js/jquery/jquery.js?ver=1.8.3‘></script>

By going into tools–>Javascript console I could see that ALL .js files were being called from http as well as all .css so chrome was just blocking the lot.  IE and Firefox were fine with this but chrome, not so much.. Which makes me question firefox’s security procedures because the way chrome was behaving is clearly the safest way to be.

 

Anyways, how the hell could I fix this?  I was doing an apache redirect in my vhost.conf file so the user couldn’t get to http:// if they wanted to.   Well it turns the solution was a bit of a two parter.

1.) First of all I needed a wordpress plugin that would go into my source and convert all those pesky http urls into https urls if the user was hitting the site via https:// (which they all would as they didn’t have a choice).  At first I tried wordpress-https which ended up being a giant flop.  As soon as I set it up and clicked save in it’s setting page it set a cookie that caused the site to hang for me indefinitely.  So I scrapped that piece of shit and went to a much simpler and better solution: http://wordpress.org/extend/plugins/ssl-insecure-content-fixer/ .  As you can tell by the name this plugin is designed to basically fix my exact problem, the gods were finally smiling upon me.   So I installed the plugin and then, as it always is with everything problem, nothing worked.  Same problem, urls were all still http:// which takes us to part 2

2.) The problem I later discovered was that the plugin, hell the apache server, had no clue that the user was seeing the site via https:// even though the url bar clearly said https:// .  This is because I am running my web traffic through nginx, so apache see’s everything as http and just passes it all off to nginx wherein nginx then see’s the incoming forward from apache on port 443 and serves up the content securely.  Apache is just the middleman and to apache it’s all the same shit.  The problem is that wordpress and this plugin are only talking to apache so they are never being told that the content is coming at them through ssl.  What I need to do here is to create a custom little script found here: https://gist.github.com/webaware/4688802 and stick that in my wp-content/plugins dir and then go into wp-admin and activate it

Once that was in there it all worked beautifully, which is still a shock after all my years of being a sysop.  Nothing is supposed to work before you exhaust 10 possible solutions.    So hopefully that helps you out.  Big huge, massive thanks to the creator of the plugin not only for the plugin but also for this blog post here:  http://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/

13 Comments to “Fixing ‘This page includes script from unauthenticated sources’ problem with ssl wordpress install on apache+nginx server”

  1. Aarrach says:

    Dude seriously thank you so mutch, saved my day bro 🙂

  2. Kay says:

    Hi,

    I did everything you talked about in your post, but our site is still having issues. Any other ideas?

  3. Awais says:

    Thanks. It really helps.

  4. Elaine says:

    Hi,

    I am facing exactly the same problem here.
    I tried to apply the fixes but I couldn’t even login to the admin site.

    How did you do that?

    Thanks,
    Elaine

  5. kashyap says:

    This works perfectly.
    I have changed all the http links to https and it removed the error.
    Thank You

  6. Mustafa says:

    This saved my time…………..thank’s for your contribution 🙂

  7. Dylan Barr says:

    Nice 😀 thanks this has saved a lot of my time 😀

  8. Mbabi says:

    Hi

    I am still experiencing the same problem even after using this rescue method.

    Option B please …

    Thanks

  9. Abe says:

    I had been struggling with this for hours!
    Thank you so much for this fix…

  10. Ian says:

    Nice one. Works perfectly. You are a star.

  11. nemo says:

    i cant find wp-content dir n wat to paste

  12. Robin Alfredsson says:

    THANK YOU!

  13. Jason Karmokar says:

    Thanks a lot.
    This saved my money and time.

Leave a Comment