Fixing ‘This page includes script from unauthenticated sources’ problem with ssl wordpress install on apache+nginx serverApr 10th, 2013 | By admin | Category: Random Musings
This was a headache and a half that ate up 4 hours of my life. So here’s the deal, I have a wordpress install that NEEDS to run completely on ssl(https) and everything was running tickity boo until we did a wordpress update last week. All of a sudden all of the css and js files are being blocked by chrome and we can’t get into the admin area. In the url bar is a little grey shield telling us that ‘This page includes script from unauthenticated sources’ (great grammer google) and what was happening was that because the domain was on https:// and there was a cert for the domain, chrome was blocking all of the scripts and css files in the source code that were being called from http. Like this:
Anyways, how the hell could I fix this? I was doing an apache redirect in my vhost.conf file so the user couldn’t get to http:// if they wanted to. Well it turns the solution was a bit of a two parter.
1.) First of all I needed a wordpress plugin that would go into my source and convert all those pesky http urls into https urls if the user was hitting the site via https:// (which they all would as they didn’t have a choice). At first I tried wordpress-https which ended up being a giant flop. As soon as I set it up and clicked save in it’s setting page it set a cookie that caused the site to hang for me indefinitely. So I scrapped that piece of shit and went to a much simpler and better solution: http://wordpress.org/extend/plugins/ssl-insecure-content-fixer/ . As you can tell by the name this plugin is designed to basically fix my exact problem, the gods were finally smiling upon me. So I installed the plugin and then, as it always is with everything problem, nothing worked. Same problem, urls were all still http:// which takes us to part 2
2.) The problem I later discovered was that the plugin, hell the apache server, had no clue that the user was seeing the site via https:// even though the url bar clearly said https:// . This is because I am running my web traffic through nginx, so apache see’s everything as http and just passes it all off to nginx wherein nginx then see’s the incoming forward from apache on port 443 and serves up the content securely. Apache is just the middleman and to apache it’s all the same shit. The problem is that wordpress and this plugin are only talking to apache so they are never being told that the content is coming at them through ssl. What I need to do here is to create a custom little script found here: https://gist.github.com/webaware/4688802 and stick that in my wp-content/plugins dir and then go into wp-admin and activate it
Once that was in there it all worked beautifully, which is still a shock after all my years of being a sysop. Nothing is supposed to work before you exhaust 10 possible solutions. So hopefully that helps you out. Big huge, massive thanks to the creator of the plugin not only for the plugin but also for this blog post here: http://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/