Hi,
Regarding NinjaFirewall, there isn’t any difference between HTTP and HTTPS because incoming traffic is decrypted by your HTTP server before being forwarded to PHP and NF.
You may have an issue/conflict somewhere.
You can export your configuration and send it to me at: contact-at-nintechnet-dot-com if you want.
Do not use the firewall built-in export function, but the following script instead because, unlike the export option, it will anonymize your data:
http://nintechnet.com/share/wp-export.txt
1. Rename this file to “wp-export.php”.
2. Upload it into your WordPress root folder.
3. Go to http://YOUR WEBSITE/wp-export.php
4. Delete it afterwards.
It would help to know your server settings too:
1. Your HTTP server + its version.
2. Your PHP SAPI (CGI, FPM etc) and its version.
Also, did you try to disable Cloudflare and to use only NinjaFirewall + HTTPS?
Thanks for the prompt response.
I have just emailed the wp-export file to you.
HTTP Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
PHP: 5.4.38
SERVER API: CGI/FastCGI
Re disabling Cloudflare – no, not yet. Did you mean “Pause it – will temporarily deactivate CloudFlare for your domain” or reset the DNS Records back to the original settings?
Kind regards
Ben
I received it, and will check it this weekend.
Regarding Cloudflare, I think the “Pause it” option is the right one.
You can also try to disable HTTPS filtering from “NinjaFirewall > Firewall Policies > Enable NinjaFirewall for” and select “HTTP traffic only”, just to see if that makes a difference or not.
Did you check in the firewall log if there was anything wrong (e.g., Pingdom or other bot could be blocked although it would be unusual)?
Setting the HTTPS filtering to off made no discernible difference at all.
Cloudflare – I paused it, but I am not sure how long it takes for the impact of that change to come into effect. In any event, that should make things slower, given that the caching and global content distribution is supposed to be the big benefit of Cloudflare….
Log files – nothing stands out there…
I tried NinjaFirewall using your configuration, but did not see any differences between HTTP and HTTPS with both Nginx and Apache.
As I mentioned in a previous message, the HTTPS en/decryption is handled by the HTTP server, hence it should not affect PHP or NinjaFirewall.
If there isn’t any problem with Cloudflare, you may try to temporarily disable each plugin one by one to see whether there is a conflict with them. Maybe it could come from a plugin dealing with caching, or any kind of website optimization?
I have W3 Total Cache running, and there is a setting as follows:
Cache SSL (https) requests: Cache SSL requests (uniquely) for improved performance
*DISABLING that actually improved performance by 2 seconds!!! 🙂
Unfortunately, that made no difference to the 3 second lag that Ninja WAF is adding since implementing HTTPS.
The http://www.theseoguy.co.nz site is in NZ, testing as follows:
Gtmetrix.com – Sydney – 5.4 seconds with WAF, 1.8 seconds if disabled
Pingdom.com – Melbourne – 3.4 seconds with WAF, 991ms if disabled
I’ve little previous experience of adding SSL on a WordPress site but the test at http://www.ssllabs.com/ssltest/ gives the site an “A” rating…
It is odd if that did not make any difference after disabling HTTPS traffic filtering. Is the connection to your server fully encrypted, i.e., from the user to your server, or partially only, i.e., encrypted from the user to Cloudflare and in clear text from Cloudflare to your server? You can see that if you connect to your site over HTTPS and then go to “NinjaFirewall > Firewall Policies > HTTP response headers” (it does not matter if NF is disabled or not): if the “Strict-Transport-Security (HSTS)” is disabled and shows a “HSTS headers can only be set when you are accessing your site over HTTPS” message, it is a partial HTTPS encryption only.
Could you try to disable the 3 “HTTP response headers” options that you enabled: X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Does it make a difference?
Three seconds is huge. Do you feel that difference when you connect to your site with the firewall on, or is it only reported by Pingdom/Gtmetrix? Did you try to benchmark it yourself using your browser (e.g., Chrome DevTools etc)?
When using Pingdom/Gtmetrix (with the last one you have to create a free account) please make sure to choose the closest server to you and then proceed with the test.
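
The full versus partial encryption distinction raised in the last reply can also be read from what the HTTP server hands to PHP. This is an added example, not part of the thread and not NinjaFirewall code; the helper name and the sample inputs are constructed, and it assumes Cloudflare's CF-Visitor header and the common X-Forwarded-Proto header.

```php
<?php
// Added diagnostic example; not NinjaFirewall code. Runs on PHP 5.4+.
// classify_transport() is a hypothetical helper name.
// CF-Visitor / X-Forwarded-Proto are request headers, so a client that can
// reach the server directly can forge them: use for diagnosis, not for trust.

function classify_transport(array $server)
{
    // TLS terminated by this HTTP server: Apache/Nginx pass HTTPS=on to PHP.
    $https = isset($server['HTTPS']) ? strtolower($server['HTTPS']) : '';
    $port  = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : 0;
    $originTls = ($https !== '' && $https !== 'off') || $port === 443;

    // Scheme the visitor used, as reported by the proxy in front of the site.
    $visitor = null;
    if (!empty($server['HTTP_CF_VISITOR'])) {
        $cf = json_decode($server['HTTP_CF_VISITOR'], true);
        if (is_array($cf) && isset($cf['scheme'])) {
            $visitor = strtolower($cf['scheme']);
        }
    }
    if ($visitor === null && !empty($server['HTTP_X_FORWARDED_PROTO'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_PROTO']);
        $visitor = strtolower(trim($parts[0]));
    }

    if ($originTls) {
        return 'full';      // encrypted all the way to this server
    }
    if ($visitor === 'https') {
        return 'partial';   // HTTPS to the proxy, clear text to this server
    }
    return 'none';          // plain HTTP end to end
}

// Constructed sample inputs (not taken from the thread).
$samples = array(
    'direct HTTPS'      => array('HTTPS' => 'on', 'SERVER_PORT' => '443'),
    'proxy, clear leg'  => array('SERVER_PORT' => '80',
                                 'HTTP_CF_VISITOR' => '{"scheme":"https"}'),
    'proxy, TLS leg'    => array('HTTPS' => 'on', 'SERVER_PORT' => '443',
                                 'HTTP_X_FORWARDED_PROTO' => 'https'),
    'plain HTTP'        => array('SERVER_PORT' => '80'),
);
foreach ($samples as $label => $server) {
    printf("%-18s %s\n", $label, classify_transport($server));
}
// On a live request, call classify_transport($_SERVER) instead.
```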