Multisite and Secure (SSL) Central logins

  • sjcundy

    (@sjcundy)


    15 years, 10 months ago

    We are rolling out WP3 with Multisite support in a few places. Our preference is to use sub-domains rather than path names. For authentication we are currently use wp-dirauth (sp?) to authenticate against an existing ldap tree. Our preference would be to have all sites run under SSL but since you can’t use serveralias or wildcards for apache ssl vhosts we have stuck with http. I have apache configured to accept all port 80 requests (serveralias *.blogs.me.com) but only accepting ssl (port 443) requests on “blogs.me.com”.

    What I need to know is

    1) How can we force secure SSL logins on all sites (sub-domains) without having to generate a new apache vhost file for every sub-domain that is created? Can we redirect all logins to the secure “main” login site rather than insecure subdomain.
    Mainsite: blogs.me.com (supports http and https)
    Subdomain: sports.blogs.me.com (only supports http)
    Login Page for sports actually brings up https://blogs.me.com/wp-login.php rather than http://sports.blogs.me.com/wp-login.php

    How are other people dealing with SSL and sub-domains in apache (cron jobs, plugins, ??)? If there is a way to generate the apache vhost file and reload apache every time a new site is created. Would love some practical advice.

Viewing 1 replies (of 1 total)
  • davidem

    (@davidem)

    15 years, 10 months ago

    Hi sjcundy,

    A simple “define(‘FORCE_SSL_ADMIN’, true);” in your wp-config.php could also do the trick, but in my case it caused certificate errors, so I use apache’s mod_rewrite to get it done. More info can be found here: Admin over SSL

    For multisite, you can use the %{SERVER_NAME} variable, so the subdomains in the url stay the same.

    Only prereq is that mod_rewrite is active in apache.
    Here’s my setup:

    # https://domain.com
<VirtualHost <IP-Address>:443>
        # I'll skip the standard stuff for SSL.
        <IfModule mod_rewrite.c>
                # If no https is needed, revert back to http.
                # I specifically added includes and content, because I ran into some issues with plugins.
                RewriteEngine On
                RewriteRule !^/wp-(admin|login|signup|includes|content)(.*) - [C]
                RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [QSA,L]
        </IfModule>
</VirtualHost>

# http://domain.com
<VirtualHost <IP-address>:80>
        # I'll skip the standard stuff again. Add the following rewrite lines to your Directory
        <Directory>
                <IfModule mod_rewrite.c>
                        RewriteEngine On
                        RewriteBase /
                        # If the url leads to wp-admin/login or signup, switch to https
                        RewriteCond %{REQUEST_FILENAME} -f [OR]
                        RewriteCond %{REQUEST_FILENAME} -d
                        RewriteRule ^wp-(admin|login|signup)(.*) https://%{SERVER_NAME}/wp-$1$2 [C]
                        RewriteRule ^.*$ - [S=40]
			# WP rules from .htaccess file, I like to keep them in one file.
			RewriteRule ^index\.php$ - [L]
			# uploaded files
			RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
			RewriteCond %{REQUEST_FILENAME} -f [OR]
			RewriteCond %{REQUEST_FILENAME} -d
			RewriteRule ^ - [L]
			RewriteRule . index.php [L]
                </IfModule>
        </Directory>
</VirtualHost>

    ps. I adjusted the above today for multisite, as I migrated myself only this week. Some brief tests showed that it works for all my subdomains. For example: I go to http://blog1.domain.com/wp-login, and it redirects me to https://blog1.domain.com/wp-login.

    Is this what you were looking for?

Viewing 1 replies (of 1 total)

The topic ‘Multisite and Secure (SSL) Central logins’ is closed to new replies.