WordPress, Apache, ELB, SSL

The magic steps to get a fully ELB-terminated SSL WordPress site on Apache

Posted by Tejus Parikh on August 21, 2015

One of my favorite features in ELB is using it to terminate SSL. It saves me from having to manage the certificates in Chef for multiple different webservers. Getting WordPress fully over to SSL with ELB termination turned out to be a little more complicated than I thought. These are the steps that I followed to get WideAngle.com served up over HTTPS.

For this guide, I'm assuming that you already have a basic WordPress setup via normal HTTP within the Apache webserver. If you're using a different server, most of the process stays the same but the Apache specific steps will not apply.

1. Get an SSL certificate

With the number of low cost providers of SSL certificates, getting a real cert is cost-effective. We purchased ours from Namecheap, where you can get a signed cert for less than $10.00/yr.

2. Create the ELB Listeners

You'll still need two listeners, one each for ports 80 and 443. When adding the listener for port 443, make sure you specify that the instance protocol is HTTP and not HTTPS. Otherwise, you'll also have to manage a certificate within Apache.

ELB's listener configuration

3. Upload the cert into AWS

I'm assuming that you're already hosted in Amazon. If not, this post is likely worthless to you.

ELB's add certificate screen

Exactly which values you need and where to find them will vary depending on the provider you used. Also worth noting: while the certificate chain may say optional, you will want it set if you don't want to run the risk of your visitors getting SSL errors.

4. Update Apache to Respond on 443

This is where it starts getting a little complicated. If you do not execute these steps in the correct order, you will end up with an unresponsive site due to an infinite number of redirects between HTTP and HTTPS. The next step is to add a virtual host on 443 and reload Apache. I've included a sample configuration, with the one critical line to make it all work.

<VirtualHost *:443>
  ServerName <YOUR SERVER NAME>
  ServerAlias <YOUR SERVER ALIAS>
  DocumentRoot /var/www/wordpress

  # This line is super important: it sets the HTTPS environment variable when the
  # ELB reports that the client connected over HTTPS, so WordPress renders https links
  SetEnvIfNoCase X-FORWARDED-PROTO "^https$" HTTPS

  <Directory /var/www/wordpress>
    Options FollowSymLinks
    AllowOverride FileInfo Options
    Require all granted
  </Directory>

  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>

  LogLevel info
  ErrorLog /var/log/apache2/wordpress-error.log
  CustomLog /var/log/apache2/wordpress-access.log combined

  RewriteEngine On
</VirtualHost>

The following line is super important:

SetEnvIfNoCase X-FORWARDED-PROTO "^https$" HTTPS

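The ELB is talking HTTP, not HTTPS, to Apache. If WordPress believes it is talking HTTP, it will generate HTTP links regardless of what the WordPress Address and Site Address URLs are. The header can be trusted only when requests reach Apache through the ELB, so the instances should not accept web traffic from anywhere else. Which brings us to...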

5. Update the WordPress Address and Site Address

At this stage, you need to go into WordPress and change the URLs to the HTTPS version.

Update the URLs within WordPress

6. Redirect HTTP to HTTPS

You now have a site that responds to both HTTP and HTTPS. Next, change the configuration for port 80 to redirect to HTTPS. Of course, you'll need to remember to reload your Apache config.

<VirtualHost *:80>
   ServerName <YOUR SERVER NAME>
   Redirect permanent / https://<YOUR SERVER NAME>/
</VirtualHost>

7. Test configuration

Finally, you want to make sure that the SSL setup is working. We used the SSL Analyzer from Comodo.
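A scripted check for the two failure modes described in steps 4 to 6, as an added example that is not part of the original post: it walks the redirect chain from `http://` and reports a redirect loop, a missing HTTP-to-HTTPS redirect, or same-host `http://` links in the final page (the symptom of a missing `SetEnvIfNoCase` line). The host `example.com`, the function names and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface each 3xx to the caller instead of following it

def http_fetch(url):
    """Fetch url once; return (status, Location header or None, body)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

def check_site(host, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain from http://host/ and audit the page it ends on."""
    url, seen, problems = f"http://{host}/", [], []
    # Same-host links rendered as http:// mean WordPress did not see HTTPS set.
    insecure = re.compile(r'(?:href|src)=["\'](http://' + re.escape(host) + r'(?=[/"\'])[^"\']*)')
    for _ in range(max_hops):
        if url in seen:
            problems.append(f"redirect loop at {url}")
            break
        seen.append(url)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{url} answered {status} instead of redirecting to HTTPS")
        problems += [f"insecure link {link}" for link in insecure.findall(body)]
        break
    else:
        problems.append(f"gave up after {max_hops} redirects")
    return seen, problems

if __name__ == "__main__":
    # Constructed responses: the port 80 redirect works, but the 443 vhost lacks
    # the SetEnvIfNoCase line, so WordPress still emits an http:// stylesheet URL.
    def sample_fetch(url):
        if url.startswith("http://"):
            return 301, "https://example.com/", ""
        return 200, None, '<link href="http://example.com/wp-content/style.css">'
    print(check_site("example.com", fetch=sample_fetch))
```

Calling `check_site("your.host")` with the default `http_fetch` runs the same audit against a live site; an empty problem list means the chain ended on HTTPS with no insecure same-host links.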

8. Update your webmaster tools, sitemaps, etc

Okay, really finally, make sure all the tools you are using for SEO know that your site is now SSL.
