WordPress with SSL Termination

by Dave Blakey on Tips and Tricks • September 27, 2018

Supporting SSL termination with WordPress can require some modifications. This guide will help you to quickly get set up, allowing you to have Snapt Aria offload your SSL requests, and use plain text to your webservers.

Background

Communication over HTTPS is the de facto means of accessing web services, as it provides a secure channel over which information, including sensitive and private data, can be shared between a client and server.

HTTP sends information in plaintext which makes it vulnerable to traffic interception and unauthorized discovery of private data. Think of logging into your webmail service or banking site and having that information retrievable by a third party who might be anywhere along the communication network between your computer and the server providing the web service. That could include your ISP, hopefully not, or other parties who might have compromised communication systems through which your internet traffic flows.

To keep communication secure, in an end-to-end manner, between the client and server, it is necessary to encrypt the information transferred so that it can be transmitted over public internet links while remaining private to the communicating parties. This is where the HTTPS protocol comes in.

The HTTPS protocol uses cryptography (mathematical proofs) to encrypt and decrypt data communicated between a client and a server. While the connection between the client and server is being initiated, typically called the handshake phase, the server shares some information including its public key, which the client verifies with a certificate authority. The client then creates a session key, which it encrypts with the previously obtained server public key and sends to the server. This means only the server with the associated private key can decrypt this session key, after which it confirms the establishment of a secure channel with the client. Actual user data communication is then encrypted and decrypted using this secret session key, which is private to the communicating parties. This is a basic explanation of the SSL communication process, which can include a lot more stages and operations depending on the SSL features enabled on both client and server. For instance, the communicating parties can rotate the session key in use.

The operations involved in SSL termination, especially the initial handshake process and when operating at scale, can be computationally expensive and thus reduce the number of clients your backend servers can serve simultaneously. Terminating and offloading SSL at the proxy instead can help free up resources on your backend server(s), which can instead be put towards actually providing your web services to end-users. More users can be served by your backend infrastructure without allocating more resources.

Communication between the proxy and backend servers can then be over HTTP if the proxy and servers reside within a local trusted network. It is also possible to have the proxy re-encrypt SSL traffic on the way to the backend server(s) in the case that SSL offloading is not desirable.


Using a load balancer to offload SSL

SSL termination is CPU-intensive work and strongly discouraged. Offloading the CPU load from your backend servers to your load balancer allows your backend servers to serve more connections. 

Some companies disable the SSL termination on their backend servers for the sole purpose of removing the CPU load to be able to serve more connections. This, in fact, poses a huge risk to the server. We recommend offloading the SSL termination to a load balancer or application delivery controller (ADC).

Most ADCs, such as Snapt Aria and Snapt Nova, have SSL offloading built-in. This allows you to securely terminate the SSL on the ADC, and have the ADC talk to your web servers over plain HTTP. Snapt’s ADCs are optimized for the highest possible performance on the given hardware they are installed on.

Why you need to modify WordPress when terminating SSL

Let's assume you terminate the SSL (https) connection at a load balancer or web proxy in front of your webservers. You then have clients connecting to your site on https://blog.snapt.net (for example), but the webserver sees http://blog.snapt.net.

You need to tell your webserver that this is actually a secure connection that you are terminating upstream. Otherwise, it might think the connection is not secure and redirect the user to https://blog.snapt.net, getting into a loop!


To tell webservers and websites about this, load balancers (including Aria) will use an X-Forwarded-Proto header.

You can tell WordPress to read this by editing your wp-config.php script, and adding the following code above the line that says "/* That's all, stop editing! Happy blogging. */".

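// Treat the request as HTTPS when the load balancer reports that the client connected over HTTPS.
// isset() avoids an "undefined index" notice when the header is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
   $_SERVER['HTTPS'] = 'on';
   $_SERVER['SERVER_PORT'] = 443;
}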

That will tell your WordPress site to assume it is an HTTPS connection if the X-Forwarded-Proto header is set to "https".

Snapt Aria users: ensure you are adding that header in the Balancer or Accelerator!
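
The wp-config.php snippet above accepts X-Forwarded-Proto from any sender, so it is only safe when every request reaches WordPress through the load balancer. As an added example (not Snapt's or WordPress's own code), this variant honours the header only when the request comes from the load balancer; the address 10.0.0.5, the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not Snapt's or WordPress's own code.
// Assumption: 10.0.0.5 is the load balancer's internal address (hypothetical).
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Return true only when the request arrived from a trusted proxy AND that
 * proxy reports that the client connection was HTTPS.
 */
function forwarded_as_https(array $server, array $trustedProxies): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false; // header was not set by our load balancer; ignore it
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

/** Apply the same overrides as the wp-config.php snippet, but only when trusted. */
function apply_ssl_offload(array $server, array $trustedProxies): array
{
    if (forwarded_as_https($server, $trustedProxies)) {
        $server['HTTPS'] = 'on';
        $server['SERVER_PORT'] = 443;
    }
    return $server;
}

// In wp-config.php the call would be:
//   $_SERVER = apply_ssl_offload($_SERVER, TRUSTED_PROXIES);

// Constructed sample requests so the file runs from the CLI (php example.php).
$samples = [
    'via load balancer, https' => ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https', 'SERVER_PORT' => 80],
    'via load balancer, http'  => ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'http',  'SERVER_PORT' => 80],
    'direct client, header set' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'SERVER_PORT' => 80],
    'header missing'           => ['REMOTE_ADDR' => '10.0.0.5',    'SERVER_PORT' => 80],
];
foreach ($samples as $label => $server) {
    $out = apply_ssl_offload($server, TRUSTED_PROXIES);
    printf("%-26s HTTPS=%s port=%d\n", $label, $out['HTTPS'] ?? 'off', $out['SERVER_PORT']);
}
```

Only the first sample is treated as HTTPS; the request that does not come from the load balancer keeps its original port and no HTTPS flag, whatever header it carries.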

Snapt Aria Software load balancer

In addition to offloading the SSL termination to the ADC, you can also preserve public IP addresses, as it is possible to use just one public IP for multiple websites and route traffic to the corresponding backend server if needed. The Snapt Aria ADC also includes a host of additional features such as Web Application Firewalling (WAF), PageSpeed optimization, and caching. These features allow you to serve even more users with the same server footprint.

Remember, Snapt Aria has Layer 7 software load balancing, web acceleration, WAF, and a global DNS load balancer. With blazing fast throughput and high SSL TPS, the Aria load balancer runs on any cloud, VM, or bare metal.

Both Snapt Aria and Snapt Nova software ADCs support SSL termination, and include integration with Let’s Encrypt for automatic generation and renewal of SSL certificates. Get up to 3X faster SSL performance and an A+ rating with Snapt’s SSL offloading.
