#StackBounty: #apache-2.2 #amazon-web-services #amazon-elb Amazon Application ELB doesn't work only on one specific WordPress / Apa…

Bounty: 150

Preface:

I’m 99% confident this is an Apache/PHP configuration thats doing some sort of rewrite/forwarding causing my problem.

Please note these similar issues. I’ve tried the suggestions listed but still can’t get it to work:

https://snippets.webaware.com.au/snippets/wordpress-is_ssl-doesnt-work-behind-some-load-balancers/

https://stackoverflow.com/questions/30702490/how-to-fix-wordpress-https-issues-when-behind-an-amazon-load-balancer

https://stackoverflow.com/questions/45981358/wordpress-website-behind-aws-application-load-balancer

I’ve tried the .htaccess and wp-config.php updates mentioned in these posts and I still can’t get it to respond when trying to access through the load balancer.

Problem:

Our site has many different services behind Amazon’s ELB but for some reason this simple Apache site project has turned into a major headache since I can’t resolve this one site through ELB.

When browsing to the public domain name (that routes to ELB) over HTTPS the browser just times out! (Chrome throws a ERR_CONNECTION_TIMED_OUT). Browsing to local site (bypassing ELB) works fine.

Background:

  • ELB: Application load balancer. It listens on 443 and terminates TLS certificate. Working great for many hosts, just not this wordpress site.

  • WordPress Host: Apache container running wordpress (official Docker image wordpress:4.9.8-php7.1-apache). Listens on port 8008 HTTP only, no TLS configuration set on the container/Apache since the load balancer handles TLS.

  • DNS: Both public and private DNS servers are setup for CNAME records for the ELB endpoint.

I just created a brand new site (it’s a wordpress site) using the official WordPress docker image wordpress:4.9.8-php7.1-apache – Basically it’s just an apache server. I can load the site without issue using the IP/port of the host.

The site itself works fine! I can browse to it using clear HTTP using its internal IP and port.

So I then added it to my ELB setup just like all our other sites (I’ve done this a million times before).

Config/Steps Tried:

  • Cert is already installed for the ELB listener as this is just oen of many sites on this listener.
  • Security group for the host allows inbound for the appropriate listening port from my entire VPC.
  • Security group for the ELB listener is 0.0.0.0/0 for 443, and again works fine for the other sites.
  • Listener rule configured to filter by hostname and route to the appropriate target group. Screenshot below.
  • Target group shows the endpoint is “healthy”
  • When browsing to the internal IP/port the site loads fine.
  • I have many other services running on this host that are routed to it through the same ELB, so the subnet config is ok.
  • I checked the apache logs, and it doesn’t look like any packets are being sent to Apache (nothing shows in the logs) when attempting to connect via ELB.
  • DNS routes to the CNAME of the ELB. This works fine for all our other services.

Since I’m very comfortable with ELB and I am very confident my cert is installed ok and my listener host filtering/target group config is healthy and looking good, where else should I check? Is there any logging of ELB so I can trace what’s going on? Is there maybe something in Apache that I can check?

Here’s how the target looks in the ELB target groups. If I browse to this ip/port it works fine.:
Target

Standard host name filtering, nothing special:
Host name filtering

Here is what developer tools shows when attempting to browse the https page. Apache is forcing a 301 redirect.
enter image description here

Because Apache is forcing the 301, that makes me think it’s assuming the page is not https. I’ve already tried setting rules such as the following:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
$_SERVER['HTTPS']='on';

However, no success still. This appears to be the same behavior both if I have wordpress options siteurl set to the external https hostname or the internal ip:port over http.

Here is curl -I output. I’ve replaced my real host domain with example.com:*

C02SL234G8WN:Documents user$ curl -I marketing-wp.example.com 
HTTP/1.1 200 OK 
Date: Tue, 21 Aug 2018 20:59:16 GMT 
Content-Type: text/html; charset=UTF-8 
Connection: keep-alive 
Server: Apache/2.4.25 (Debian) 
X-Powered-By: PHP/7.1.20 
Link: <https://marketing-wp.example.com/wp-json/>; rel="https://api.w.org/" 

EDIT:

I managed to get this working by updating the is_ssl() function in wp-includes/load.php to force return true. The page now loads! However the wp-admin page isn’t working still. Still hacking away at it


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.