HTTP:X-Forwarded-Proto

As there are many types of hosting setups, all requiring different .htaccess redirects, the plugin tries to detect the redirect that is required for your setup by loading the following page:

https://yourdomain.com/wp-content/plugins/really-simple-ssl/ssl-test-page.php

If you load that page for your domain, you will probably see #LOADBALANCER

This means the $_SERVER[‘HTTP_X_FORWARDED_PROTO’] is set, and contains ‘https’. Based on the experience in the past 7 years, this normally means that the .htaccess redirect that goes with this server variable is

RewriteCond %{HTTP:X-Forwarded-Proto} !https

As also explained here https://really-simple-ssl.com/manually-insert-htaccess-redirect-http-to-https/

The redirect you are using is configured by Really Simple SSL if $_SERVER[‘HTTPS’] = ‘on’, and is actually the default in Really Simple SSL, as it is used by most hosters. Apparently this server variable is not available on your site, but the .htaccess does work with this redirect type. Which seems odd.

As your site has a non-standard configuration , you can simply set the redirect type to ‘php redirect’, and add your own .htaccess redirect.

If you can share your hosting environment, we can test with that specific environment, and see if we can detect this configuration out of the box.

If we know your hosting company we can contact them and check what they do that’s different from most other sites.

• This reply was modified 1 year, 10 months ago by Rogier Lankhorst.

@rogierlankhorst

I did the test you said and it returns this information:

#SSL TEST PAGE#

This page is used purely to test for SSL availability.#SERVER-HTTPS-ON# (on)
#SERVERPORT443#
#LOADBALANCER#

#SUCCESSFULLY DETECTED SSL#

AND

Based on this explanation:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

I need to use a load balancer to use this header (X-Forwarded-Proto)! But your plugin automatically uses this header without considering this issue and causes this problem.

• This reply was modified 1 year, 10 months ago by masouddarvishi1992.

@masouddarvishi1992 your input as a contributor of the free open source plugin is very much appreciated.

The reason the X-Forwarded proto takes precedence over the https=on variant is that on most systems where the x-forwarded-proto is used, the https=on isn’t there, and causes a failure when used. This priority structure has been in place for years, and has rarely caused issues among our 5.5 million websites.

There is a built in check which checks if the selected .htaccess rule works. The plugin does this by loading a test page with a redirect to https. The url of this page is (with http):
https://yourdomain.com/wp-content/plugins/really-simple-ssl/testssl/loadbalancer/ssl-test-page.html

If this page returns successfully, the plugin assumes the redirect works as expected.

I’m curious if this page loads successfully on your end. The fact that the plugin writes the rule suggests it can load this page without issues, and the redirect works at that point.

As the plugin is used by so many websites we can’t just make changes for one specific configuration, we have to make changes very carefully.

@rogierlankhorst I did your test and everything seems fine.

wp-content/plugins/really-simple-ssl/testssl/loadbalancer/ssl-test-page.html

Result:

This page is for testing SSL functionality. #SSL TEST PAGE#

Ok, so the htaccess redirect seems to work on that page, which explains why the redirect is added.

What is strange, is why it works here, but not on the front-end.

@rogierlankhorst

I disabled the plugin and re-enabled it. But this time, it didn’t add the X-Forwarded-Proto header!

Before this topic, your plugin did not add this header, but by activating the option to remove unused css of wp rocket plugin, this header was automatically added.

Of course, i not sure about this. But there may be an conflict.

• This reply was modified 1 year, 10 months ago by masouddarvishi1992.
• This reply was modified 1 year, 10 months ago by masouddarvishi1992.

Ok, thanks for your detailed report. We will test specifically with WP Rocket to see if we can reproduce this.

@masouddarvishi1992 at this point we can’t consistently reproduce an issue with WP Rocket. We know that there are several hosting configurations which can be different from hosting company to hosting company. It is difficult to make any changes in these rules, as it might affect millions of websites, and we cannot reliably test this: there can always be a hosting company that is configured different than the range of configurations that we test.

For now, I have implemented a more highlighted warning about the .htaccess setting. It is always advisable to have FTP access at hand in case the site reacts in an unexpected way.

If hosting companies are willing to cooperate, we an insert dedicated rules for recognised hosting environments. That would be the most foolproof method I think, but requires the cooperation of hosting companies.

As there is no immediate fix possible, I’ll close this thread for now.