Really-Simple-Plugins / really-simple-ssl

Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.
https://really-simple-ssl.com

[Bug] SSL Redirect Leading to "Too Many Redirects" Error #609

Open jonas-hoebenreich opened 3 months ago

jonas-hoebenreich commented 3 months ago

I encountered a "Too Many Redirects" error while adding a new domain to my WordPress multisite network. After extensive debugging, I identified that the wp_redirect_to_ssl() function in the Really Simple SSL plugin was causing the issue. It seems like the is_ssl() function was returning false although SSL was actually already set up.

Steps to Reproduce:

  1. Activate the Really Simple SSL plugin.
  2. Add a new domain to a WordPress multisite network.
  3. Attempt to access the new domain.

Expected Behavior:

The new domain should be accessible without redirect errors.

Actual Behavior:

The new domain results in a "Too Many Redirects" error.

Workaround:

  1. Deactivate the Really Simple SSL plugin.
  2. Access the page (which works fine without the plugin).
  3. Reactivate the Really Simple SSL plugin.
  4. The page then works without any issues.

Suggested Improvement:

To facilitate easier debugging for others who might encounter this issue, I suggest adding an $x_redirect_by header attribute to the wp_redirect_to_ssl() function. This addition would provide clearer insight into the source of the redirects.

rlankhorst commented 3 months ago

Hi @jonas-hoebenreich,

Thanks for reporting your issue. The fact that the is_ssl() function returns false means that the detection of this occurrence didn't result in the corresponding fix. Normally, when is_ssl() returns false, Really Simple SSL will detect this, and add the following line to your wp-config.php:

$_SERVER['HTTPS'] = 'on';

You will see that if you do this, is_ssl() will return true, and all redirect issues are fixed.

So the fix in this case should be to investigate why the plugin didn't add this in the first place. The first thing that comes to mind is maybe you had the wp-config.php set to not writable? The plugin should show a notice about it, but on multisite this might be less visible.

jonas-hoebenreich commented 3 months ago

Thanks for your reply. I just checked the permissions and wp-config.php is writable. Since the plugin is causing an infinite redirect loop there is obviously no way to see any notices. For me the main issue was that I did not know what was causing the issue - adding a simple redirect source would have saved quite some debugging time.

rlankhorst commented 3 months ago

Adding the source sounds like a good idea. The notice should appear before SSL is activated within the plugin, so should be visible. I'll run some tests with this: the purpose of the plugin is to make such debugging unnecessary!
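
The loop discussed in this thread, modelled as an added example (not part of any comment above and not the plugin's code). It assumes TLS ends at a proxy that forwards plain HTTP to PHP, which is one common way is_ssl() returns false on an HTTPS site; the host name and the X-Redirect-By value are constructed.

```python
# Added example: a model of the redirect loop, not WordPress or plugin code.

def is_ssl(server):
    """Same checks WordPress core's is_ssl() makes on $_SERVER."""
    if "HTTPS" in server:
        return str(server["HTTPS"]).lower() in ("on", "1")
    return str(server.get("SERVER_PORT", "")) == "443"

def backend(server, host, path, redirect_by="really-simple-ssl"):
    """Stand-in for an SSL redirect; redirect_by is a hypothetical header value."""
    if not is_ssl(server):
        return 301, {"Location": f"https://{host}{path}",
                     "X-Redirect-By": redirect_by}
    return 200, {}

def proxy(url, force_https_on):
    """Assumed setup: TLS ends at a proxy that talks plain HTTP to PHP."""
    _scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    server = {"SERVER_PORT": "80"}   # what PHP sees, whatever the client used
    if force_https_on:
        server["HTTPS"] = "on"       # effect of the wp-config.php line
    return backend(server, host, "/" + path)

def trace(url, force_https_on, max_hops=10):
    """Follow redirects like a browser and name the source of a loop."""
    seen, hops = {url}, []
    for _ in range(max_hops):
        status, headers = proxy(url, force_https_on)
        if status == 200:
            return {"ok": True, "hops": hops, "loop_source": None}
        target = headers["Location"]
        hops.append((url, target, headers.get("X-Redirect-By")))
        if target in seen:           # same URL again: the browser would give up
            return {"ok": False, "hops": hops,
                    "loop_source": headers.get("X-Redirect-By")}
        seen.add(target)
        url = target
    return {"ok": False, "hops": hops, "loop_source": None}

if __name__ == "__main__":
    site = "https://new.example.test/"   # constructed host name
    print("without fix:", trace(site, force_https_on=False))
    print("with fix:   ", trace(site, force_https_on=True))
```
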