Last active
December 19, 2016 14:52
These are instructions related to this article (How to Properly Set up an SSL Certificate for a News Site Based on WordPress) http://orbisius.com/wordpress/properly-set-ssl-certificate-news-site-based-wordpress/
How To Setup Let's Encrypt SSL certificate for a news Site and Fix Mixed Content Error | |
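///////////////////////////////////
// put this in wp-config.php
// orbisius.com
// GPL

// Buffer the whole response so the callback below can rewrite it before it is sent.
ob_start( 'orbisius_custom_link_corrector_global' );

/**
 * Output-buffer callback that corrects all links that are not ssl.
 *
 * Links to the known hosts are converted to https.
 * The unknown ones are sent through a redirect script (z-redir.php).
 * Nothing is changed unless WordPress reports the request as SSL via is_ssl().
 *
 * NOTE(security): the redirect rewrite touches every quoted http:// host in the
 * page, and the original URL is appended to "r=" without URL-encoding, so
 * whatever follows an "&" in it reaches the redirect script as a separate
 * parameter. The redirect script must therefore treat "r" as untrusted input.
 *
 * NOTE(review): the bare names in the known-host list (feedburner, facebook,
 * blogspot, ...) match anywhere in the host name, not only as the registered
 * domain. The only effect is an http -> https upgrade of that link.
 *
 * @param string $buff Buffered page output.
 * @return string The buffer, rewritten when the request is served over SSL.
 */
function orbisius_custom_link_corrector_global( $buff ) {
    // Skip modification if servicing binary files via php.
    // Most of the Word files do contain some compression just like the zip files.
    // The signatures are anchored at the first byte (zip, PDF, GIF, PNG, JPEG) so an
    // HTML page that merely mentions "png" or "gif" near its top is still rewritten.
    if ( preg_match( '#^(?:PK\x03\x04|%PDF-|GIF8[79]a|\x89PNG\r\n|\xFF\xD8\xFF)#s', $buff ) ) {
        return $buff;
    }

    if ( function_exists( 'is_ssl' ) && is_ssl() ) {
        $buff = trim( $buff );

        // There's a broken image on blogspot
        // I tried to fix it but this breaks the top slider
        // blogspot.com/-tSf506il_hI/WCC-OrSOMNI/AAA...
        // $buff = preg_replace(
        //     '#<img.*?-tSf506il_hI/WCC-OrSOMNI/[\w/\s\.]*\s*</div>\s*</div>\s*</div>#si',
        //     '<img border="0" height="320" src="https://4.bp.blogspot.com/-tSf506il_hI/WCC-OrSOMNI/AAAAAAAAark/ZtCogy6lYJIhODIa-naBZgPzwW7Ubng2wCLcB/s1600/stern-report.jpg" /></div></li>',
        //     $buff
        // );
        // ="https://3.bp.blogspot.com/-S-7BTob6PWA/WBXjwF58zHI/AAAAA
        // $buff = preg_replace(
        //     '#<img.*?-S-7BTob6PWA/WBXjwF58zHI/AAAAA[\w/\s\.]*\s*</div>\s*</div>\s*</div>#si',
        //     '<img border="0" height="320" src="https://3.bp.blogspot.com/-S-7BTob6PWA/WBXjwF58zHI/AAAAAAAARQs/kUAbKdLaLVselpWKpveJtoUm7uy0mjfNgCLcB/s1600/5021131286_f35c898b78_b.jpg" /></div></li>',
        //     $buff
        // );

        // Correct http links to ssl ones.
        // The dots are escaped so "google.com" cannot match e.g. "googlexcom".
        $corrected = preg_replace(
            '#http://([\w\-\.]*)(icopyright\.net|feedburner|blogscanada|facebook|desmogblog|google\.com|feedblitz\.com|blogspot|twitter\.com|stumble\-?upon\.com|digg\.com)#si',
            'https://${1}${2}',
            $buff
        );

        // preg_replace() returns null on a PCRE error (e.g. backtrack limit on a
        // large page); keep the previous buffer instead of sending an empty page.
        if ( is_string( $corrected ) ) {
            $buff = $corrected;
        }

        // Convert all links that are non-ssl to a redirect link so browsers do not
        // complain about mixed secure and non-secure content.
        $corrected = preg_replace(
            '#([\'\"])(http://[a-z\d\-\.\:]+)#si',
            '${1}https://example.com/z-redir.php?r=${2}',
            $buff
        );

        if ( is_string( $corrected ) ) {
            $buff = $corrected;
        }

        //$buff .= '<!-- orbisius_custom_link_corrector_global -->';
    }

    return $buff;
}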
/////////////////////////////////// | |
# Plain-HTTP virtual host: its only job is to send every request to HTTPS.
server {
    server_name awesome-client.com www.awesome-client.com;
    listen 80;

    location / {
        # Permanent redirect that keeps the requested host and URI.
        return 301 https://$host$request_uri;
    }
}
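# HTTPS virtual host for the site.
server {
    # The ssl parameter here already enables TLS for this server, so no separate
    # "ssl on;" directive is used (it is deprecated in newer nginx releases).
    listen 443 ssl http2;
    server_name awesome-client.com www.awesome-client.com;

    root /var/www/vhosts/clients/awesome-client.com/htdocs;
    index index.php index.html index.htm;
    error_log /var/www/vhosts/clients/awesome-client.com/log/error.log;

    # Keep /.well-known reachable: Let's Encrypt places its challenge files there.
    location ^~ /.well-known {
        allow all;
    }

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and newer are offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_certificate /etc/letsencrypt/live/awesome-client.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awesome-client.com/privkey.pem;

    # ....
}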
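# /usr/local/bin/le_renew_ssl.sh
# Append both stdout and stderr of the renewal run to the log file
# ("2>&1" must come after the stdout redirection).
letsencrypt renew --verbose >> /var/log/renew_ssl.log 2>&1
# Make nginx pick up the renewed certificate files.
nginx -s reload

# Make the script executable, then register it in cron.
chmod 0755 /usr/local/bin/le_renew_ssl.sh
crontab -e
# Will run at 12:30am on the first day of the month.
# Fields: minute hour day-of-month month day-of-week
30 0 1 * * /usr/local/bin/le_renew_ssl.sh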
<?php | |
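// This is used to rewrite the non-ssl links
// name: z-redir.php
// so the mixed content error is avoided.
// Remote images are copied into a local cache and served from this site;
// every other link is answered with a plain 302 to the original URL.
// (c) http://orbisius.com
//
// Example
// http://localhost/projects/redirect/?r=http://shamelessmag.com/images/made/images/blog/_resized/WeeklyRoundUp_Main_820_446_90.jpg
// @see http://david.elbe.me/code/php/2014/09/17/cache-images-with-php.html
//
// NOTE(security): "r" comes straight from the request, so this script redirects to
// any http(s) URL it is given (an open redirect) and fetches remote hosts on demand.
// The checks below only narrow that down. Closing it needs a change where the links
// are generated as well, e.g. signing "r" or limiting it to a list of known hosts.

// The site's own host name (placeholder value). URLs on it are never cached.
$own_host = 'example.com';

// Upper bound for a fetched image, so one request cannot fill memory or the disk.
$max_bytes = 10 * 1024 * 1024;

// Cached copies older than this are fetched again.
$max_age = 30 * 24 * 3600;

// A non-string value (e.g. r[]=...) is treated like a missing parameter.
$r = ( isset( $_REQUEST['r'] ) && is_string( $_REQUEST['r'] ) ) ? trim( strip_tags( $_REQUEST['r'] ) ) : '';

// Only absolute http(s) URLs with a host are accepted. The scheme is taken from the
// parsed URL rather than searched for anywhere in the string, so other stream
// wrappers and local paths never reach file_get_contents() or the Location header.
$parts  = ( $r === '' ) ? false : parse_url( $r );
$scheme = ( is_array( $parts ) && isset( $parts['scheme'] ) ) ? strtolower( $parts['scheme'] ) : '';
$domain = ( is_array( $parts ) && isset( $parts['host'] ) ) ? strtolower( $parts['host'] ) : '';

if ( ! in_array( $scheme, array( 'http', 'https' ), true ) || $domain === '' ) {
    $r = '';
}

// Compare host names instead of searching the whole URL for the site name.
$own_suffix  = '.' . $own_host;
$is_own_host = ( $domain === $own_host ) || ( substr( $domain, -strlen( $own_suffix ) ) === $own_suffix );

// It seems the browser uses the current connection to load external images.
// So from SSL -> proxy images -> produces mixed content error
if ( $r !== '' && ! $is_own_host && preg_match( '#\.(jpe?g|png|gif)#si', $r, $matches ) ) {
    // The extension can only be one of the alternatives of the pattern above. Nothing
    // else from the remote URL goes into the file name, so a cached file can never
    // end up with an extension the web server would execute.
    $cache_ext = strtolower( $matches[1] );

    // The cache key covers host, path and query; the schema can change.
    $cache_str  = ( isset( $parts['path'] ) ? $parts['path'] : '' )
        . ( isset( $parts['query'] ) ? '?' . $parts['query'] : '' );
    $cache_suff = sha1( $domain . $cache_str );

    // Let's make the dir deep
    $cache_rel_path = '/wp-content/zzz_remote_assets_cache/'
        . substr( $cache_suff, 0, 1 ) . '/'
        . substr( $cache_suff, 1, 1 ) . '/'
        . substr( $cache_suff, 2, 1 ) . '/'
        . $cache_suff . '.' . $cache_ext;

    $local_cached_image_file = __DIR__ . $cache_rel_path;

    // Web path of the cached file. SCRIPT_NAME is used because PHP_SELF can carry
    // request-supplied path info. The result always starts with exactly one "/":
    // a leading "//" would be read by browsers as another host.
    $base_dir = rtrim( str_replace( '\\', '/', dirname( $_SERVER['SCRIPT_NAME'] ) ), '/' );

    if ( $base_dir === '.' ) {
        $base_dir = '';
    }

    $web_path_local_cache = '/' . ltrim( $base_dir . $cache_rel_path, '/' );

    $is_fresh = is_file( $local_cached_image_file )
        && ( time() - filemtime( $local_cached_image_file ) <= $max_age );

    if ( $is_fresh ) {
        // Redirect by path only, so the request's Host header is not trusted.
        $r = $web_path_local_cache;
    } else { // file doesn't exist or is older than 30 days
        // Fetch only from hosts that resolve to public addresses, so the script
        // cannot be pointed at loopback or internal services.
        // NOTE(security): redirects followed during the fetch and a DNS answer that
        // changes between this check and the fetch are not covered.
        $ips = filter_var( $domain, FILTER_VALIDATE_IP ) ? array( $domain ) : gethostbynamel( $domain );
        $is_public = ! empty( $ips );

        if ( $is_public ) {
            foreach ( $ips as $ip ) {
                if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
                    $is_public = false;
                    break;
                }
            }
        }

        $data = false;

        if ( $is_public ) {
            // Certificate verification is left at PHP's defaults (enabled): the
            // fetched bytes are later served from this site, so they must not be
            // replaceable on the way here.
            $ctx = stream_context_create( array(
                'http' => array(
                    'timeout'       => 10,
                    'max_redirects' => 3,
                ),
            ) );

            $use_include_path = false;

            // One byte more than the limit is requested so oversized files can be told apart.
            $data = file_get_contents( $r, $use_include_path, $ctx, 0, $max_bytes + 1 );

            if ( $data === false || strlen( $data ) < 512 || preg_match( '#\berror\b#si', $data ) ) {
                usleep( 500000 ); // 0.5 sec // 2000000 is 2 sec
                $data = file_get_contents( $r, $use_include_path, $ctx, 0, $max_bytes + 1 );
            }
        }

        // Store the response only when it really parses as a GIF, JPEG or PNG image.
        $info = ( is_string( $data ) && $data !== '' && strlen( $data ) <= $max_bytes )
            ? getimagesizefromstring( $data )
            : false;

        if ( is_array( $info ) && in_array( $info[2], array( IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG ), true ) ) {
            $cache_dir = dirname( $local_cached_image_file );

            // The mode has to be octal (0755); the second is_dir() covers a parallel
            // request that created the directory first.
            if ( is_dir( $cache_dir ) || mkdir( $cache_dir, 0755, true ) || is_dir( $cache_dir ) ) {
                $st = file_put_contents( $local_cached_image_file, $data, LOCK_EX );

                if ( $st !== false ) {
                    $r = $web_path_local_cache;
                }
            }
        }
        // Otherwise $r still holds the original URL and the browser is sent there.
    }
}

if ( $r !== '' ) {
    header( 'HTTP/1.1 302 Found' );
    header( 'Location: ' . $r );
} else {
    header( 'HTTP/1.0 404 Not Found', true, 404 );
    echo "Can't redirect.";
}

exit;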