With CloudFront, wp-login.php gets redirected to wp-admin with reauth

mikeh 2019-12-01 06:48:25 UTC #1

Keywords: WordPress - AWS - Technical issue - Domain Name (DNS)
bnsupport ID: 0109749a-ef46-ae6f-f9e1-04cff46fd8b2
Description:
I launched the WordPress AMI by Bitnami via the AWS Marketplace. I got everything working correctly using the IP address as the 'A' record set in the Route 53 hosted zone.

I created a new CloudFront distribution with the EC2 Public DNS ( ‘ec2-35-162-xx-xxx.us-west-2.compute.amazonaws.com’) as the origin and entered my domain names ’mydomain.com’ and "www.mydomain.com" as Alternate Domain Names (CNAMEs).

In CloudFront behaviors:
Viewer Protocol Policy: Redirect HTTP to HTTPS
Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
Cache Based on Selected Request Headers: Whitelist
Whitelist Headers: Host
Forward Cookies: Whitelist
wordpress_logged_in_*
wordpress_test_cookie
wp-settings-*
Query String Forwarding and Caching: Forward all, cache based on all

I changed the Route 53 ‘A’ record set and and 'AAAA' record set to the CloudFront URL as the alias target (abcdefxxxxxx.cloudfront.net).

Everything seems to be working except when I try to log in, after I enter the user name and password and click "Log in" it redirects me to:
/wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2Fwp-admin%2F&reauth=1

with the password field empty.

If I fill in the password and click "Log in" again, it just redirects to the same URL again.

tried clearing browser cache/history etc.
tried removing session_token content from wp_usermeta using phpmyadmin
tried invalidating the CloudFront distribution

There seems to be nothing related to the problem in /opt/bitnami/apache2/logs/error_log

There is some info in the access log,

/opt/bitnami/apache2/logs/access_log:
70.132.31.147 - - [30/Nov/2019:23:47:29 +0000] "GET /wp-login.php HTTP/1.1" 200 2894
70.132.31.141 - - [30/Nov/2019:23:47:34 +0000] "POST /wp-login.php HTTP/1.1" 302 -
35.167.191.165 - - [30/Nov/2019:23:47:34 +0000] "GET /wp-admin/ HTTP/1.1" 302 -
35.162.63.255 - - [30/Nov/2019:23:47:34 +0000] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 2900

(Note that the final IP is not the IP of the Bitnami WordPress EC2 instance, although the first two numbers are the same.)

wp-config.php, with ## substituted for sensitive information:

<?php

/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'bitnami_wordpress' );

/** MySQL database username */
define( 'DB_USER', 'bn_wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', '##' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost:3306' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '##');
define('SECURE_AUTH_KEY', '##');
define('LOGGED_IN_KEY', '##');
define('NONCE_KEY', '##');
define('AUTH_SALT', '##');
define('SECURE_AUTH_SALT', '##');
define('LOGGED_IN_SALT', '##');
define('NONCE_SALT', '##');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

define('FS_METHOD', 'direct');

/**
* The WP_SITEURL and WP_HOME options are configured to access from any hostname or IP address.
* If you want to access only from an specific domain, you can modify them. For example:
* define('WP_HOME','http://example.com');
* define('WP_SITEURL','http://example.com');
*
*/

if ( defined( 'WP_CLI' ) ) {
$SERVER['HTTPHOST'] = 'localhost';
}

define('WP_SITEURL', 'https://www.mydomain.com');
define('WP_HOME', 'https://www.mydomain.com');

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( FILE ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );

define('WP_TEMP_DIR', '/opt/bitnami/apps/wordpress/tmp');

// Disable pingback.ping xmlrpc method to prevent Wordpress from participating in DDoS attacks
// More info at: https://docs.bitnami.com/general/apps/wordpress/troubleshooting/xmlrpc-and-pingback/

if ( !defined( 'WP_CLI' ) ) {
// remove x-pingback HTTP header
add_filter('wp_headers', function($headers) {
unset($headers['X-Pingback']);
return $headers;
});
// disable pingbacks
add_filter( 'xmlrpc_methods', function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
});
add_filter( 'auto_update_translation', '_returnfalse' );
}

miguelaeh 2019-12-02 11:19:37 UTC #2

Hi @mikeh,
We see that you already open an issue for the same purpose here https://community.bitnami.com/t/too-many-redirects-trying-to-set-up-aws-elb-with-bitnami-multisite/72016.

Can you confirm it is the same issue, so we can talk in only one thread?

mikeh 2019-12-02 21:48:12 UTC #3

@miguelaeh

different!
* EC2 instance (ID i-064a16881136cf0b7 instead of i-0202f23107a3fc51e),
* WordPress AMI (single instead of multisite),
* network architecture (on this one, the CloudFront origin is EC2, not ELB)
* problem. In https://community.bitnami.com/t/too-many-redirects-trying-to-set-up-aws-elb-with-bitnami-multisite/72016, I was getting a "too many redirects" error. Here, I am getting redirected to wp-admin, but not "too many redirects". On the other one, the site itself was unusable. Here, the site is working, but I'm unable to log in.

Thanks for your assistance!

miguelaeh 2019-12-03 09:37:54 UTC #4

Hi @mikeh,
Thanks for the clarification, can you please elaborate the following step?

I changed the Route 53 ‘A’ record set and and 'AAAA' record set to the CloudFront URL as the alias target (abcdefxxxxxx.cloudfront.net).

I don't understand why you did that, the AAAA registries are for IPv6 addresses, why do you need to change it?.

mikeh 2019-12-03 18:04:47 UTC #5

I changed it because I thought all traffic should go through CloudFront.

I just now tried eliminating the AAAA record completely and invalidating the distribution. The problem persists exactly as before. Did you have a theory why pointing the AAAA record to CloudFront would cause a problem?

mikeh 2019-12-04 04:34:51 UTC #6

I changed "Forward Cookies" to "All" in CloudFront, and the problem went away.

miguelaeh 2019-12-04 10:40:00 UTC #7

Hi @mikeh,
I am glad you solve it. Don't hesitate to ask again if you have any issue.

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!