WordPress vs Reverse Proxy

The new website runs WordPress on a LAMP VM on my DMZ network and is exposed using the reverse proxy functions in my Sophos UTM firewall. Being behind the proxy required some changes.

I added the following lines to my wp-config.php script. Seems pretty clear what they’re doing, right?

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { 
    $_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
define('WP_HOME', 'http://paul.dugas.cc');
define('WP_SITEURL', 'http://paul.dugas.cc');

Also had to tweak the Basic Protection firewall profile on the UTM to disable the a number of the threat filters including:

  • Generic attacks
  • SQL Injection attacks
  • XSS attacks
  • Outbound

Not sure why they’re getting in the way and I’m finding more as I work with the new site.