SSL support ?

Dec 14, 2011 at 9:33 AM

Hey Ben,

I was thinking of purchasing an SSL certificate and securing the login page of WordPress on Azure. Is there any guideline you would recommend to use during the scaffolding process, or is this feature unsupported?

Many Thanks,

Houman

Editor
Dec 14, 2011 at 5:41 PM

Houman,

SSL is certainly supported in Windows Azure. Start with this MSDN article on getting it set up:
http://msdn.microsoft.com/en-us/library/windowsazure/ff795779.aspx

Then on the WordPress side of things there are two simple wp-config values you can set:
http://codex.wordpress.org/Administration_Over_SSL

You may also be interested in the general WordPress security article
http://codex.wordpress.org/Hardening_WordPress

Hope that helps,
Ben

Dec 14, 2011 at 9:44 PM

Fantastic.

Thanks Ben, I will look into it.

Dec 21, 2011 at 7:27 AM

Ben,

I was looking into the SSL features. While it's straightforward to upload the SSL certificate and assign a binding to the SSL certificate and HTTPS port 443, if I was going to bind the entire endpoint of the site to SSL, then the entire WordPress site would be protected.

<Site name="WebRole" physicalDirectory="./WebRole">
  <Bindings>
    <Binding name="Endpoint1" endpointName="HttpsIn" />
  </Bindings>
</Site>
<Endpoints>
  <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MySSLCert" />
</Endpoints>

In WordPress you can usually say I want only the Admin and Login areas to be protected by SSL; the rest should be unprotected for performance reasons.

define('FORCE_SSL_ADMIN', true);

How can I achieve a similar thing?

Many Thanks,
Houman
Editor
Dec 21, 2011 at 5:37 PM

Houman,

If you add endpoints for https on 443 and http on 80, IIS will take care of encrypted vs unencrypted traffic. Add them both and you will be able to do things such as:

http://mywordpress.cloudapp.net/some-post

https://mywordpress.cloudapp.net/wp-admin

At that point the FORCE_SSL_ADMIN should work for you to provide SSL to the wp-admin area and the rest of the site can be explicitly set by the user.

Ben

Dec 21, 2011 at 7:18 PM
Edited Dec 21, 2011 at 7:18 PM

Thanks Ben,

So you are suggesting setting it up like this?

<Site name="WebRole" physicalDirectory="./WebRole">
  <Bindings>
    <Binding name="Endpoint1" endpointName="HttpsIn" />
    <Binding name="Endpoint2" endpointName="HttpEndpoint" />
  </Bindings>
</Site>

<Endpoints>
  <InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
  <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="mySSL" />
</Endpoints>

Cheers,

Houman

Editor
Dec 21, 2011 at 7:50 PM
Edited Dec 21, 2011 at 7:52 PM

Houman,

Yes, and do not forget to upload the certificate before deploying your package as well. You will also need new entries in your config files, similar to:

.csdef

<Certificates>
    <Certificate name="chasebot.com" storeLocation="LocalMachine" storeName="My" />
</Certificates>

.cscfg

<Certificates>
    <Certificate name="chasebot.com" thumbprint="[CERTIFICATE THUMBPRINT]" thumbprintAlgorithm="sha1"/>
</Certificates>

Staging and production share the certificate.

Cheers,

Ben

EDIT: You can find the thumbprint in the Portal after you upload the certificate
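The endpoint, binding and certificate entries in the two posts above have to agree with each other before the FORCE_SSL_ADMIN setup works: an https endpoint must name a certificate the role declares, that certificate needs a real thumbprint in the .cscfg, and the site must actually have an https binding for the wp-admin redirect to land on. As an added example (not code from this thread, from Microsoft or from WordPress), here is a small Python checker that parses .csdef and .cscfg fragments of that shape and reports those mismatches. The element and attribute names are the real csdef/cscfg ones; the sample documents are constructed, and the role name, certificate name and thumbprint placeholder are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (placeholders, not a real deployment).
SAMPLE_CSDEF = """
<ServiceDefinition name="WordPressRole"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole">
    <Sites>
      <Site name="WebRole" physicalDirectory="./WebRole">
        <Bindings>
          <Binding name="Endpoint1" endpointName="HttpsIn" />
          <Binding name="Endpoint2" endpointName="HttpEndpoint" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MySSLCert" />
    </Endpoints>
    <Certificates>
      <Certificate name="MySSLCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
"""

SAMPLE_CSCFG = """
<ServiceConfiguration serviceName="WordPressRole"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole">
    <Instances count="1" />
    <Certificates>
      <Certificate name="MySSLCert" thumbprint="[CERTIFICATE THUMBPRINT]"
                   thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
"""

# A SHA-1 thumbprint as shown in the portal is 40 hex digits.
SHA1_THUMBPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")


def _local(tag):
    """Strip the XML namespace so the checks do not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    """All descendants of `root` whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def check_ssl_config(csdef_xml, cscfg_xml):
    """Return a list of problems; an empty list means the SSL wiring is consistent."""
    problems = []
    csdef = ET.fromstring(csdef_xml)
    cscfg = ET.fromstring(cscfg_xml)

    endpoints = {e.get("name"): e for e in _elements(csdef, "InputEndpoint")}
    defined_certs = {c.get("name") for c in _elements(csdef, "Certificate")}
    configured_certs = {c.get("name"): c for c in _elements(cscfg, "Certificate")}

    # 1. Every https endpoint must name a certificate that the role declares.
    for name, ep in endpoints.items():
        if ep.get("protocol", "").lower() != "https":
            continue
        cert = ep.get("certificate")
        if not cert:
            problems.append(f"endpoint {name}: https endpoint has no certificate attribute")
        elif cert not in defined_certs:
            problems.append(f"endpoint {name}: certificate {cert!r} is not declared in csdef <Certificates>")

    # 2. Every declared certificate needs a cscfg entry whose thumbprint is a real
    #    SHA-1 value (copied from the portal after upload), not a placeholder.
    for cert in sorted(defined_certs):
        entry = configured_certs.get(cert)
        if entry is None:
            problems.append(f"certificate {cert}: missing from cscfg <Certificates>")
            continue
        thumb = entry.get("thumbprint", "")
        if not SHA1_THUMBPRINT.match(thumb):
            problems.append(f"certificate {cert}: thumbprint {thumb!r} is not a 40-hex-digit SHA-1 value")

    # 3. Site bindings must reference endpoints that exist, and a site with no https
    #    binding cannot serve the redirect to https that FORCE_SSL_ADMIN issues.
    for site in _elements(csdef, "Site"):
        protocols = set()
        for b in _elements(site, "Binding"):
            ep = endpoints.get(b.get("endpointName"))
            if ep is None:
                problems.append(f"site {site.get('name')}: binding {b.get('name')} references unknown endpoint {b.get('endpointName')!r}")
            else:
                protocols.add(ep.get("protocol", "").lower())
        if "https" not in protocols:
            problems.append(f"site {site.get('name')}: no https binding, so FORCE_SSL_ADMIN would redirect to a closed port")

    return problems


if __name__ == "__main__":
    # With the placeholder thumbprint the only finding is the unfilled thumbprint.
    for p in check_ssl_config(SAMPLE_CSDEF, SAMPLE_CSCFG):
        print("PROBLEM:", p)
```

Running it against the samples reports only the placeholder thumbprint; dropping the https binding from the site, or the certificate attribute from the https endpoint, produces the corresponding finding. It is meant as a pre-deployment check, since a package with a mismatched certificate name or a missing https binding only fails once it is running.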

Dec 22, 2011 at 12:07 AM

Hi,

Ben, thanks a lot for the tips, it is working now. Yey. So if you go to http://www.chasebot.com/ it's HTTP, and when you then click on login, the login screen is in HTTPS. So far it's fantastic.

But now try http://chasebot.com/ and it fails. I think I know why.

In my domain DNS manager,

under CNAME --> www is forwarded correctly to chasebot.cloudapp.net  which works.

But under A (HOST) the @ -> points to the outdated IP.  

I could just fix this by entering the new IP from my production deployment on Azure and it would work. However if the VM crashes and is restarted, would it get new IPs assigned? Or does it only get new IP when deployment is created and not rebooted?

Cheers,

Houman

Dec 22, 2011 at 11:38 AM

Ben, great news.

I had a chat with MS Support and they gave me this link:

http://blog.smarx.com/posts/custom-domain-names-in-windows-azure

MS reserves the right to change the IP, even though 99% of the time the IP remains the same when it's in production. Therefore it's best not to use IP addresses.

The problem is that any subdomain like www can be pointed to the actual Azure site by using a CNAME. However, the root can't use a CNAME. You have to use an (A) HOST record, which only accepts an IP. The trick is ignoring that and simply forwarding the entire root domain to the www subdomain, which in turn will be using the specified CNAME.

Now everything seems to work. Wow, finally. It took me 2.5 months to get everything sorted as I wanted it. :) The plugins and theme are also showing up now right away. I will now set them up and redeploy the VM and see if the plugins are still set up correctly and have not lost their settings. :) The same goes for Windows Azure Storage for WordPress, as it needs to keep its settings once rebooted to make sure the media files can be accessed.

Cheers,

Houman



Editor
Dec 22, 2011 at 5:48 PM

Houman,

Congrats!

I think you will find all the settings are there. They are stored in the database, not the instance.

Ben

Dec 22, 2011 at 8:23 PM
Edited Dec 22, 2011 at 8:24 PM

Hey Ben.

Thanks mate. I have some shocking news though. I have set up Windows Azure Storage for WordPress as expected. When I try to upload an image, I get the error message

Error saving media attachment.

A Google search suggests that many people seem to have it and it might be because there is no write privilege. They say I should create the "upload" folder myself through FTP. But we don't have this kind of thing on Azure lol. My "wpsync" container on Blob has public access and the plugin should be set up correctly as you see in the screenshot below. What could be wrong?

Darn so close and still problems....

Dec 22, 2011 at 9:27 PM

Ben,

I have just deactivated the Storage Plugin and I still can't upload any images. It must be something else...

Darn...

Dec 23, 2011 at 11:03 AM

I have created a complete new package from scratch, dropped all tables in the database and this time I didn't enable the SSL for Admin. It's the same problem.

Trying to narrow down the problem. Some claim it's the access privilege on the folder. That's a pretty big blocker, still investigating...

Editor
Dec 23, 2011 at 4:49 PM

Houman,

It probably is file permissions. The quickest way to check is to simply RDP in and change the permissions.

You may need to put a line similar to the following in one of your startup scripts:

REM Grant the IIS worker identity full control (F) on wp-content, recursively (/T)
CALL icacls ..\wp-content /grant "NETWORK SERVICE":F /T

Cheers,
Ben

Dec 24, 2011 at 1:10 AM

Thanks Ben.

It works :)

I have changed "NETWORK SERVICE" to my custom AppPool, as in IIS 7.5 the permissions are AppPool-driven to keep it more secure. If the role is compromised, the attacker still can't access the entire network and sees only the files under the compromised AppPool's control.

Instead of Full control, W (write-only) works as well.

I am just a bit surprised why this folder needs privileges like this.

e.g. in Settings -> Media -> Store uploads in this folder: if I put any other folder than 'wp-content/uploads' without having given permission to 'wp-content/uploads' in the first place, it still would fail. Weird, weird. But it does the job :)

Hopefully that was the last blocker. :)

Merry Christmas my friend,

Houman