I had some fun getting all the above working, but got there in the end. You will need Apache with mod_ssl installed and working before you start. I am also not going to go into the requirements for Gallery2 – ImageMagick, etc – that’s not the purpose of this post.
Install WordPress, follow the installation instructions and script until you have an operational WordPress installation. Configure Permalinks in the settings of WordPress (I use /%year%%monthnum%%day%/%postname%). My WordPress is at blog.simonandkate.net (as you know as you are here), so this page will be at

NameVirtualHost 192.168.xxx.xxx:80
<VirtualHost 192.168.xxx.xxx:80>
    DocumentRoot /path/to/wordpress
    ServerName blog.simonandkate.net
    <Directory /path/to/wordpress>
        allow from all
        AllowOverride FileInfo Options
    </Directory>
</VirtualHost>
Once WordPress is up and running install one of the WordPress security plugins and follow its recommendations for locking down the files and directories. I also recommend that you follow basic sensible Apache security tightening such as tightening access to the / directory, etc. Google Apache security. This isn’t a bad starting place – http://www.petefreitag.com/item/505.cfm.
Note that you need the AllowOverride directive because WPG2 uses a .htaccess file to manage its redirects. Without the AllowOverride directive Apache will ignore any .htaccess file.
At this point you should have a fully functional WordPress installation. However, if you go to your admin page (…/wp-admin/) and log on, your credentials will be transmitted in clear text to the web server. Not ideal, but we’ll get to that later.
Set up a new VirtualHost in Apache for gallery2, something like this (again, extraneous and security lines removed):
<VirtualHost 192.168.xxx.xxx:80>
    DocumentRoot /path/to/g2
    ServerName gallery.simonandkate.net
    <Directory /path/to/g2>
        allow from all
        AllowOverride FileInfo Options
    </Directory>
</VirtualHost>
Install gallery2, again following the scripts and installation instructions, and get that working properly. Don’t configure URL Redirects, as WPG2 will break them anyway. My gallery is at gallery.simonandkate.net, so once you have finished your config.php in the gallery2 directory should have a line like this:
Confirm all is good in the gallery2 world, and that you can add photos, etc. Note again that logging in to Gallery is over http, so there is no encryption of credentials yet.
Lock down the gallery2 directories as you see fit with file access permissions – again there are plenty of google-able articles out there on this, and I’m not going to publish here what I have done to mine…
Install the WPG2 plugin for WordPress. This is pretty simple to install. You may need to create a …/wordpress/.htaccess file for it to write its redirects into. Again, get that working fully. Test that you can add pictures in a new post, and that the WPG2 page on your blog’s homepage links successfully to the gallery. You’ll notice it links via a http://blog… address rather than the native http://gallery… address. This is the way it’s supposed to work, and it also means that later on we can serve public photos over http through the blog URL rather than the enforced SSL we are going to apply to Gallery2. More on that soon…
So at this point, everything should be working – WordPress, Gallery, WPG2.
Now get yourself a wildcard certificate for your websites. I say wildcard, because this is the only way you will be able to host multiple SSL sites on the same IP address using VirtualHosts and host headers to differentiate. So, my certificate is for *.simonandkate.net, thus covering gallery.simonandkate.net and blog.simonandkate.net. How you do this is up to you. OpenSSL is a good starting place.
Set up two new VirtualHosts in Apache, under a new NameVirtualHost of 192.168.xxx.xxx:443 (again, various bits removed).

<VirtualHost 192.168.xxx.xxx:443>
    DocumentRoot /path/to/g2
    ServerName gallery.simonandkate.net
    <Directory /path/to/g2>
        allow from all
        AllowOverride FileInfo Options
    </Directory>
    SSLEngine on
    SSLCertificateFile /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem
</VirtualHost>

<VirtualHost 192.168.xxx.xxx:443>
    DocumentRoot /path/to/wordpress
    ServerName blog.simonandkate.net
    <Directory /path/to/wordpress>
        allow from all
        AllowOverride FileInfo Options
    </Directory>
    RewriteEngine On
    RewriteRule !^/wp-admin/(.*) - [C]
    RewriteRule !^/wp-login.php(.*) - [C]
    RewriteRule !^/wp-content/(.*) - [C]
    RewriteRule ^/(.*) http://blog.simonandkate.net/$1 [QSA,L]
    SSLEngine on
    SSLCertificateFile /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem
</VirtualHost>
Note the Rewrite rules in the WordPress VirtualHost. They redirect https requests for all pages except wp-admin, wp-login.php and wp-content back to http requests. In the wp-config.php file you will also need to have the following lines:

// replace the placeholder strings with long, unique random values
define('AUTH_KEY',        'Long key in here');
define('SECURE_AUTH_KEY', 'Here too');
define('LOGGED_IN_KEY',   'And here');
define('NONCE_KEY',       'And finally here...');
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

Back up the file before modifying it so you can fall back. Restart Apache. Apache will complain about having multiple SSL VirtualHosts on the same address:port combination, but don’t worry, it’s a warning only, it won’t stop anything, and as we are using a wildcard certificate, secure browsing will work properly.
Browse to the blog home page. It should be using http. If you now browse to http://blog-address/wp-admin it should now bounce you to use https. If you are using self-signed certificates you will now get a certificate error, unless you have imported the CA certificate into your browser. Again, separate issue for another day…
Log in. Make sure that you can access everything fine in WordPress, with admin and login pages being bounced to https and everything else to http.
Gallery2’s support for SSL is a lot less refined – you have to force everything through SSL (there are possibly other ways, but not that I could find without going to a LOT of effort). To do that, you’ll need the VirtualHost we’ve configured above, and change your config.php in the gallery2 directory to something like this:
Browsing to gallery.address.net should now push you to https, and the gallery should now be entirely operative under https.
In the rewrite rules above I had to add a line that said:
RewriteRule !^/wp-content/(.*) - [C]
This was so that the WPG2 plugin could successfully work from WordPress and see the gallery pictures using the ‘add pictures’ toolbar button in WordPress.
One thing you will note is that because WPG2 accesses the Gallery via http://blog-address/wpg2, it can serve up pictures you post in WordPress using http. If you navigate to Gallery natively rather than via WPG2 you get shunted into https.
One thing I need to check is how WPG2 passes logon credentials to Gallery in this scenario… as we are https encrypting wordpress/wp-content files (where wpg is located) that bit is fine, but as it calls to gallery2 using http I’m not sure about that bit…
1. Make sure you do Gallery2 admin tasks from https://gallery… rather than the WPG2 redirect pages – some tasks fail in the redirect.
2. I noticed that if you manually enter http://gallery.simonandkate.net/main.php, i.e. go directly to main.php instead of via the main server URL, you can stay in http instead of https. To prevent this, I put a single-line redirect in the port 80 http VirtualHost section of httpd.conf:
RedirectPermanent /main.php "https://gallery.simonandkate.net/"
This intercepts any requests to do this and shunts them to https. Direct links to a pic using http, i.e. http://gallery.simonandkate.net/main.php?g2_itemId=150, will also get thrown to the correct https URL.
3. I discovered some errors in Gallery2 that would appear to be related to the use of https. The errors appear in Apache logs as follows:
PHP Fatal error: Class 'GalleryTranslator' not found in /path/to/g2/modules/core/classes/GallerySession.class on line 780, referer: ...
The problem is described here – http://gallery.menalto.com/node/82238 – and is related to the GalleryTranslator.class. I backed up the original GallerySession.class and followed the fix in that post, and it has fixed the errors. The fix is to insert the following line:
above the line that calls GalleryTranslator. That line reads:
list ($ret, $detectedLanguageCode) = GalleryTranslator::getDefaultLanguageCode();
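Once Apache is restarted, the http/https split described above (blog pages on http, wp-login.php and wp-admin bounced to https, https blog requests bounced back to http, and direct gallery main.php links thrown to https) can be checked from the command line. This is an added example and not part of the original post; it assumes curl is installed and uses the post's hostnames, which you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the http/https split with
# curl after restarting Apache. Hostnames are the post's own; replace them.
# Assumes curl is installed; -k is only needed for a self-signed certificate.

# Fetch raw response headers for a URL (HEAD request, no body).
fetch_headers() { curl -sSkI "$1"; }

# Print the status code from the first line of raw response headers.
status_of() { printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'; }

# Print the first Location header value, or nothing if there is none.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

# Pass when URL answers with a 30x whose Location starts with EXPECTED.
# A prefix match is used because the RedirectPermanent may append the query string.
check_redirect() {
    url=$1; expected=$2
    headers=$(fetch_headers "$url") || return 1
    code=$(status_of "$headers"); loc=$(location_of "$headers")
    case $code in
        30[1278]) ;;
        *) echo "FAIL $url: status $code, expected a redirect"; return 1 ;;
    esac
    case $loc in
        "$expected"*) echo "ok   $url -> $loc" ;;
        *) echo "FAIL $url -> '$loc', wanted $expected..."; return 1 ;;
    esac
}

# Pass when URL is served directly with 200, i.e. not bounced anywhere.
check_direct() {
    headers=$(fetch_headers "$1") || return 1
    case $(status_of "$headers") in
        200) echo "ok   $1 served directly" ;;
        *)   echo "FAIL $1: $(status_of "$headers") $(location_of "$headers")"; return 1 ;;
    esac
}

# Live checks only run when explicitly requested, so the file can be sourced.
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    check_direct   "http://blog.simonandkate.net/"
    check_redirect "http://blog.simonandkate.net/wp-login.php" "https://blog.simonandkate.net/wp-login.php"
    check_redirect "https://blog.simonandkate.net/" "http://blog.simonandkate.net/"
    check_redirect "http://gallery.simonandkate.net/main.php?g2_itemId=150" "https://gallery.simonandkate.net/"
fi
```

Run it with RUN_LIVE_CHECKS=1 against the live server; any FAIL line points at a rewrite or redirect rule that is not doing what the post describes.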