SSL Termination working, but page missing CSS

Hello,

I didn't find anything in my searches for the past hour, so here I am asking for help. Please let me know what information you want besides what is below.

So I have HAProxy running on an Ubuntu 20.04 server and it's doing SSL offload and hitting a CentOS 7 box running CentOS Webpanel with a few internal webpages running on it (2 plain HTML, 1 WordPress). These webpages are only served over HTTP, so that is how the backend is configured to reach them.

The good news is SSL offload is working and the sites load up. And this is where I hit a snag. The WordPress site is missing all CSS formatting and template backgrounds, even on the default template. I don't have this problem on my home test setup, so I am really stumped.

Any tips?

Config (anonymized)

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-C>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend domainabc_urls
bind 10.0.0.10:80
bind 10.0.0.10:443 ssl crt /etc/ssl/wildcard.pem
http-request redirect scheme https unless { ssl_fc }
acl FIRST_URL hdr_dom(host) -i testing.domainabc.com
acl FIRST_URL hdr_dom(host) -i intratest.domainabc.com
acl FIRST_URL hdr_dom(host) -i intranet.domainabc.com
use_backend webhost-1 if FIRST_URL

backend webhost-1
mode http
cookie iaserverused insert indirect nocache
default-server maxconn 200
server server1 10.0.0.134:80 cookie server1

listen stats
bind *:8404
stats enable
stats uri /monitor
stats refresh 5s
stats auth admin:iapassword

Snip of format issue: [image: Capture]

Any help would be greatly appreciated!

Thank you,
Matt R.

Okay so I was able to fix my problem. It was a mix of HAProxy config and WordPress config.

This site is what helped me: Wordpress behind HAProxy with TLS termination – oxcrag.net

But here is also the pertinent information:

In the HAproxy Frontend rule you want to add the following:

option http-server-close
http-request set-header X-Forwarded-Proto https if { ssl_fc }

So now my Frontend looks like this:

frontend domainabc_urls
bind 10.0.0.10:80
bind 10.0.0.10:443 ssl crt /etc/ssl/wildcard.pem
option http-server-close
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request redirect scheme https unless { ssl_fc }
acl FIRST_URL hdr_dom(host) -i testing.domainabc.com
acl FIRST_URL hdr_dom(host) -i intratest.domainabc.com
acl FIRST_URL hdr_dom(host) -i intranet.domainabc.com
use_backend webhost-1 if FIRST_URL

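On top of that you need to edit the wp-config.php in the root of your WordPress instance to include this:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
// HAProxy terminates TLS, so tell WordPress the original request was HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}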

NOTE: the above has to be before the following (tail of config):

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
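
Added example, not part of the original posts: when WordPress behind a TLS-terminating proxy does not know the request was HTTPS, it emits http:// asset URLs, and browsers block those as mixed content on an https:// page, which shows up as missing CSS. This Python check lists such subresources in a page's HTML so the fix above can be verified; the sample HTML and asset paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# <link rel=...> values that trigger a fetch; rel="canonical" and similar do not.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that resolve to http:// on an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and not FETCHING_RELS & rels:
            return
        url = a.get(attr)
        if not url:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page scheme.
        resolved = urljoin(self.page_url, url)
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only applies to pages loaded over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed samples: markup as served before and after the fix.
PAGE = "https://intranet.domainabc.com/"
BEFORE = """<link rel="stylesheet" href="http://intranet.domainabc.com/wp-content/themes/example/style.css">
<link rel="canonical" href="http://intranet.domainabc.com/">
<script src="//intranet.domainabc.com/wp-includes/js/example.js"></script>
<img src="/wp-content/uploads/logo.png">"""
AFTER = BEFORE.replace("http://", "https://")

if __name__ == "__main__":
    for tag, url in find_mixed_content(PAGE, BEFORE):
        print(f"blocked as mixed content: <{tag}> {url}")
```

To run it against a live site, pass the HTML fetched through the HAProxy frontend (not directly from the backend) to `find_mixed_content`.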