Wordpress Multisite SSL with domain mapping using Cloudflare

Enabling SSL on multiple mapped domains

The march toward SSL everywhere continues. Until Server Name Indication (SNI) was added to TLS (first published in 2003), this was just about impossible at scale: a server had to choose its certificate before the client had said which hostname it wanted, so each HTTPS site needed its own IP address, and the pool of IPv4 addresses was dwindling. SNI lets one IP address present a different certificate for each hostname. If you're running a Wordpress Multisite network, this is music to your ears.

Server Name Indication lets the browser tell the server which hostname it wants as part of the HTTPS handshake (the name is sent in the clear in the ClientHello, before any encryption starts, so it is visible on the wire). The server uses that name to pick the matching certificate. Cloudflare has taken this a step further and implemented Universal SSL at the proxy level, for free: its edge presents a browser-trusted certificate for your domain and then opens a separate connection to your origin. By combining Cloudflare with a self-signed certificate on the server, you can get SSL on your mapped domains under Wordpress Multisite. This relies on Cloudflare's Full mode, which encrypts the Cloudflare-to-origin hop but does not validate the origin certificate; Full (strict) would reject a self-signed one.

To start, you need a Wordpress Multisite network of course. See the guide here for creating one if you don't have one already. You'll also (for this scenario) need to have your domain nameservers running through a free Cloudflare account.

Next, you need a domain mapping plugin. This lets you take a subdomain-based Multisite network and map each subsite (site2.primarydomain.com) to an external domain name. We use the $19 WPMUDEV Domain Mapping plugin, but you can use the older, free Wordpress MU Domain Mapping plugin.

For the new domain you want to map (newdomain.com), log into Cloudflare and set the domain's A record to the IP address of the Multisite server. Make sure the record is proxied through Cloudflare (the orange cloud) rather than DNS-only: free SSL only applies to proxied records.

You can also enable Universal SSL while you're at it, probably in Flexible mode at first. Keep in mind that Flexible mode only encrypts the browser-to-Cloudflare hop; Cloudflare fetches from your origin over plain HTTP, so it is a stepping stone rather than the finished setup. Don't force HTTPS on the origin while in Flexible mode: the origin never sees an HTTPS request, so every response would be a redirect and the browser ends up in a redirect loop.

Create your new site on your Wordpress network using a unique subdomain, for example site2.primarydomain.com. If your primary domain's DNS has a wildcard record for subdomains pointing to the primary IP, you should be able to reach the new site at that subdomain immediately. The next step is to map the external domain, newdomain.com, to that subsite.

With your domain mapping plugin active on the network, map the new site (site2.primarydomain.com) to the external domain (newdomain.com).

Now, provided your web server routes requests for newdomain.com to the primary domain's vhost, Wordpress will recognise the Host header, serve the site2.primarydomain.com subsite in its place, and respond under the external domain transparently.

Adding SSL into the mix gets a bit tricky. It took me a lot of experimentation to get it right using Full SSL. The way I was able to accomplish this was with the following settings:

  1. Cloudflare nameservers for both the primary domain and the mapped domain
  2. Cloudflare SSL enabled in Full mode (Full (strict) would reject the self-signed origin certificate from step 5)
  3. Vhost alias newdomain.com -> primarydomain.com, so requests for the mapped domain land on the primary domain's vhost
  4. SSL with SNI enabled on the primarydomain.com vhost
  5. Self-signed certificate on the primarydomain vhost for *.primarydomain.com (browsers only ever see Cloudflare's certificate; this one is seen by Cloudflare alone)
  6. Force all traffic to HTTPS via plugin
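The origin-side steps 3 to 5 as one script, together with the kind of SNI check the Server Name Indication discussion earlier calls for. This is an added example for this page, not code from the original article, from Cloudflare, or from either domain mapping plugin. It generates the self-signed wildcard certificate with a subjectAltName, writes an Apache 2.4 vhost that aliases the mapped domain onto the primary domain's HTTPS vhost, and defines two openssl s_client checks (one through the Cloudflare edge, one straight at the origin) to run once DNS is live. The domain names, the origin IP 203.0.113.10, the file paths and the Apache layout are all assumptions; substitute your own. Everything is written to a scratch directory so nothing under /etc is touched until you copy the files in yourself.

```shell
#!/bin/sh
# Added example for steps 3-5 of the article; not part of the original page.
# All names, paths and the Apache layout are assumptions; adjust for your host.
set -eu

PRIMARY="primarydomain.com"      # assumed: the network's primary domain
MAPPED="newdomain.com"           # assumed: the externally mapped domain
OUT="${OUT:-$(mktemp -d)}"       # scratch directory; copy the results into place yourself

# Step 5: self-signed wildcard certificate for *.primarydomain.com.
# A subjectAltName is included because clients ignore a bare CN. Cloudflare's
# Full mode accepts this certificate; Full (strict) would not (it is not CA-signed).
make_wildcard_cert() {
  cat > "$OUT/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = *.${PRIMARY}
[ext]
subjectAltName = DNS:*.${PRIMARY},DNS:${PRIMARY}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$OUT/${PRIMARY}.key" -out "$OUT/${PRIMARY}.crt" \
    -config "$OUT/san.cnf" 2>/dev/null
  chmod 600 "$OUT/${PRIMARY}.key"      # the private key must not be world-readable
}

# Print the SAN entries of the generated certificate (works on OpenSSL 1.0 through 3.x).
cert_sans() {
  openssl x509 -in "$OUT/${PRIMARY}.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Steps 3-4: one HTTPS vhost for the primary domain, with the mapped domain as a
# ServerAlias so Apache selects this vhost for SNI "newdomain.com" and hands the
# request (Host: newdomain.com) to WordPress, where the mapping plugin resolves it.
make_vhost() {
  cat > "$OUT/${PRIMARY}.conf" <<EOF
<VirtualHost *:443>
    ServerName   ${PRIMARY}
    ServerAlias  *.${PRIMARY} ${MAPPED} www.${MAPPED}
    DocumentRoot /var/www/${PRIMARY}

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/${PRIMARY}.crt
    SSLCertificateKeyFile /etc/ssl/private/${PRIMARY}.key
    # Only Cloudflare's proxies should reach this port; browsers talk to the edge.
</VirtualHost>
EOF
}

# Network checks for later (not run here): which certificate each hop presents.
# Through Cloudflare you should see an edge certificate issued for the mapped
# domain; straight at the origin IP you should see the self-signed wildcard.
check_edge() {
  openssl s_client -connect "${MAPPED}:443" -servername "${MAPPED}" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}
check_origin() {   # usage: check_origin 203.0.113.10   (assumed origin IP)
  openssl s_client -connect "$1:443" -servername "${MAPPED}" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Generate the certificate and vhost (no network needed).
if command -v openssl >/dev/null 2>&1; then
  make_wildcard_cert
  make_vhost
  printf 'Generated in %s\nSAN: %s\n' "$OUT" "$(cert_sans)"
else
  echo "openssl not found; nothing generated" >&2
fi
```

Run it with sh, copy the three files into place, then `apachectl configtest` before reloading. Because Cloudflare's Full mode does not validate the origin certificate, the mismatch between the SNI it sends to the origin (newdomain.com) and the *.primarydomain.com certificate it gets back is tolerated; if you later move to Full (strict), replace the self-signed certificate with one that covers the mapped domain and is signed by a CA that Cloudflare trusts.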

Due to the variety of server configuration tools out there it's tough to get into specific steps for these tasks. 

Something to note is that Cloudflare's SSL won't kick in immediately if you've just added the domain to Cloudflare for the first time. If you're getting browser security warnings or HTTPS rejections, you may just need to wait an hour or so for the edge certificate to be issued properly.

If all goes well, you'll be able to provide SSL on a single IP across all of your multisite blogs in Wordpress, even on external domains.
