I am facing a challenge with my WordPress site, which is hosted on Nginx running on Windows Server 2012 R2. I want to enable HTTPS on specific pages like /cart/, /my-account/, and /checkout/, but all the resources are still being loaded over HTTP, resulting in mixed content warnings and affecting the page's CSS and JS.
Even after trying to change the site address settings in WordPress from HTTP to HTTPS, the issue persists. Now, the entire site is attempting to load over HTTPS, which is not what I intended. Despite researching extensively on Google and various tutorials on setting up Nginx with SSL, most of them focus on securing the whole site or non-WordPress paths.
In my development environment, I have successfully used a self-signed SSL for non-WordPress pages (plain HTML files). However, testing on the production server with a purchased SSL certificate also works fine.
Therefore, my question is: Can I configure WordPress and Nginx to serve only certain pages via HTTPS while the rest remain on HTTP, including CSS, JS, and images?
I have set up two server blocks for HTTP and HTTPS, along with configurations for PHPMyAdmin and JWPlayer self-hosted JS library to play Wowza streams. The site runs smoothly on HTTP without any issues so far.
For my complete Nginx configuration, refer to this link: https://pastebin.com/2ZzmDgDR
Below is the code snippet from self-signed-ssl.conf:
# From https://cipherli.st/
# And https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_certificate C:/nginx/ssl/server.crt;
ssl_certificate_key C:/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# ssl_dhparam C:/nginx/ssl/dhparam.pem;