I have WordPress running in a load balancer scheme with two instances. For security reasons, I've decided to block wp-admin access from the public URL and allow it from one of the instances.
Using the application instance URL as the value of the WP_HOME variable causes each call to the wp-json REST API, either by wp-admin to save the publication or by the Gutenberg editor to make use of the block editor, to persist in the database a reference to the instance URL and not the URL of the application itself. To solve this problem I came up with the following solution:
// basically use the instance IP/URL, allowing me to access instance1.server/wp-admin
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST']);
// every wp-json call inside wp-admin goes to http://mywebsite/wp-json,
// preserving the URL inside texts, GUIDs and references like that
define('WP_HOME', 'http://mywebsite');
The problem is that using it this way, I get a CORS error where http://instance1.server is not allowed to access http://mywebsite/wp-json. I used all possible settings to disable CORS for the instance address but without success. The main mistakes are:
Access to fetch at
'http://mywebsite/wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user'
from origin 'http://instance1.server' has been blocked by CORS policy:
Request header field x-wp-nonce is not allowed by
Access-Control-Allow-Headers in preflight response.

Access to fetch at
'http://mywebsite/wp-json/wp/v2/blocks?context=edit&_locale=user'
from origin 'http://instance1.server' has been blocked by CORS policy:
Request header field x-wp-nonce is not allowed by
Access-Control-Allow-Headers in preflight response.
The closest solution to solving the problem was as described on this website: https://thoughtsandstuff.com/wordpress-rest-api-cors-issues/
But after doing that, I started to receive an error like:
index.js?ver=61c1dd29ea09ae129423d3abff21d328:1 GET
http://mywebsite/wp-json/wp/v2/users/me?_locale=user 403
(Forbidden)
I have found solutions to problems involving third-party applications that need to make remote calls to the WordPress REST API, but nothing related to my problem (wp-admin calling itself from another address).
Is there any way I can access the wp-admin panel at the address of one of the instances (instance1.server/wp-admin) of the system, keeping the application URL as WP_HOME (mywebsite)?
Thanks in advance.
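
The browser-side check behind the preflight errors quoted above, as an added example that is not part of the original post and is not WordPress code: it evaluates a preflight response the way the Fetch standard describes and reports why a request carrying `X-WP-Nonce` is blocked. The function name `checkPreflight`, the sample response headers and the assumption that the editor's requests are sent with cookies (credentials) are constructed for illustration.

```javascript
// Added example, not WordPress code: the checks a browser applies to a CORS
// preflight response (Fetch standard). Response header names are lowercase keys.
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

// req: { origin, method, headers (names from Access-Control-Request-Headers), credentials }
// res: { status, headers }. Returns the reasons the browser would block; [] means pass.
function checkPreflight(req, res) {
  const reasons = [];
  const h = res.headers;
  const wildcardOk = !req.credentials; // "*" only counts for requests without credentials
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== req.origin && !(allowOrigin === "*" && wildcardOk)) {
    reasons.push(`origin ${req.origin} not allowed by Access-Control-Allow-Origin`);
  }
  if (req.credentials && h["access-control-allow-credentials"] !== "true") {
    reasons.push("Access-Control-Allow-Credentials is not 'true'");
  }
  if (res.status < 200 || res.status > 299) {
    reasons.push(`preflight status ${res.status} is not 2xx`);
  }
  const methods = tokens(h["access-control-allow-methods"]);
  if (!SIMPLE_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes("*"))) {
    reasons.push(`method ${req.method} not allowed by Access-Control-Allow-Methods`);
  }
  const allowed = tokens(h["access-control-allow-headers"]).map((t) => t.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    // "authorization" must be listed by name; "*" never covers it.
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) {
      reasons.push(`header ${name} not allowed by Access-Control-Allow-Headers`);
    }
  }
  return reasons;
}

// Constructed inputs modelled on the errors in the post (assumes cookies are sent).
const request = { origin: "http://instance1.server", method: "GET",
  headers: ["X-WP-Nonce"], credentials: true };
const cors = (origin, hdrs) => ({ status: 200, headers: {
  "access-control-allow-origin": origin, "access-control-allow-credentials": "true",
  "access-control-allow-headers": hdrs } });
const missingNonce = cors("http://instance1.server", "Authorization, Content-Type");
const wildcards = cors("*", "*");
const scoped = cors("http://instance1.server", "Authorization, Content-Type, X-WP-Nonce");
for (const [label, res] of Object.entries({ missingNonce, wildcards, scoped })) {
  console.log(label, checkPreflight(request, res));
}
```

The `wildcards` case fails for a credentialed request on both the origin and the header, so a policy for the admin instance has to name `http://instance1.server` and `X-WP-Nonce` explicitly rather than fall back to `*`.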