In a nutshell, I added my own function to general_tempalate.php called "getsslurl()" that I went through and used in several places instead of "get_option('siteurl'). My function looked like this:
function getsslurl() {
$tempurlstring = get_option('home');
$tempurlstring = str_replace("http", "https", $tempurlstring);
return $tempurlstring;
}
It looks like I modifified wp-login.php, admin-header.php, script_loader.php, themes.php, upload.php, upload-functions.php and wpmu_ldap_admin_functions.php (in the LDAP plugin I am using).
I changed the .htaccess file to do some different rewrites too. I need to go back and remove some of the ones that are redundant. I know some of these statements are never being used and are in fact redundant. I just haven't cleaned it up yet. Here is what is in my .htaccess:
RewriteEngine On
RewriteBase /
#uploaded files
RewriteRule ^(.*/)?files/$ index.php [L]
RewriteRule ^(.*/)?files/(.*) wp-content/blogs.php?file=$2 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
#DTaylor - had to do this to switch to https for wp-admin screens for users (i.e. /david_taylor/wp-admin and /david_Taylor/wp-admin/whatever.php)
RewriteCond %{HTTPS} off
#RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) https://%{HTTP_HOST}/$1$2 [L]
#DTaylor - had to do this to switch to https for wp-admin screens for users (i.e. /david_taylor/wp-admin and /david_Taylor/wp-admin/whatever.php)
RewriteCond %{HTTPS} off
#RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ https://%{HTTP_HOST}/$1$2 [L]
#DTaylor - Needed this to fix problem of the style sheets not showing up for users on the admin screens on IE
# turns out it was trying to load the /david_taylor/wp-content/mu-plugins/ldap_auth.css and it needed a redirect
RewriteCond %{HTTPS} off
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-content/mu-plugins/.*) https://%{HTTP_HOST}/$1$2 [L]
#http://homepages.baylor.edu/wp-admin/login-page.css?version=wordpress-mu-1.2.3-2.2.1
RewriteCond %{HTTPS} off
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/login-page.css/.*) https://%{HTTP_HOST}/$1$2 [L]
RewriteCond %{HTTPS} off
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/images/.*) https://%{HTTP_HOST}/$1$2 [L]
RewriteCond %{HTTPS} off
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/images/.*) https://%{HTTP_HOST}/$1$2
#These are the original RewriteRule lines. Leave 'em in for the non-SSL (NON wp-admin) hits (i.e. http://homepages.baylor.edu/david_taylor)
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
#added by DTaylor to redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Of course, this is all in addition to setting apache up to run SSL. You can find documents on that. Everything seems to work. In fact, most all of it worked without any of the code changes in Firefox and Safari. However, I had to make most of those coding changes to keep IE from squawking about mixed content (i.e. "this page contained secure and unsecure...blahblahblah). It seems that FF was OK with the rewrite. Oh well. Anyway, our security guru has checked it over and said everything looks great. I'm only getting a couple of those mixed content warnings (and only on IE) and it is down in they tinyMCE code. I think I'll just leave it alone for now. Good luck to anyone else that plans to do this. I think most of my frustration just came from my inexperience with Apache and SSL. Once I "got it" it wasn't that bad. Wordpress could easily (it seems to me) make it possible to run under SSL out of the box.