Today my WordPress site was compromised, so it now serves a JS script that redirects to a spam site.
I looked inside the Apache logs to reconstruct what happened, but I don't know how to interpret this:
xx.xx.xx.xx - - [09/Jan/2017:10:24:42 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:42 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:44 +0100] "GET /wp-admin/ HTTP/1.1" 302 4 "http://my.host.name/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:44 +0100] "GET /wp-admin/ HTTP/1.1" 200 219966 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:47 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 183974 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:48 +0100] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1" 500 3427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:49 +0100] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 161448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
As you can see, somebody has tried to log in, but he can't. But after two simple GET requests to "/wp-admin/" he seems to be logged in and is able to modify and install a new theme.
At this point I have tried to find differences between the wp-admin directory that is present on the server and the original one downloaded from the official site wordpress.org, but I didn't find any differences.
I compared all files present in wp-admin with the "diff" utility and I can't find any difference. For example:
diff /var/www/html/original.wordpress/wp-admin/themes.php /var/www/html.hacked/wp-admin/themes.php didn't output any code
Could you help me to find evidence?
Looks like your exploit happened here:
/wp-admin/theme-install.php?upload
Make sure your themes and plugins are updated. That last request returned a 200 response from your webserver to the attacker, and was likely used to upload a backdoor. I'd audit the contents of /wp-content/uploads/ to see if there are any out of place PHP files (backdoor shells) in there. If so, it's possible they used that to pivot within your site, so there may be other directories containing PHP backdoors elsewhere.
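One way to triage a log like the one in the question, added here as an example (not code from the original posts): it relies on WordPress normally answering an accepted login POST with a 302 redirect and a rejected one with a 200 that re-renders the form, then lists that client's requests to wp-admin pages through which code can be edited or installed. The IP addresses, the failed-login lines and the `SENSITIVE` list are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# wp-admin scripts through which code on disk can be edited or installed
# (assumed list for this example).
SENSITIVE = {"theme-editor.php", "plugin-editor.php", "theme-install.php",
             "plugin-install.php", "update.php"}


def find_admin_code_access(lines):
    """Map each client IP to (kind, time, path, status) findings, in log order."""
    logged_in = set()
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        ip, path, status = m["ip"], m["path"], m["status"]
        entry = (m["time"], path, status)
        if m["method"] == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            if status == "302":      # redirect away from the form: login accepted
                if ip not in logged_in:
                    findings[ip].append(("login-ok",) + entry)
                logged_in.add(ip)
            elif status == "200":    # form re-rendered: login rejected
                findings[ip].append(("login-failed",) + entry)
        elif ip in logged_in and path.startswith("/wp-admin/"):
            script = path[len("/wp-admin/"):].split("?", 1)[0]
            if script in SENSITIVE:
                findings[ip].append(("sensitive",) + entry)
    return dict(findings)


# Constructed sample: the request sequence from the question, with documentation
# IP addresses in place of the redacted ones, plus one failed login for contrast.
UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"'
T = "09/Jan/2017:10:24"
SAMPLE = [
    f'203.0.113.10 - - [{T}:42 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" {UA}',
    f'203.0.113.10 - - [{T}:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" {UA}',
    f'203.0.113.10 - - [{T}:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" {UA}',
    f'203.0.113.10 - - [{T}:44 +0100] "GET /wp-admin/ HTTP/1.1" 200 219966 "/wp-login.php" {UA}',
    f'203.0.113.10 - - [{T}:47 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 183974 "-" {UA}',
    f'203.0.113.10 - - [{T}:48 +0100] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1" 500 3427 "-" {UA}',
    f'203.0.113.10 - - [{T}:49 +0100] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 161448 "-" {UA}',
    f'198.51.100.7 - - [{T}:50 +0100] "POST /wp-login.php HTTP/1.1" 200 6111 "-" {UA}',
    f'198.51.100.7 - - [{T}:51 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 302 4 "-" {UA}',
]

if __name__ == "__main__":
    for ip, items in find_admin_code_access(SAMPLE).items():
        for kind, when, path, status in items:
            print(f"{ip}  {when}  {kind:12}  {status}  {path}")
```

An IP with a `login-ok` entry followed by `sensitive` entries is a lead for checking which account was used and which files changed after that time.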
Related
I've used the Nginx docs and set the access log format.
https://docs.nginx.com/nginx/admin-guide/monitoring/logging/
access_log /var/log/nginx/access.log;
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
When I access the site using Firefox I get the following log:
192.168.xx.xxx - - [13/Apr/2021:14:52:16 +0200] "GET /home HTTP/1.1" 200 21408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
But when I access the site using Chrome or Opera I get the following logs:
Opera:
192.168.xx.xxx - - [13/Apr/2021:14:53:19 +0200] "GET /me HTTP/1.1" 200 24062 "https://my-site.com/me" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 OPR/64.0.3417.92"
Chrome:
192.168.xx.xxx - - [13/Apr/2021:15:06:56 +0200] "GET /me HTTP/1.1" 200 115426 "https://my-site.com/me" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"
Did I properly set my Nginx logging configuration?
I am setting up an Nginx reverse proxy using these Docker images:
nginx
jwilder/docker-gen
jrcs/letsencrypt-nginx-proxy-companion
The host where these containers are located is given a public IP address so that the web app can be accessed from the internet. We registered the subdomain and set the public IP address to that subdomain.
When I test the configuration, the web app worked and https also worked, but from the LAN only (we have a local DNS server that has the subdomain paired to a local server IP address).
But when I tried accessing it from the internet, it gives "301 redirected too many times". And yes, I saw in the Nginx log that the server logged around 20 301 redirections and then stopped.
I am still clueless about what is wrong with the configuration. I used this template https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl for the auto-generated configuration files with a little modification in the location part (proxy_connect_timeout, proxy_send_timeout, proxy_read_timeout, proxy_send_lowat) to make our web app not 502 gateway timeout from long processing.
Can anyone point out where my configuration failed?
# fhij.abcd.co.id
upstream fhij.abcd.co.id {
    ## Can be connected with "nginx-proxy" network
    # fhid_web_1
    server 172.20.0.8:8069;
}
server {
    server_name fhij.abcd.co.id;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name fhij.abcd.co.id;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/fhij.abcd.co.id.crt;
    ssl_certificate_key /etc/nginx/certs/fhij.abcd.co.id.key;
    ssl_dhparam /etc/nginx/certs/fhij.abcd.co.id.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/fhij.abcd.co.id.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://fhij.abcd.co.id;
        proxy_connect_timeout 9990;
        proxy_send_timeout 9990;
        proxy_read_timeout 9990;
        proxy_send_lowat 12000;
    }
}
These are the access.log entries I got when accessing from the internet:
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:42 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
And these are from the LAN:
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET / HTTP/2.0" 303 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web HTTP/2.0" 303 227 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/login HTTP/2.0" 200 4383 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/269-ceb8fb1/web.assets_common.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/276-771d39e/web.assets_frontend.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/webclient/qweb?mods= HTTP/2.0" 304 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "POST /web/webclient/bootstrap_translations HTTP/2.0" 200 87 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
Why is it so different? The Nginx response to the internet request was 301 and the response to the LAN request was 303.
It turned out there was a mistake in our Cloudflare DNS and WAF configuration. Modifying these configurations fixed this issue.
I wrote a script that configures a captive portal and everything is working fine. The problem I'm having is that, because nginx is redirecting all the requests to http://hotspot.localnet/index.php, it is also redirecting all requests for images. So none of the images in index.php work.
Is there a way to exclude png and pdf files from being redirected to index.php so that they are displayed? I tried many regex examples found on the internet but had no luck.
The source code of the nginx config file is here: https://github.com/tretos53/Captive-Portal/blob/master/default_nginx
This is access.log with the above configuration:
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /index.php HTTP/1.1" 200 582 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/1.jpg HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/2.png HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/3.png HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/4.png HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/5.png HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
192.168.137.1 - - [03/Dec/2018:19:53:16 +0000] "GET /images/6.png HTTP/1.1" 302 161 "http://hotspot.localnet/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
Add this to your config:
location ~ \.(?:pdf|png)$ {
    try_files $uri =404;
}
I've been having trouble getting the Online Worldpay plugin (from https://wordpress.paymentplugins.com/product-category/worldpay/) to work with WooCommerce, and after much trial and error, although it seems to be working now, it's taking forever to complete a transaction.
The first issue was this in the server log:
upstream timed out (110: Connection timed out) while reading response header from upstream
After searching on SO and some trial and error, adding the following nginx directives seems to have fixed it:
proxy_connect_timeout 159s;
proxy_send_timeout 600;
proxy_read_timeout 600;
However it's still not fixed the problem. It's taking up to 5 minutes between clicking checkout and showing the confirmation page.
Here's my server log:
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:51:40 +0100] "POST /staging/wp-admin/admin-ajax.php HTTP/1.0" 200 1140 "https://website.com/staging/wp-admin/edit.php?post_type=shop_order" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:49:02 +0100] "POST /staging/?wc-ajax=checkout HTTP/1.0" 200 1522 "https://website.com/staging/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:53:17 +0100] "GET /staging/checkout/order-received/1001?key=wc_order_5b867a1e36616 HTTP/1.0" 301 4616 "https://website.com/staging/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:53:17 +0100] "GET /staging/checkout/order-received/1001/?key=wc_order_5b867a1e36616 HTTP/1.0" 200 77776 "https://website.com/staging/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:53:18 +0100] "GET /staging/wp-content/uploads/2018/08/fromUpload/37124872560_f78336501a_k-3-1024x485.jpg HTTP/1.0" 200 491 "-" "-"
xxx.xxx.xxx.xxx - - [29/Aug/2018:11:53:18 +0100] "GET /staging/wp-content/themes/website/functions/includes/im_cart_order.php?path=https://website.com/staging/wp-content/uploads/2018/08/fromUpload/37124872560_f78336501a_k-3-1024x485.jpg&crop_left=26.329113924050635&crop_top=0&crop_width=47.34177215189874&crop_height=100&rotate=0&filter=0&mirror=0&flip=0 HTTP/1.0" 200 59870 "https://website.com/staging/checkout/order-received/1001/?key=wc_order_5b867a1e36616" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
Appreciate any insight :)
Thanks!
I am using an Apache RewriteRule to redirect the URL when a client SSL certificate is not used. When I redirect to a static page using the [P] proxy flag, everything works as expected. But if I change the redirection to a page in WordPress, the typed URL disappears and the WordPress page permalink is shown instead. I want to leave the typed URL unchanged in the address bar, just to be able to use reload after connecting to the VPN or using the correct certificate.
RewriteRules as used in virtual host conf.
# SSL User Authentication
SSLVerifyClient optional
SSLVerifyDepth 3
# redirect all url when not in VPN or LOCAL NET
#RedirectMatch ^/(.*) http://terminus.terminus.cz
# to be able to debug rewrite in apache2 error log
LogLevel alert rewrite:trace6
# Error handling = unsuccessful SSL user authentication
RewriteEngine on
Options +FollowSymLinks
Options +SymLinksIfOwnerMatch
# No authentication certificate
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteCond %{HTTP_HOST} ^trading\.terminus\.cz$ [NC]
# RewriteCond {HTTP_REFERER} value is blank
RewriteCond %{HTTP_REFERER} ^$
RewriteRule ^ http://terminus.terminus.cz/no_ssl_client_certificate.htm [L,NE,P,E=ssl_authentication_error_detected:1]
# RewriteRule show typed domain name, proxying to other domain, same query
#RewriteRule ^ http://terminus.terminus.cz%{REQUEST_URI} [L,NE,P,E=ssl_authentication_error_detected:1]
# RewriteCond {HTTP_REFERER} value is not blank
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteCond %{HTTP_HOST} ^trading\.terminus\.cz$ [NC]
# RewriteRule show typed domain name, proxying to other domain, same query
RewriteRule ^ http://terminus.terminus.cz%{REQUEST_URI} [L,NE,P,E=ssl_authentication_error_detected:1]
When I change the proxied URL to
RewriteRule ^ http://terminus-dev.terminus.cz/index.php/no_ssl_certificate [L,NE,P,E=ssl_authentication_error_detected:1]
It starts changing the typed URL in the address bar to the WordPress permalink, so the [P] flag does not work the expected way.
And from the WordPress virtual host access log:
37.48.19.237 - - [19/Jul/2016:09:28:42 +0200] "GET /index.php/no-ssl-certificate/ HTTP/1.1" 200 17126 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-includes/js/wp-emoji-release.min.js?ver=4.5.3 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/plugins/theme-my-login/theme-my-login.css?ver=6.4.5 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/plugins/wp-filebase/wp-filebase.css?t=1467256824&ver=3.4.4 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/plugins/llorix-one-companion//css/style.css?ver=4.5.3 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/plugins/wordpress-social-login/assets/css/style.css?ver=4.5.3 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/themes/llorix-one-lite/css/font-awesome.min.css?ver=4.4.0 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:43 +0200] "GET /wp-content/themes/llorix-one-lite/css/bootstrap.min.css?ver=3.3.1 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-content/themes/llorix-one-lite/style.css?ver=1.0.0 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-content/themes/llorix-one-lite/js/bootstrap.min.js?ver=3.3.5 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-content/themes/llorix-one-lite/fonts/fontawesome-webfont.woff?v=4.5.0 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-content/themes/llorix-one-lite/js/custom.all.js?ver=2.0.2 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-content/themes/llorix-one-lite/js/skip-link-focus-fix.js?ver=1.0.0 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
37.48.19.237 - - [19/Jul/2016:09:28:44 +0200] "GET /wp-includes/js/wp-embed.min.js?ver=4.5.3 HTTP/1.1" 304 - "http://terminus-dev.terminus.cz/index.php/no-ssl-certificate/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
The redirect_canonical filter is responsible for the URL rewriting, so it is possible to selectively disable it depending on the requested page.
Solved by placing the following code in the theme's function.php:
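// Disable the canonical redirect for the SSL certificate error pages so that
// the URL typed in the address bar is preserved when the page is proxied.
function ssl_certicate_pages_disable_canonical_redirect( $query ) {
    // 'pagename' is not set on every query, so read it defensively.
    $pagename = isset( $query->query_vars['pagename'] ) ? $query->query_vars['pagename'] : '';
    if ( 'no_ssl_certificate' == $pagename || 'wrong_ssl_certificate' == $pagename ) {
        remove_filter( 'template_redirect', 'redirect_canonical' );
    }
}
add_action( 'parse_query', 'ssl_certicate_pages_disable_canonical_redirect' );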