Forced SSL leads to 404 page at "index.php"

security

#1

I’m building a portfolio site for our design studio with Kirby and I have a small problem with forcing SSL.

I have tried addingc::set('ssl',true); to my config

I have also tried adding the following to my .htaccess file.

# add SSL
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

I’m able to force HTTPS just fine, as long as the entry point is the root of the site (for example, new.company or http://new.company)

However, when you type any of the subpages with http:// it redirects to index.php, which generates a 404 error. (For example, http://new.company/work or http://new.company/about)

This is an admittedly small edge case (i don’t expect anyone to type http://new.company/work) I do think it looks weird that it sends you to index.php, and that what is presumably the index page results in an error.

Is there any reason why the code I am using above does not simply add https:// do the existing URL and is instead changing it to index.php?


#2

This is an example from the kirby-secrets repo (www to non-www and http to https). You could test if this works for you.

RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L,NE]

There is no SSL option in Kirby 3 anymore, and I’m not sure regarding the c::set() syntax, anyway.

If you have access to the server config, I’d do this in the Virtual Host configuration rather then the .htaccess. On shared hosting, that is of course not possible.

What is your environment/hosting?


#3

I’m using this rule with Kirby 3 just fine on my portfolio site…and @texnixe just beat me to it…

RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L,NE]

Place it immediately after RewriteEngine on


#4

I’m using shared hosting.

I’ve replaced the .htaccess code with the one posted above, but then I get a server error “too many redirects”.

This is the code provided by dreamhost to force SSL, which I am now using.

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

It’s worth noting that this is only the case for URLs that are real. So things like http://new.company/fakepage function correctly. I’ll just have to hope that people aren’t manually typing http:// and a “real” url.