.htaccess settings for securing panel with SSL

I’m trying to implement the HTTPS suggestion from the security page for my panel. The .htaccess rules are defeating me though. Does anyone have any tips on what that rule would generally look like, and where it would go?

This is what I have so far, that would replace this section of the default rules, but it’s not redirecting properly. Also, I’m running in a subdirectory on the server.

# make panel links work
RewriteCond %{HTTPS} !=on 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^panel/(.*) https://example.com/subdirectory/panel/index.php [L]

The front-end of the site still works fine. Thanks for any guidance.

Do you have access to your Apache conf files? Using the .htaccess file is only your second best option.

I don’t think you need to touch the original panel rewrite rules; just add this bit at the top (not tested):

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

See here: https://wiki.apache.org/httpd/RewriteHTTPToHTTPS


Unfortunately I can’t get into the Apache conf files.

Thanks for the wiki reference. I tried adding those 2 directives above and below my RewriteBase rule and it kept sending me to the root directory (above my Kirby install).

When I have been able to get something to work, sometimes the images won’t load, and the CSS will never load. I imagine this has something to do with blocking resources that come from http instead of https?

I’ll keep testing… but if you have any more ideas…

Thank you.

Have you tried setting this only for the subdirectory?

RewriteRule ^/?subdirectory/(.*) https://%{SERVER_NAME}/subdirectory/$1 [R,L]

I did. That worked better, but I’m getting mixed content errors for the CSS and JS assets:

Mixed Content: The page at ‘https://example.com/panel/’ was loaded over HTTPS, but requested an insecure stylesheet

Hm. Normally Kirby should detect the protocol automatically and load the assets via HTTPS as well. You could try setting the url option.

How are these assets loaded, via the js/css helpers?

Thanks for the url idea. I’m wondering if the complication is arising from the fact that I’m running everything in a subdirectory: Kirby and the whole site.

Yes, I’m using the asset helper. My js script is as follows:

<? echo js('/assets/js/scripts-min.js') ?>

You should remove the leading slash to make the URL relative to your site.

Thanks Lukas. I did that, but no difference.

Finally looked at my site > config file so I could set the url like you suggested. I found some old code in there I had left from when I was trying to get my installation of Kirby running in a subdirectory. This was the bad code:

c::set('url', 'http://example.com/subdirectory');

So I was forcing it to go back to http. Unbelievable. Thanks for all your help!!!
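For anyone chasing the same browser error, here is a small check for insecure subresource references in a page served over HTTPS, which is what a site URL pinned to http:// produces. It is an added example, not code from this thread or from Kirby. The function names, the short tag list (stylesheets, scripts, iframes and images only) and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, mixed-content class). "blockable" requests are refused by
# browsers; "upgradeable" media is loaded with a warning or auto-upgraded.
URL_ATTRS = {
    "script": ("src", "blockable"), "link": ("href", "blockable"),
    "iframe": ("src", "blockable"), "img": ("src", "upgradeable"),
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTRS:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are checked; rel="canonical" is not fetched
        attr, kind = URL_ATTRS[tag]
        url = urljoin(self.page_url, attrs.get(attr) or "")  # resolves relative and // URLs
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return insecure subresource references in html served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample (assumption): tags as emitted with the site URL pinned to http://.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/subdirectory/assets/css/main.css">
<link rel="canonical" href="http://example.com/subdirectory/">
<script src="http://example.com/subdirectory/assets/js/scripts-min.js"></script>
<img src="http://example.com/subdirectory/content/photo.jpg">
<img src="//example.com/subdirectory/content/logo.png">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://example.com/subdirectory/panel/", SAMPLE):
        print(f"{kind:<11} <{tag}> {url}")
```

Run it against the saved HTML of the page that shows the error; an empty result after removing the hard-coded http:// URL means the remaining references resolve to HTTPS.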

You are welcome.

For other users: You should first try deleting the url config value. Only set it if you need it.

FWIW, here are the .htaccess rules that worked for me. I’m running the entire site in a subfolder.

RewriteEngine on

# make sure url not already https
RewriteCond %{HTTPS} !=on

#  send panel traffic to https and the subfolder
RewriteRule ^/?panel/(.*) https://%{SERVER_NAME}/mySubfolderName/panel/$1 [R,L]

# rewrite base
RewriteBase /mySubfolderName

...

And I have this in my appropriate config file:

c::set('subfolder', 'mySubfolderName');