HTTPS breaking Panel

I’m setting up a project for a client and have hit a roadblock.

Tried to force HTTPS several ways (HTACCESS seemed most successful/robust), and even though site functions and redirects correctly to HTTPS, the panel gives a 404.

Relatively new to Kirby, is there anything I need to define or amend beyond ‘ssl’ => true, in the config.php?

For context I had just set up server with SSL certificate from LetsEncrypt using CertBot and forced site wide HTTPS.

There is no such setting for Kirby 3, that setting only existed in Kirby 2.

Is the site already online? Could you post the link?

Site is here REDACTED

edit: also adding in that the aim is to force HTTPS and also non-www. Thanks!

Does the Panel work if you don’t enforce HTTPS? Since the site doesn’t have subpages, I couldn’t test if subpages work and thus if this is rather a problem with URL rewriting.

Yes, exactly, the panel works when removing HTTPS enforcements from HTACCESS …

With it on, /panel also seems to push to /home (still 404).

Any suggestions?

edit: I’ve temporarily removed relevant code I had put into HTACCESS and config.php

And what did you put into your .htaccess to enforce https/non-www? Could you please post the complete htaccess?

Change of tack. These rules added to server .config;

<VirtualHost *:80>
ServerName my.domain
Redirect permanent / https://my.domain/
</VirtualHost>

<VirtualHost _default_:443>
ServerName my.domain
DocumentRoot /var/www/html
SSLEngine On
...
</VirtualHost>

And this is to HTACCESS

# Kirby .htaccess

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder.
# Otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite
# Set the RewriteBase to:
#
# RewriteBase /mysite

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block text files in the content folder from being accessed directly
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

# block all files in the site folder from being accessed directly
# except for requests to plugin assets files
RewriteRule ^site/(.*) index.php [L]

# Enable authentication header
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# block direct access to kirby and the panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

</IfModule>

# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

I can access and log into panel at http://www.domain/panel but not https

These https/non-www should be at the top of the htaccess after RewriteEngine on.

have moved here:

# Kirby .htaccess

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder.
# Otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite
# Set the RewriteBase to:
#
# RewriteBase /mysite

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block text files in the content folder from being accessed directly
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

# block all files in the site folder from being accessed directly
# except for requests to plugin assets files
RewriteRule ^site/(.*) index.php [L]

# Enable authentication header
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# block direct access to kirby and the panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

</IfModule>

# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

Still no joy

Hm, I don’t know. These were the rules someone suggested in the past:

RewriteCond %{HTTP_HOST} !=localhost
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L,NE]

But if you have access to the server configuration anyway, you might as well set up a Virtual host for www and do the rewrite there.

I’ve updated HTACCESS to:

# Kirby .htaccess

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on
RewriteCond %{HTTP_HOST} abroad\.studio [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://abroad.studio/$1 [R,L]

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder.
# Otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite
# Set the RewriteBase to:
#
# RewriteBase /mysite

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block text files in the content folder from being accessed directly
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

# block all files in the site folder from being accessed directly
# except for requests to plugin assets files
RewriteRule ^site/(.*) index.php [L]

# Enable authentication header
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# block direct access to kirby and the panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

</IfModule>

# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

HTTPS getting forced, non-www not being enforced (ugh) but still getting this on /Panel

# Not Found

The requested URL was not found on this server.

Apache/2.4.29 (Ubuntu) Server at www.abroad.studio Port 443

very frustrating !

Which config file do you recommend I put this?

Not config, htaccess, as I said, that was something suggested in the past. But htaccess rules that work on one server don’t necessarily work on another. Therefore this needs a bit of testing what works and what does not.

What about my second suggestion?

To set up virtualhost and redirect there? If there is a chance this might resolve the issue then might have to.

Any idea why the rest of the site might work on HTTPS but the panel doesn’t?

Another thing you can try is set the url in config.

Tried that earlier, and again now — seems to break the whole site.

Blank page not 404 though.

Setting the url in config should break the site.

Anyway, need to stop for tonight and get some sleep.

Ok, likewise, thanks for your help tonight.

Any other thoughts on what might be causing the issue very welcome.

You do not need any rewrite rules for https in .htaccess if you enforce redirection in your server config like you do. Furthermore I would write it like so:

<VirtualHost YOUR_IP:80>
ServerName abroad.studio
RedirectPermanent / https://abroad.studio/
</VirtualHost>

<VirtualHost YOUR_IP:443>
ServerName abroad.studio
DocumentRoot /var/www/html
SSLEngine On
...
</VirtualHost>

With redirection in server config your webserver will enforce everything to https even before it knows what exactly is at the document root, and therefore even before the .htaccess file is evaluated.

SOLUTION Added @Adspectus rules + a directory listing to 443 config

<VirtualHost *:80>
     ServerName my.domain
     RedirectPermanent / https://my.domain/
</VirtualHost>

<VirtualHost MY.SERVER.IP:443>
     ServerName my.domain
     DocumentRoot /var/www/html
            <Directory /var/www/html>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
            </Directory>
     SSLEngine On
...
</VirtualHost>
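
An added example, not part of the thread and not Kirby's own configuration: the server-config approach above extended to the thread's stated aim of forcing both HTTPS and non-www, with the `<Directory>` block narrowed so directory listings stay off. The host name `my.domain` follows the thread; the `www` alias and the certificate paths are assumptions and must match what Certbot actually issued.

```apache
# Added example. Host names, DocumentRoot and certificate paths are placeholders.

# Port 80: both host names go straight to the canonical HTTPS, non-www origin.
<VirtualHost *:80>
    ServerName my.domain
    ServerAlias www.my.domain
    Redirect permanent / https://my.domain/
</VirtualHost>

# Port 443, www host: redirect only. The certificate must also cover
# www.my.domain, otherwise the TLS handshake fails before the redirect is sent.
<VirtualHost *:443>
    ServerName www.my.domain
    SSLEngine On
    SSLCertificateFile    /etc/letsencrypt/live/my.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
    Redirect permanent / https://my.domain/
</VirtualHost>

# Port 443, canonical host: this is the vhost that serves Kirby.
<VirtualHost *:443>
    ServerName my.domain
    DocumentRoot /var/www/html
    SSLEngine On
    SSLCertificateFile    /etc/letsencrypt/live/my.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem

    <Directory /var/www/html>
        # AllowOverride defaults to None in Apache 2.4. With None, Kirby's
        # .htaccess is ignored in this vhost, so /panel is never rewritten to
        # index.php and Apache answers with its own "Not Found" page.
        AllowOverride All

        # mod_rewrite in .htaccess needs FollowSymLinks (or SymLinksIfOwnerMatch).
        # Indexes is left out so folders without an index file are not listed.
        Options FollowSymLinks

        Require all granted
    </Directory>
</VirtualHost>
```

With the redirects handled here, the HTTPS and www rewrite rules can be removed from `.htaccess`, leaving only Kirby's stock rules. Run `apachectl configtest` before reloading Apache.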