Kirby without htaccess (again), panel with ssl and www.*

when adding ssl to some of my client website i had issues with the panel which refused to work in all but non www setups. which mean you see login page but could not login.

i did setup my ssl and enforced www setup via htaccess which seem to get in conflict with panel redirects.
so did work but would not allow logins.

RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

my question first is did anybody create a working routing setup to remove the need for htaccess? like suggested here?

my second question is if kirby 3 will need a htaccess file or if it could be avoided by design?

it could be the ssl certificate, the forcing www redirect and panel routing in htaccess or a combination of these, but if it is i would love to know how to set this up properly with kirby.

In Kirby 2 the .htaccess (or a corresponding server configuration files) is needed for Panel rewrites. While you can do with ugly URLs if you don’t need the Panel, for the Panel it is definitely needed.

The same is true for Kirby 3.

Is this on shared hosting or do you have access to the server configuration?

Depending on what you got, you can do the redirect from www to non-www or vice versa directly in the domain DNS configuration.

thanks for your reply @texnixe. i will try to explain my problem further maybe i am just missing a critical info.

alpha ssl certificate
most of my clients domains are either or hosted. basic webhosting like 5-10 euros per month. so regarding your question i can use htaccess and limited server configuration. i am not sure how i would configure DNS to redirect to www. can you share an example?

also most clients only purchase an alpha ssl certificate for the www-subdomain since its cheaper than the wildcard certificate required for non-www-subdomain. so i usually add a force https and www redirect to htaccess – like the one above or slight variants depending on the capabilities of the server.

panel an htaccess
but when i access the panel at the www-subdomain ( like ) my redirects do not apply to all resources. my knowledge about redirects is limited but it seems the panel does not know it has been redirected by the htaccess file since it still requests non-www resources. which triggers a CORS header security issue. but since most clients do not have wildcard ssl certificates this is a problem for the panel.
maybe this could be solved using an better htaccess redirect call or like you suggested DNS configuration but i do not know how (yet).

i will PM you an example since i can not share that clients domain name in public.

1 Like