NGINX / Apache2 Hybrid Server - RewriteRule ^content/(.*) index.php [L] Not working

I am just launching a Kirby site on our Runcloud hosting - The hosting is setup on a NGINX/Apache2 Hybrid stack (Allows .htaccess to be used).

My Kirby panel warns me my content folder is exposed even though I have all the default Kirby .htaccess settings including RewriteRule ^content/(.*) index.php [L]

Any ideas why this would not be working?

Its because everythings in the web root, ie the public or www or whatever your host has called it. If your host allows you to you, you can place those folders outside of the public area which increases security.

See here:

I thought the above code should still work though?

Still looking for a solution to this one. Anyone?

How does this look like and where does it come from? I have Apache with a standard Kirby setup and never see such warning. Knowing the source where this warning is triggered might help finding the reason.

Kirby checks the following urls to determine if any of the folders is exposed.

  • yourdomain/content/site.txt
  • yourdomain/kirby/composer.json
  • yourdomain/.git/config
  • yourdomain/site/blueprints/site.yml

Please check what responses you get for them. Maybe you have a redirect in place somewhere that causes this, returning a 302 instead of a 404.

I can see the site.txt file when I check.

I have the default Kirby .htaccess file and have not changed any settings.

I am not sure why the is is viewable still, and giving me the warning in the panel settings.

Maybe you need to dive deeper into the settings of your provider. Citing their docs:

By using this stack, your static files (eg: css,js,images,fonts) will be served by NGINX. If it is PHP, NGINX will pass it to Apache2 and the request will be passed to PHP-FPM.

For me, this means that requests for static files will not be served by Apache and thus no evaluation of its .htaccess rules. The rules therein will only be taken into account if .php files are requested. However, the sense of Kirby’s .htaccess file is to redirect all requests pertaining to any file in the site, kirby or content folder to the main index.php which serves as a dispatcher.

Thanks for the reply. I have just had the same response from Runcloud support.

“it’s because you are on a Hybrid stack in which the static files like TXT, HTML etc are handled by the Nginx and not by the Apache.”

I have added a NGINX Config file as follows which seems to have done the trick, but doesnt target the ‘Content’ folder specifically.:

location ~ \.txt$ {
        # Deny access to all .txt files
        deny all;
        return 404;

Is this okay - Does anyone know enough about NGINX for how to be more specific?

I think i’m having the same issue on one of our servers. The htaccess Rewrite seem to be ignored. Everything works fine on a development server but not on the production system. The difference i found is some setting in PLESK which seems to be for performance reasons only. When i switch it on in the DEV-server i get the same warning in the panel (content folder not safe).

i’m talking about the third checkbox (static files handled by nginx)

I don’t have access to the nginx config myself, but asked the hosting colleagues to see this guide and try out some things.

We need to run kirby in a subfolder /kirby/ for the time being (this will later be the docroot), so i guess there need to be made some adjustments to the nginx config example but i am not familiar with the nginx syntax. Does someone have any hints? Atm all tests result in a “not found” error when trying to access /kirby/

My next idea is to try and switch off the checkbox on the production server and see what difference it makes to the performance, if any. Have to find a good way to test that. Any hints appreciated.

@mactedder did you find a way to solve it?

Thank you!