Panel appears as blank

Hello, so I’m getting an ‘panel blank’ when I’m trying to access it with this error in console:

       DOMException: Failed to execute 'pushState' on 'History': A history state object with URL '' cannot be created in a document with origin '' and URL ''.
    at Object.onPushState (
    at pt.setState (
    at pt.init (
    at a.created (
    at Vt (
    at nn (
    at a.Cn._init (
    at new a (
    at init (
error @ index.js:1
       Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure resource ''. This request has been blocked; the content must be served over HTTPS.
request @ index.js:1
get @ index.js:1
user @ index.js:1
       TypeError: Failed to fetch
    at Object.request (index.js:1:3022)
    at Object.get (index.js:1:3630)
    at user (index.js:1:5391)


  • I’m using a public folder structure
  • set url to ‘
  • php 8.0 with kirby 3.6.5
  • kirby is installed with composer in vendor
  • already deleted media without any effect
  • user and group are www-data
  • permissions are 755 for folders and 644 for files

Here’s my .htaccess as well:

# Kirby .htaccess

# Core rewrite rules
<IfModule mod_rewrite.c>

    RewriteEngine on

    # Make sure to set the RewriteBase correctly if you are running
    # the site in a subfolder otherwise links or the entire site will break.
    # RewriteBase /

    # Block files and folders beginning with a dot, such as `.git`, except for
    # the `.well-known` folder, which is used for Let's Encrypt and `security.txt`.
    RewriteRule (^|/)\.(?!well-known\/) index.php [L]

    # Make site links work.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*) index.php [L]


# Pass the Authorization header to PHP.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# Allow cross-origin access to web fonts.
<IfModule mod_headers.c>
    <FilesMatch "\.(otf|woff2?)$">
        Header set Access-Control-Allow-Origin "*"

# Compression for better web performance
<IfModule mod_deflate.c>

    # Force compression for mangled `Accept-Encoding` request headers.
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding

    # Compress all output labeled with one of the following media types.
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/geo+json" \
                                      "application/wasm" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "text/cache-manifest" \
                                      "text/calendar" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/markdown" \
                                      "text/vcard" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \



A similar error message was encountered here: Kirby in Dokku broken with recent update - #2 by wout

Don’t know if that applies to your setup

Tried to apply his solution but still with no success. I run the same setup on a test server where there’s no ssl and there is working. So the problem is related to ssl but really don’t know what I can do

Have you tried to set the URL in your config.php?

1 Like

I was going to say the same. I had to explicitly force Kirby over https by adding the url option:

return [
  // ...
  'url' => ''

If you used my hack, did you have the ENV var configured as well?

Forgot to mention that I already have url set up but still does not solve it.

@wout I don’t have env configuration files, maybe can you explain your solution a bit in a way that I can integrate without env

Of course. Basically what it does is set $_SERVER['HTTPS'] to true for the production environment where everything always runs over https. If the value of APP_ENV is anything else than 'production', or simply not configured, $_SERVER['HTTPS'] is set to false.

I went with the ENV var setup because then I don’t need to do anything in development, and setting env vars in production requires minimum effort.

any idea how I could do that directly in config just to test if it will solve? tried some stuff now my log looks like this

       GET 403
request @ index.js:1
get @ index.js:1
user @ index.js:1
       {status: 'error', message: 'Unauthenticated', code: 403, exception: 'Kirby\\Exception\\PermissionException', key: 'error.permission', …}
onError @ index.js:1
request @ index.js:1
await in request (async)
get @ index.js:1
user @ index.js:1
       DOMException: Failed to execute 'pushState' on 'History': A history state object with URL '' cannot be created in a document with origin '' and URL ''.
    at Object.onPushState (
    at pt.setState (
    at pt.go (

I think Config::get() in your main index.php is an option. Something like:


include '../vendor/autoload.php';

$kirby = new Kirby;

$_SERVER['HTTPS'] = Config::get('app.env') == 'production';

echo $kirby->render();

Then add the configuration on your server in the config file:


return [
  // ...
  'app' => [
    'env' => 'production'

Let me know if that works.

Ok, added your example but can’t say if it actually does anything. Panel still acts the same but thank you for trying

@texnixe have any idea if this could be related to this? Fixed Fiber requests to non-origin urls

I think it’s rather this issue: Url overwrite config doesn't overwrite protocol · Issue #4234 · getkirby/kirby · GitHub

Ok, first thanks to @wout and @texnixe for pointing me in the right direction :slight_smile:
Here’s the workaround solution I did to fix my issue:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = true;

What it does is identify the protocol used and if https is used it will force HTTPS over Kirby.

1 Like

You’re welcome. :slight_smile: Great you found a solution!