Panel semi-working after going live - lvl noob+

Hi,
I know this thread has been already dealt with, but it seems I can’t deal with a solution.

When I’m on localhost my panel works fine, but after going live it acts crazy.
Part of the options are out; I can make changes on each page but can’t seem to create one or duplicate one. Same for the structure: I can only make these changes manually by changing the names of the folders.
The website: https://silviomilone.com

Settling this would be a huge help for me to update the website at peace ^^.

Thanks in advance. Love to all.

PS: tried to delete the user account, reinstall from dist, changed all the permissions, edited config.php

Edit:
List of actions made.
-Followed and applied https://getkirby.com/docs/guide/troubleshooting/panel - without success
-Put Header set Cache-Control "no-cache, private" at the very top of the .htaccess file. - without success

Have you already checked out the Panel troubleshooting guide? Might be a caching issue:


Hi thanks for your answer <3

php_value opcache.revalidate_freq 0

This created an error 500, even after deleting the cache.

Header set Cache-Control "no-cache, private"

This did not create an error but did not fix my issue.

No more tips in the link that I could use :s

For information, I’m using the Zero One theme.

I figured this might be an OVH setting issue; I did reset my DNS zone, beyond that I’m clueless.

Here is a copy of my .htaccess:

# Kirby .htaccess

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# https://silviomilone.com/
RewriteEngine on

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder.
# Otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite
# Set the RewriteBase to:
#
RewriteBase /

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# https redirect
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# force www without ssl
# RewriteCond %{HTTPS} off
# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
# RewriteCond %{HTTP_HOST} (.+)$ [NC]
# RewriteRule ^(.*)$ http://www.%1/$1 [R=301,L]

# force www with ssl
RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
RewriteCond %{HTTP_HOST} (.+)$ [NC]
RewriteRule ^(.*)$ https://www.%1/$1 [R=301,L]

# force non-www without ssl
# RewriteCond %{HTTPS} off
# RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
# RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# force non-www with ssl
# RewriteCond %{HTTPS} on
# RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
# RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# redirect www all except subdomains
# RewriteCond %{HTTP_HOST} !^(.*)\.(.*)\. [NC]
# RewriteCond %{HTTPS}s ^on(s)|
# RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block text files in the content folder from being accessed directly
RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

# block all files in the site folder from being accessed directly
# except for requests to plugin assets files
RewriteRule ^site/(.*) index.php [L]

# Enable authentication header
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# block direct access to kirby and the panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

</IfModule>

# Additional recommended values
# Remove comments for those you want to use.
#
# AddDefaultCharset UTF-8
#
# php_flag short_open_tag on

# ==== GZIP =====
<ifmodule mod_deflate.c>
	# compress text, html, javascript, css, xml:
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE application/xml
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/json
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/x-javascript
	AddOutputFilterByType DEFLATE application/x-font-woff
	AddOutputFilterByType DEFLATE application/x-font-woff2

	# Or, compress certain file types by extension:
	<files *.html>
		SetOutputFilter DEFLATE
	</files>
</ifmodule>
# ==== GZIP END =====

<ifmodule mod_deflate.c>
	<ifmodule mod_setenvif.c>
		<ifmodule mod_headers.c>
		SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
		RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
		</ifmodule>
	</ifmodule>
</ifmodule>

<IfModule mod_headers.c>
	<FilesMatch "\.(ico|pdf|flv|mp4|ogg|webm|jpg|jpeg|png|gif|js|css|swf|eot|font.css|otf|ttc|ttf|woff|woff2|svg|zip)$">
		Header set Cache-Control "max-age=604800, public"
	</FilesMatch>

	<FilesMatch "\.(html|htm|xml|txt)$">
		Header set Cache-Control "max-age=86400, public, must-revalidate"
	</FilesMatch>
</IfModule>

# ######################################################################
# # MEDIA TYPES AND CHARACTER ENCODINGS                                #
# ######################################################################

# ----------------------------------------------------------------------
# | Media types                                                        |
# ----------------------------------------------------------------------

# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype

<IfModule mod_mime.c>

  # Data interchange

    AddType application/atom+xml                        atom
    AddType application/json                            json map topojson
    AddType application/ld+json                         jsonld
    AddType application/rss+xml                         rss
    AddType application/vnd.geo+json                    geojson
    AddType application/xml                             rdf xml


  # JavaScript

    # Normalize to standard type.
    # https://tools.ietf.org/html/rfc4329#section-7.2

    AddType application/javascript                      js


  # Manifest files

    # If you are providing a web application manifest file (see
    # the specification: https://w3c.github.io/manifest/), it is
    # recommended that you serve it with the `application/manifest+json`
    # media type.
    #
    # Because the web application manifest file doesn't have its
    # own unique file extension, you can set its media type either
    # by matching:
    #
    # 1) the exact location of the file (this can be done using a
    #    directive such as `<Location>`, but it will NOT work in
    #    the `.htaccess` file, so you will have to do it in the main
    #    server configuration file or inside of a `<VirtualHost>`
    #    container)
    #
    #    e.g.:
    #
    #       <Location "/.well-known/manifest.json">
    #           AddType application/manifest+json               json
    #       </Location>
    #
    # 2) the filename (this can be problematic as you will need to
    #    ensure that you don't have any other file with the same name
    #    as the one you gave to your web application manifest file)
    #
    #    e.g.:
    #
    #       <Files "manifest.json">
    #           AddType application/manifest+json               json
    #       </Files>

    AddType application/x-web-app-manifest+json         webapp
    AddType text/cache-manifest                         appcache


  # Media files

    AddType audio/mp4                                   f4a f4b m4a
    AddType audio/ogg                                   oga ogg opus
    AddType image/bmp                                   bmp
    AddType image/svg+xml                               svg svgz
    AddType image/webp                                  webp
    AddType video/mp4                                   f4v f4p m4v mp4
    AddType video/ogg                                   ogv
    AddType video/webm                                  webm
    AddType video/x-flv                                 flv

    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying then as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

    AddType image/x-icon                                cur ico


  # Web fonts

    AddType application/font-woff                       woff
    AddType application/font-woff2                      woff2
    AddType application/vnd.ms-fontobject               eot

    # Browsers usually ignore the font media types and simply sniff
    # the bytes to figure out the font type.
    # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
    #
    # However, Blink and WebKit based browsers will show a warning
    # in the console if the following font types are served with any
    # other media types.

    AddType application/x-font-ttf                      ttc ttf
    AddType font/opentype                               otf


  # Other

    AddType application/octet-stream                    safariextz
    AddType application/x-bb-appworld                   bbaw
    AddType application/x-chrome-extension              crx
    AddType application/x-opera-extension               oex
    AddType application/x-xpinstall                     xpi
    AddType text/vcard                                  vcard vcf
    AddType text/vnd.rim.location.xloc                  xloc
    AddType text/vtt                                    vtt
    AddType text/x-component                            htc

</IfModule>


# ----------------------------------------------------------------------
# | Reducing MIME type security risks                                  |
# ----------------------------------------------------------------------

# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin
# data leaks, and should be left uncommented, especially if the server
# is serving user-uploaded content or content that could potentially be
# treated as executable by the browser.
#
# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
# https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
# https://mimesniff.spec.whatwg.org/

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

# ----------------------------------------------------------------------
# | ETags                                                              |
# ----------------------------------------------------------------------

# Remove `ETags` as resources are sent with far-future expires headers.
#
# https://developer.yahoo.com/performance/rules.html#etags
# https://tools.ietf.org/html/rfc7232#section-2.3

# `FileETag None` doesn't work in all cases.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

FileETag None

# ----------------------------------------------------------------------
# | Expires headers                                                    |
# ----------------------------------------------------------------------

# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html

<IfModule mod_expires.c>

    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

  # CSS
    ExpiresByType text/css                              "access plus 1 year"

  # Data interchange
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML
    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

  # Manifest files
    ExpiresByType application/manifest+json             "access plus 1 year"

    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Media files
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"

  # Web fonts

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 month"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 month"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 month"

  # Other
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"


Header set Cache-Control "no-cache, private"


</IfModule>

That should go at the top of your .htaccess.

Also make sure that your server meets all requirements as outlined in the documentation.

Which Kirby version are you using?
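To see where each Cache-Control directive in an .htaccess actually sits, the following added example (not part of the thread) lists every `Header ... Cache-Control` line with its enclosing containers, whether it is the first directive in the file, and whether it was pasted with typographic quotes. The excerpt is constructed to mirror the layout of the file posted above; the function and field names are hypothetical.

```python
import re

# CONSTRUCTED excerpt mirroring the posted .htaccess: the no-cache header is
# the last directive inside the mod_expires block, far from the top.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine on
</IfModule>
<IfModule mod_headers.c>
    <FilesMatch "\\.(js|css|png)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
</IfModule>
<IfModule mod_expires.c>
    ExpiresActive on
Header set Cache-Control "no-cache, private"
</IfModule>
"""

OPEN = re.compile(r'^<([A-Za-z]+)\b([^>]*)>$')
CLOSE = re.compile(r'^</\s*[A-Za-z]+\s*>$')
HEADER = re.compile(
    r'^Header\s+(?:always\s+|onsuccess\s+)?'
    r'(set|setifempty|append|add|merge|unset)\s+Cache-Control\b\s*(.*)$',
    re.IGNORECASE,
)


def cache_control_directives(text):
    """List Cache-Control Header directives with their position and nesting."""
    stack, found, first = [], [], True
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not count as directives
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
        elif (m := HEADER.match(line)):
            value = m.group(2)
            found.append({
                "line": number,
                "action": m.group(1).lower(),
                "value": value,
                "inside": list(stack),   # enclosing <IfModule>/<FilesMatch> blocks
                "at_top": first,         # True only for the first directive in the file
                "curly_quotes": any(c in value for c in "\u201c\u201d"),
            })
        first = False
    return found


if __name__ == "__main__":
    for d in cache_control_directives(SAMPLE_HTACCESS):
        print(d["line"], d["value"], "inside:", d["inside"], "top:", d["at_top"])
```
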


:raised_hands: :pray: :pray:

Header set Cache-Control "no-cache, private"

^ that has been put at the top.

Tried running PHP 7.4, 8.0 and currently 8.1

Currently hosted by OVH.

Thank you very much for your time

Maybe @mrfreedom has heard of this issue with other users of their templates?
An occasion to thank you for your work.
Any help would be greatly appreciated.
Love from France. <3 <3 <3

Hi, @silvio!

Sorry, haven’t heard of something similar.

  1. Have you checked in the browser console whether there are any errors? They can give you hints.
  2. Ask the hosting provider whether they maybe have some special caching. This is very popular among big hosting providers, and many of them are keeping this a secret. If they do, ask them to turn it off for you.
  3. Try the website on another host.
  4. Did you add some additional plugins to the install?

Those are the best things that come to my mind at the moment.

And yeah, I love your website! :trophy:

Hi,
thank you so much for your time and work.

  1. In my console I’ve got three errors but I don’t know if they are related:
    Plugin is replacing “k-block-type-gallery” index.js:1:32193
    Plugin is replacing “k-block-type-table” index.js:1:32193
    Plugin is replacing “k-block-type-video” index.js:1:32193

  2. Will do and let you know. I’ve got a dedicated server on OVH, pretty mainstream; it would be strange that no one from the community got this kind of error.

  3. I will try that out too; everything works fine on localhost.

  4. No plugin was installed, some code added in the “styling” sections, should be in the right place.

Bonus error while changing status of a page:


Thank you so much for your support and feedback on my website.
Anyone asking me which tools I used to do it, I redirect to your template and getkirby right away. <3
Much love

I’ve found an interesting lead, an error is flooding in the log of the server.

[Thu Jun 30 22:09:08 2022] [error] [client 2a03:2880:31ff:1b::face:b00c] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Range: field exists and begins with 0."] [hostname "silviomilone.com"] [uri "/"] [unique_id "Yr4C5OR7m3Uzk@Jub5EpGAAAAAw"]

Hi, @Silvio, these are just notices, not errors, don’t worry about them

This means that your Web Application Firewall is finding something that is happening in that website as a security issue. Which is very strange.

What is the server management software you have installed on that server? Plesk, cPanel, something else? Configured by yourself? Check out the settings in the Web Application Firewall: is everything set up correctly there?

Also, make sure you use plugins from Zero One files. Especially, make sure to use the Sitemapper plugin from Zero One files, because the version from GitHub breaks the panel (Cannot change language · Issue #5 · kirbyzone/sitemapper · GitHub). The version in Zero One has this fixed.

And, what is your Kirby CMS version on that install?
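The log line quoted above can be triaged in code to tell a logged-only warning from a request the WAF actually denied. This is an added example, not part of the original posts: the second sample line is constructed, and the `/panel` and `/api` prefixes are assumed to be the default Kirby Panel and API paths.

```python
import re

# First entry: the line quoted in the thread. Second entry: CONSTRUCTED, to
# show a blocking entry in the same ModSecurity 2.x Apache error-log layout.
SAMPLE_LOG = [
    '[Thu Jun 30 22:09:08 2022] [error] [client 2a03:2880:31ff:1b::face:b00c] '
    'ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. '
    '[file "/usr/local/apache2/conf/modsecurity/base_rules/'
    'modsecurity_crs_60_correlation.conf"] [line "32"] '
    '[msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): '
    'Range: field exists and begins with 0."] [hostname "silviomilone.com"] '
    '[uri "/"] [unique_id "Yr4C5OR7m3Uzk@Jub5EpGAAAAAw"]',
    '[Thu Jun 30 22:10:00 2022] [error] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    '[file "/constructed/rules.conf"] [line "1"] [id "0000000"] '
    '[msg "constructed sample rule"] [hostname "example.test"] '
    '[uri "/api/pages/projects"] [unique_id "CONSTRUCTED-SAMPLE-ID"]',
]

HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<level>[^\]]+)\] '
                  r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED = re.compile(r'Access denied with code (\d+)')
SCORE = re.compile(r'Total Inbound Score: (\d+)')
# The LT operand is the value the anomaly score was compared against.
COMPARED = re.compile(r'Operator LT matched (\d+) at TX:inbound_anomaly_score')

# ASSUMPTION: default Kirby URL prefixes used by the Panel and its API.
PANEL_PREFIXES = ('/panel', '/api')


def _int(match):
    return int(match.group(1)) if match else None


def parse_modsec(line):
    """Return a dict for one ModSecurity error-log line, or None if it is not one."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    rest = head.group('rest')
    denied = DENIED.match(rest)
    if denied:
        action = 'denied'
    elif rest.startswith('Warning.'):
        action = 'warning'
    else:
        action = 'other'
    return {
        'time': head.group('time'),
        'client': head.group('client'),
        'action': action,
        'status': _int(denied),
        'score': _int(SCORE.search(rest)),
        'compared_to': _int(COMPARED.search(rest)),
        'meta': dict(META.findall(rest)),  # file, line, msg, hostname, uri, ...
    }


def panel_blocks(lines, prefixes=PANEL_PREFIXES):
    """Entries where the WAF denied a request to a Panel or API path."""
    hits = []
    for line in lines:
        entry = parse_modsec(line)
        if entry and entry['action'] == 'denied' \
                and entry['meta'].get('uri', '').startswith(prefixes):
            hits.append(entry)
    return hits


if __name__ == '__main__':
    for e in map(parse_modsec, SAMPLE_LOG):
        print(e['action'], e['status'], e['score'], e['meta'].get('uri'))
    print('denied panel/API requests:', len(panel_blocks(SAMPLE_LOG)))
```
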

Hey, thanks for your reactivity and help, it is really appreciated <3
This is where my noobness starts.
I don’t have a server management software installed.
I use FileZilla to exchange files with the server.
I used the OVH manager tool to install PHP 8.1, SSL “Let’s Encrypt”, DNS zone - used auto -.
No database installed.
I did edit the .ovhconfig file at the root of the server (the only file except the directories of the two websites I host).
Here is what’s inside:

http.firewall=security
container.image=stable64
app.engine.version=8.1
app.engine=php
environment=production

Do you think I should use a software manager? Do you have any cookbook I could use to get into it and configure it properly?

That might be something, as the panel didn’t show all the options, I couldn’t find how to use the Sitemapper plugin… So I manually installed a sitemap that I created here https://www.xml-sitemaps.com/
I’m gonna update this plugin right away from the latest version of Zero One, thanks for pointing that out <3 <3 <3 I’ll go for it right away

Using 3.6.4 version of getkirby, I can notice that debugging is on, should I turn it off?

Bless, have a great day

You don’t need to do much to configure Sitemapper, every page, and every file has the option in the panel to either include or drop out from the sitemap (SEO options - Zero One Documentation). And it works great with multilanguage websites too.

I use Plesk, and I am super happy with it. From my point of view, it has much better options than cPanel.


Followed this (Changelog - Zero One Documentation) to proceed with the exchange of Sitemapper.

No success.

Looking at the console when the k-dialog error comes up, I’ve found this in the console:

Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://www.silviomilone.com/favicon.ico (« default-src »). 2 resource:191:19

About Sitemapper, I can’t find the file created by Sitemapper, and Google tells me my robots.txt file blocks them from fetching my URL.

I guess that’s also why I had to create a sitemap.xml by hand, so Google indexes my website.

This is mindblowing for me as a fix creates another bug.

But I keep a positive mind as it would be great to get the automation feature of the sitemap and make it work with Google console (as I have to regenerate the XML by hand after any commit -.-).

Panel still not functioning; I just replaced my config files with the original ones from the theme.

Hi, Silvio, then obviously Sitemapper plugin is not the cause for the issue you have.

Concerning robots.txt, your https://www.silviomilone.com/robots.txt is really blocking Google from indexing, and the reason is that you have debugging turned on. Just turn debugging off, you don’t need it on the live website, it is a security issue. The robots plugin disallows Google from indexing when debugging is on (disallow all on debug · Issue #4 · bnomei/kirby3-robots-txt · GitHub).

Your sitemap generated from Sitemapper is working great https://www.silviomilone.com/sitemap.xml.
EDIT: Actually now it doesn’t, because you did something in the meantime. Reinstall all files in the site/plugins folder from Zero One files.

The panel is not working because your server is considering something as a security issue. From this

I would say it considers .ico file as a security issue. Replace that .ico file with .png file.

To summarize once again: everything is great with your website, just:

  • Remove that custom-made sitemap
  • Turn off debugging (debug | Kirby CMS)
  • Replace favicon.ico with some .png file
  • And just be patient and don’t panic :slightly_smiling_face: You are doing a great job although you don’t consider yourself technical :trophy:

Concerning Zero One specific things, write to me through private messaging or https://www.one.thezero.club/support so we don’t spam the forum.


<3 Thanks brother.
The sitemap issue with Sitemapper is resolved following your instructions. I can confirm that it has no link with the panel misbehaviour.

I tried to get into Plesk but it’s a “pro admin” interface and has license pricing for 10 websites.
Do you have any free open source alternative that I could use to install at least the minimum requirements for getkirby and Zero One?

The favicon.ico issue is kind of strange as I don’t have any favicon.ico file on the server.
I did try to reupload a favicon in the right format.

Also, make sure you use plugins from Zero One files. Especially, make sure to use the Sitemapper plugin from Zero One files, because the version from GitHub breaks the panel (Cannot change language · Issue #5 · kirbyzone/sitemapper · GitHub). The version in Zero One has this fixed.

YATA, this message led me to my mistake (which I don’t clearly identify).
I found the bug though, thanks to this thread and your response.

Creating the website, I kind of started a French version of it, not really understanding how it worked.
At a certain point I deleted it, maybe partially.
I might have messed up something here because as soon as I uploaded a file named fr.php in /site/languages/ the error when changing a page was gone.

Thank you very much for your time effort and patience as for @texnixe .
Much love to you all. :raised_hands: :pray: I feel blessed by such support and community.

PS: I also installed apache, nginx, put a php.ini at the root of the server and changed the PHP setting in OVH from production to dev, as it is made for no caching and auto rewrite.


If I understood you well, this means the issue is gone. Great! :muscle:
