Why my Kirby site doesn't use HTTPS

Hi,

I’ve got an issue with my first Kirby installation (see configuration below).

First of all, some links use HTTP while others HTTPS.
For example, if kirby()->urls()->assets() is used in an href tag, it returns the path using the HTTPS protocol, but if used in another tag, it returns HTTP. I guess the redirection directive only works with links.
All routes to pages seem to work fine, but while logging in to the panel, on submitting the form, the browser throws the error:

Refused to send form data to 'http://mysub.domain.com/' because it violates the following Content Security Policy directive: "form-action 'self'".

As we see, the URL doesn’t use the HTTPS protocol, and the user is stuck on the login page (with the spinning wheel). Strangely, if you refresh the page, you access the dashboard anyway.

In the same way, when you call the https://mysub.domain.com/blog/sitemap.xml page (provided by the pedroborges/kirby-xml-sitemap plugin), the browser throws the error below.

Unsafe attempt to load URL http://mysub.domain.com/blog/sitemap.xsl from frame with URL https://preprod.chateaudevaugrigneuse.com/blog/sitemap.xml. Domains, protocols and ports must match.

Again, we see the plugin needs to load the sitemap.xsl stylesheet from an unsecured URL.

Would someone have ideas to fix this odd issue?

Installation configuration:

  • Apache behind Nginx proxy Server
  • DNS managed by Cloudflare
  • Using Cloudflare flexible SSL (HTTPS redirection enabled)
  • Kirby v.2.5.12 installed in /blog subfolder
  • Default Kirby htaccess directives
  • Plugins: jenstornell/kirby-seo, CalebGrove/content-viewer, pedroborges/kirby-xml-sitemap

Have you tried to set ssl to true in your config.php?

c::set('ssl',true);

Hi,

Thanks for your suggestion.

Setting SSL to “true” causes a conflict with Cloudflare Flexible SSL and its “Automatic HTTPS Rewrites”: the browser throws the error “The page isn’t redirecting properly” ERR_TOO_MANY_REDIRECTS.
That makes sense, since Cloudflare already rewrites URLs to force HTTPS, so Kirby loops.

I suspect Cloudflare Flexible SSL doesn’t work as it should with Kirby.
I’ll try to install a Full SSL certificate to see if Kirby gets the correct protocol.

EDIT:
If you use the Cloudflare Flexible SSL, Cloudflare secures only the connection between their server and the user, so your origin server always serves your pages with the unsecured HTTP protocol.
As Kirby builds URLs from the origin server, the URLs use HTTP only.
You have to create Cloudflare Origin Certificates then install them on your server. After your server is configured to answer HTTPS connections, you can turn on Cloudflare Full SSL.

Hi there, adding on to this. I too am having the issue. I followed instructions from here:

BUT I don’t understand what to do when it comes to “2. Install Origin CA certificate on origin server”. I am using Cyberduck FTP, and there’s no mention of how to do this via FTP. Any ideas, or alternative methods for resolving this issue with the panel? Thanks!

You cannot do this via FTP (and shouldn’t use an insecure FTP connection anyway, see https://getkirby.com/docs/guide/security#secure-your-server__use-secure-connections-to-your-server)

But if you have a cPanel feature or something similar, there should be an option to add certificates.

Hey thanks, okay, that’s good to know. I will find another way or just buy an SSL. One last solution I am considering: in the Kirby Panel file, which seems to be a dynamically generated JS file for the panel (?), there is the line below that is preventing the panel from loading because of insecure mixed content. Is there a way of making this an https link? I believe that would solve the problem.

import('http://sashaportis.com/media/panel/ff94b166fe49dc31e6c2f997704bd451/js/index.js')

Error message:

Mixed Content: The page at 'https://sashaportis.com/panel/login' was loaded over HTTPS, but requested an insecure script 'http://sashaportis.com/media/panel/ebf9f9abdb59acd3b55d4a900c10833b/js/index.js'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ login:764

Have you tried to set the url option to your domain in your config?
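An added example (not code from this thread, from Kirby or from Cloudflare) tying together the two points made above: behind Cloudflare Flexible SSL or the Nginx proxy the origin only ever sees plain HTTP, so URLs come out as http://, and a fixed url option removes the guesswork. The snippet is meant for the top of site/config/config.php in Kirby 2; the proxy address list, the domain and the assumption that Kirby 2 derives the scheme from $_SERVER['HTTPS'] are mine, not the thread's.

```php
<?php
// Added example for Kirby 2, placed at the top of site/config/config.php so it
// runs before any URL is built. Assumption: Kirby 2 reads $_SERVER['HTTPS'] to
// decide between http:// and https://.

// Only these addresses may set X-Forwarded-Proto. Assumed values: the local
// Nginx proxy sitting in front of Apache. Add the Cloudflare edge ranges if
// Cloudflare talks to Apache directly. A header from any other address is
// ignored, because a client can send X-Forwarded-Proto itself.
$trustedProxies = array('127.0.0.1', '::1');

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$forwardedProto = isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
  ? strtolower(trim($_SERVER['HTTP_X_FORWARDED_PROTO']))
  : '';

if (in_array($remote, $trustedProxies, true) && $forwardedProto === 'https') {
  // The visitor reached Cloudflare over HTTPS even though the origin socket is
  // plain HTTP; mark the request as secure so generated URLs use https://.
  $_SERVER['HTTPS'] = 'on';
  $_SERVER['SERVER_PORT'] = '443';
}

// Pinning the base URL (domain and /blog subfolder as in the thread, assumed)
// makes asset, panel and sitemap links independent of what the origin sees.
// Do not combine this with c::set('ssl', true) on Flexible SSL: the origin never
// receives an HTTPS request, so the forced redirect loops (ERR_TOO_MANY_REDIRECTS).
c::set('url', 'https://mysub.domain.com/blog');
```

This only corrects the URLs Kirby emits; the hop between Cloudflare and the origin stays unencrypted until a certificate is installed on the origin and the Cloudflare mode is switched to Full.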

You don’t need to buy an SSL certificate. Thanks to Let’s Encrypt, SSL certificates are available at no cost. And even if you do, you still need to configure your site at your server (“origin server” in Cloudflare’s wording) to make use of SSL without exceptions. You can set the “Full” or “Full (strict)” mode on Cloudflare without their Origin certificates or Origin CA. However, from their point of view (not from mine), it is easier to use their Origin certificates or Origin CA. Either way, you need to configure a working SSL website at your end.