
Craft redirects to load balancer on /admin panel. CSRF issue? #4495

Kotauror opened this issue Jul 7, 2019 · 3 comments



commented Jul 7, 2019


Recently I've added CloudFront for my Craft app and now I'm experiencing an unwanted redirect.

DNS points to my CF, CF has an Elastic Load Balancer as an origin. The ELB is for the EC2 instances on which my Craft application runs. The ELB has a CNAME on my main domain, for certificate reasons. So the origin on CF is not, but

When I open most of my pages on the website, they work fine and are cached via CloudFront.
When I open either the /admin panel or any subpage that has a form (which makes me think it's a CSRF issue), I get redirected to the ELB domain.

I was able to prevent the redirection on the admin panel by setting the baseCpUrl to be of my domain, not ELB, but after this change I can't log in anymore (I used to be able to do it after the domain "switched" to ELB). I can't find a way to prevent the "switch" on the entries that have forms.

Do you have an idea what I can do to stay on the same domain and not get redirected to ELB?

Additional info

PHP version 7.1.27
Craft version Craft Pro 3.1.30
Yii version 2.0.19
Twig version 2.11.2

My general.php

<?php
/**
 * General Configuration
 *
 * All of your system's general configuration settings go in here. You can see a
 * list of the available settings in vendor/craftcms/cms/src/config/GeneralConfig.php.
 *
 * @see \craft\config\GeneralConfig
 */

return [
    // Global settings
    '*' => [
        // Default Week Start Day (0 = Sunday, 1 = Monday...)
        'defaultWeekStartDay' => 1,

        // Whether generated URLs should omit "index.php"
        'omitScriptNameInUrls' => true,

        // Control Panel trigger word
        'cpTrigger' => 'admin',

        // The secure key Craft will use for hashing and encrypting data
        'securityKey' => getenv('SECURITY_KEY'),

        // Whether to save the project config out to config/project.yaml
        // (see
        'useProjectConfigFile' => false,

        // Base URL of the Control Panel, taken from the environment
        'baseCpUrl' => getenv('BASE_CP_URL'),

        // Configuration from previous installation of Craft 2.7.8
        'overridePhpSessionLocation' => true,
        'requireMatchingUserAgentForSession' => false,
        'extraAllowedFileExtensions' => 'woff, woff2',
        // Duplicate of the key above; PHP keeps the last value for a repeated array key
        'omitScriptNameInUrls' => true,
        'devMode' => false,
        'useCompressedJs' => true,
        'cacheDuration' => false,
        'cacheMethod' => 'file',
        'enableCsrfProtection' => true,
        'backupDbOnUpdate' => false,
        'staticRedirectDisplayLimit' => 1000,
        'maxUploadFileSize' => 1000000000, // 1GB
    ],

    // Dev environment settings
    'dev' => [
        // Dev Mode (see
        'devMode' => true,
    ],

    // Staging environment settings
    'staging' => [
        // Set this to `false` to prevent administrative changes from being made on staging
        'allowAdminChanges' => true,
    ],

    // Production environment settings
    'production' => [
        // Set this to `false` to prevent administrative changes from being made on production
        'allowAdminChanges' => true,
    ],
];

commented Jul 8, 2019

SOP for this type of setup is to exclude all Control Panel requests from CF (or any other CDN). Any reason why you want it included?



commented Jul 9, 2019

Are you whitelisting the headers/cookies etc that Craft sets within CloudFront? If it's caching those things then you're likely to get caught out like this.



commented Jul 15, 2019

Hello all!

Thank you @mattandrews, this is what I needed to do. I was whitelisting only Host, but needed to whitelist Origin and Referer as well.


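The forwarding fix the thread settled on, as an added check that is not part of the issue or of Craft's own code: a script that audits a CloudFront distribution config for the Host, Origin and Referer headers and the cookies a Craft origin needs forwarded. It assumes the legacy ForwardedValues shape that boto3's get_distribution_config() returns and runs on a constructed config, not against AWS.

```python
# Added example (not from the issue): audit a CloudFront distribution config for
# the header/cookie forwarding a Craft CMS origin needs: Host, Origin, Referer
# and cookies. Assumes the legacy "ForwardedValues" shape that boto3's
# get_distribution_config() returns; nothing here calls AWS.
REQUIRED_HEADERS = ("Host", "Origin", "Referer")

def _behaviors(dist_config):
    """Yield (path_pattern, behavior) for the default and path-specific behaviors."""
    yield "*", dist_config["DefaultCacheBehavior"]
    for item in dist_config.get("CacheBehaviors", {}).get("Items", []):
        yield item["PathPattern"], item

def audit_forwarding(dist_config):
    """Return {path_pattern: [problems]} for behaviors that would break Craft's
    origin/CSRF handling; an empty dict means every behavior forwards enough."""
    findings = {}
    for path, beh in _behaviors(dist_config):
        fv = beh.get("ForwardedValues", {})
        forwarded = {h.lower() for h in fv.get("Headers", {}).get("Items", [])}
        problems = []
        if "*" not in forwarded:  # "*" means CloudFront forwards every header
            missing = [h for h in REQUIRED_HEADERS if h.lower() not in forwarded]
            if missing:
                problems.append("headers not forwarded: " + ", ".join(missing))
        if fv.get("Cookies", {}).get("Forward", "none") == "none":
            problems.append("cookies not forwarded (session and CSRF cookie are lost)")
        if problems:
            findings[path] = problems
    return findings

# Constructed sample mirroring the issue: the default behavior whitelists only
# Host and drops cookies; the /admin/* behavior already forwards what Craft needs.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"ForwardedValues": {
        "QueryString": True,
        "Cookies": {"Forward": "none"},
        "Headers": {"Quantity": 1, "Items": ["Host"]},
    }},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/admin/*",
        "ForwardedValues": {
            "QueryString": True,
            "Cookies": {"Forward": "all"},
            "Headers": {"Quantity": 3, "Items": ["Host", "Origin", "Referer"]},
        },
    }]},
}

if __name__ == "__main__":
    for path, problems in audit_forwarding(SAMPLE_CONFIG).items():
        print(f"{path}: {'; '.join(problems)}")
```

On the sample config only the default behavior is flagged, which is the situation the reporter described: form pages served through it lose Origin, Referer and the session cookie, while /admin/* is already forwarded correctly.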
angrybrad closed this Jul 15, 2019
