Skip to content
This repository has been archived by the owner on May 9, 2023. It is now read-only.

Control Panel to work with https #1140

Closed
jcohlmeyer opened this issue Dec 2, 2016 · 5 comments
Closed

Control Panel to work with https #1140

jcohlmeyer opened this issue Dec 2, 2016 · 5 comments
Labels
pending release

Comments

@jcohlmeyer
Copy link

Expected behaviour

Control Panel to work with https

Actual behaviour

Randomly Statamic produces http links and creates a http redirect loop when using the Control Panel

Steps to reproduce

  1. Deploy a Statamic Site with https
  2. Control panel to function over https

Server configuration

Operating system:
CentOS

Web server:
Apache

PHP version:
5

Statamic version:
2.1.18

Updated from an older Statamic or fresh install:
2.x -> 2.1.18

List of installed addons:

  • Colorpicker

htaccess

If any logs (browser, server, or Statamic) are appropriate...

# ------------------------------------------------------------------------------
# COMMON PHP OVERRIDES
#
# Sometimes editing your php.ini file is impossible or even just annoying.
# Here are some of the most common settings that can (sometimes) be overridden.
# ------------------------------------------------------------------------------

# php_value memory_limit 256M
# php_value post_max_size 16M
# php_value max_execution_time 90
# php_value max_input_time 120
# php_value upload_max_filesize 16M

# ------------------------------------------------------------------------------
# BASE APACHE RULES
#
# When running in a subdirectory, you should uncomment and adjust the
# RewriteBase rule to point to your directory, eg. RewriteBase /directory/
# ------------------------------------------------------------------------------

Options -MultiViews
RewriteEngine On
RewriteBase /

# ------------------------------------------------------------------------------
# Force HTTPS
# ------------------------------------------------------------------------------

# Remove www from address
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} ^new\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect Trailing Slashes...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# ------------------------------------------------------------------------------
# REMOVE TRAILING SLASHES
# ------------------------------------------------------------------------------

#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*)/$ /$1 [L,R=301]


# ------------------------------------------------------------------------------
# STATIC CACHING PROXY
#
# Enable these rules when using static html caching
# to bypass Statamic when a given URL has a cached copy.
# ------------------------------------------------------------------------------

# RewriteCond %{REQUEST_FILENAME}   !-f
# RewriteCond %{REQUEST_METHOD} GET
# RewriteRule ^(.*) static/$1/index.html

# ------------------------------------------------------------------------------
# Mod Expire Headers
# ------------------------------------------------------------------------------

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 minute"
ExpiresByType image/x-icon "access plus 15 minutes"
ExpiresByType image/gif "access plus 15 minutes"
ExpiresByType image/png "access plus 15 minutes"
ExpiresByType image/jpeg "access plus 15 minutes"
ExpiresByType text/css "access plus 15 minutes"
ExpiresByType application/javascript "access plus 15 minutes"
</IfModule>

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# ------------------------------------------------------------------------------
# X-FRAME-OPTIONS (prevent clickjacking
# ------------------------------------------------------------------------------

Header always set X-FRAME-OPTIONS "DENY"


# ------------------------------------------------------------------------------
# X-XXS Portection
# ------------------------------------------------------------------------------

Header always set X-XSS-Protection "1; mode=block"


# ------------------------------------------------------------------------------
# Disable auto detectin of resource type
# to guard agains malicious explotation via MIME sniffing
# ------------------------------------------------------------------------------

Header always set X-Content-Type-Options "nosniff"

# ------------------------------------------------------------------------------
# PROTECT SYSTEM DIRECTORIES
#
# Not necessary when running above webroot.
# ------------------------------------------------------------------------------

RewriteRule ^site/(?!themes) - [F,L]
RewriteRule ^local - [F,L]
RewriteRule ^statamic - [F,L]


# ------------------------------------------------------------------------------
# ROUTE THROUGH INDEX.PHP
# ------------------------------------------------------------------------------

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
@edalzell
Copy link

edalzell commented Dec 2, 2016

What is your site url set to?

@jcohlmeyer
Copy link
Author

My site url is set to https://sustainable-development-goals.iisd.org/ I think ...

Below is my site/settings/settings.yaml file:

license_key: ***
locales:
  en:
    full: en_US
    name: English
    url: https://sustainable-development-goals.iisd.org/
timezone: UTC
date_format: F jS, Y
default_extension: md
filesystems:
  content:
    driver: local
    root: site/content
  storage:
    driver: local
    root: site/storage
  users:
    driver: local
    root: site/users
  themes:
    driver: local
    root: site/themes
    url: /site/themes
app_key: 3Oqal45ffRi3MmuQy92Y7zOnwHDIEtmS
redactor:
  - 
    name: Standard
    settings:
      buttons:
        - formatting
        - bold
        - italic
        - unorderedlist
        - orderedlist
        - html
  - 
    name: Basic
    settings:
      buttons:
        - bold
        - italic
csrf_exclude: [ ]
send_powered_by_header: true
ensure_unique_ids: true

@eminos
Copy link

eminos commented Dec 5, 2016

I'm having the same issue (had it since v2 beta).
It seems to have something to do with cookies/sessions, because after I clear those the website and control panel starts working again (no more redirect loop). My htaccess is more or less "default", only added the https/www redirect.

@jcohlmeyer
Copy link
Author

Looks like the issue is related to the cookie set header in the .htaccess file:

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

This above code is intended to help prevent XXS however it is breaking Statamic randomly when using the control panel over https.

Source: https://geekflare.com/httponly-secure-cookie-apache/

@jackmcdade jackmcdade mentioned this issue Mar 16, 2017
Closed
@jackmcdade
Copy link
Member

This usually just works out of the box, but we've found cases where the Symfony routing component doesn't properly detect your https headers, so we added an explicit setting for it. It'll be in the next release.

@jackmcdade jackmcdade mentioned this issue Mar 16, 2017
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
pending release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jackmcdade @jasonvarga @eminos @jcohlmeyer @edalzell