
Control Panel to work with https #1140

Closed
jcohlmeyer opened this Issue Dec 2, 2016 · 5 comments

jcohlmeyer commented Dec 2, 2016

Expected behaviour

Control Panel to work with https

Actual behaviour

Randomly Statamic produces http links and creates a http redirect loop when using the Control Panel

Steps to reproduce

  1. Deploy a Statamic Site with https
  2. Control panel to function over https

Server configuration

Operating system:
CentOS

Web server:
Apache

PHP version:
5

Statamic version:
2.1.18

Updated from an older Statamic or fresh install:
2.x -> 2.1.18

List of installed addons:

  • Colorpicker

htaccess

If any logs (browser, server, or Statamic) are appropriate...

# ------------------------------------------------------------------------------
# COMMON PHP OVERRIDES
#
# Sometimes editing your php.ini file is impossible or even just annoying.
# Here are some of the most common settings that can (sometimes) be overridden.
# ------------------------------------------------------------------------------

# php_value memory_limit 256M
# php_value post_max_size 16M
# php_value max_execution_time 90
# php_value max_input_time 120
# php_value upload_max_filesize 16M

# ------------------------------------------------------------------------------
# BASE APACHE RULES
#
# When running in a subdirectory, you should uncomment and adjust the
# RewriteBase rule to point to your directory, eg. RewriteBase /directory/
# ------------------------------------------------------------------------------

Options -MultiViews
RewriteEngine On
RewriteBase /

# ------------------------------------------------------------------------------
# Force HTTPS
# ------------------------------------------------------------------------------

# Remove www from address
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} ^new\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect Trailing Slashes...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# ------------------------------------------------------------------------------
# REMOVE TRAILING SLASHES
# ------------------------------------------------------------------------------

#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*)/$ /$1 [L,R=301]


# ------------------------------------------------------------------------------
# STATIC CACHING PROXY
#
# Enable these rules when using static html caching
# to bypass Statamic when a given URL has a cached copy.
# ------------------------------------------------------------------------------

# RewriteCond %{REQUEST_FILENAME}   !-f
# RewriteCond %{REQUEST_METHOD} GET
# RewriteRule ^(.*) static/$1/index.html

# ------------------------------------------------------------------------------
# Mod Expire Headers
# ------------------------------------------------------------------------------

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 minute"
ExpiresByType image/x-icon "access plus 15 minutes"
ExpiresByType image/gif "access plus 15 minutes"
ExpiresByType image/png "access plus 15 minutes"
ExpiresByType image/jpeg "access plus 15 minutes"
ExpiresByType text/css "access plus 15 minutes"
ExpiresByType application/javascript "access plus 15 minutes"
</IfModule>

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# ------------------------------------------------------------------------------
# X-FRAME-OPTIONS (prevent clickjacking)
# ------------------------------------------------------------------------------

Header always set X-FRAME-OPTIONS "DENY"


# ------------------------------------------------------------------------------
# X-XSS Protection
# ------------------------------------------------------------------------------

Header always set X-XSS-Protection "1; mode=block"


# ------------------------------------------------------------------------------
# Disable auto detection of resource type
# to guard against malicious exploitation via MIME sniffing
# ------------------------------------------------------------------------------

Header always set X-Content-Type-Options "nosniff"

# ------------------------------------------------------------------------------
# PROTECT SYSTEM DIRECTORIES
#
# Not necessary when running above webroot.
# ------------------------------------------------------------------------------

RewriteRule ^site/(?!themes) - [F,L]
RewriteRule ^local - [F,L]
RewriteRule ^statamic - [F,L]


# ------------------------------------------------------------------------------
# ROUTE THROUGH INDEX.PHP
# ------------------------------------------------------------------------------

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
edalzell commented Dec 2, 2016

What is your site url set to?

jcohlmeyer commented Dec 5, 2016

My site url is set to https://sustainable-development-goals.iisd.org/ I think ...

Below is my site/settings/settings.yaml file:

license_key: ***
locales:
  en:
    full: en_US
    name: English
    url: https://sustainable-development-goals.iisd.org/
timezone: UTC
date_format: F jS, Y
default_extension: md
filesystems:
  content:
    driver: local
    root: site/content
  storage:
    driver: local
    root: site/storage
  users:
    driver: local
    root: site/users
  themes:
    driver: local
    root: site/themes
    url: /site/themes
app_key: 3Oqal45ffRi3MmuQy92Y7zOnwHDIEtmS
redactor:
  - 
    name: Standard
    settings:
      buttons:
        - formatting
        - bold
        - italic
        - unorderedlist
        - orderedlist
        - html
  - 
    name: Basic
    settings:
      buttons:
        - bold
        - italic
csrf_exclude: [ ]
send_powered_by_header: true
ensure_unique_ids: true
eminos commented Dec 5, 2016

I'm having the same issue (had it since v2 beta).
It seems to have something to do with cookies/sessions, because after I clear those the website and control panel start working again (no more redirect loop). My htaccess is more or less "default"; I only added the https/www redirect.

jcohlmeyer commented Dec 21, 2016

Looks like the issue is related to the cookie set header in the .htaccess file:

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

The above code is intended to help prevent XSS; however, it is breaking Statamic randomly when using the control panel over https.

Source: https://geekflare.com/httponly-secure-cookie-apache/

jackmcdade commented Mar 16, 2017

This usually just works out of the box, but we've found cases where the Symfony routing component doesn't properly detect your https headers, so we added an explicit setting for it. It'll be in the next release.
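The two mechanisms discussed in this thread, the `Header edit Set-Cookie` rule from the reporter's .htaccess and the scheme-detection failure the maintainer describes, can be checked with a small model. The following is an added example, not Statamic's or Symfony's code. It applies the exact `^(.*)$` pattern from the .htaccess to sample `Set-Cookie` headers (so you can see that it blindly appends attributes, duplicating `HttpOnly` when a cookie already carries it), and it simulates one request passing through the force-HTTPS rewrite and then an application that reads the scheme from server variables. The host `example.test`, the `/cp` path, the cookie value, the `HTTPS` server variable and the assumption that the application redirects to its configured https site URL whenever it detects http are all modelling assumptions; the `explicit` parameter stands in for the explicit setting the maintainer mentions, whose real name is not given on the page.

```python
"""Model of the HTTPS redirect loop from this issue (added example, not
Statamic's code). Layer 1 is the Apache force-HTTPS rewrite and the
Set-Cookie header edit from the reporter's .htaccess; layer 2 is an
application that builds its redirect target from the scheme it detects."""

import re
from typing import Dict, List, Optional, Tuple

# The pattern from `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`,
# with Apache's "$1" written as Python's "\1".
COOKIE_EDIT = re.compile(r"^(.*)$")

# Assumption: the site url in settings.yaml is https://..., so the app
# considers https canonical.
SITE_SCHEME = "https"


def apply_cookie_edit(set_cookie: str) -> str:
    """Mimic the .htaccess rule: append ;HttpOnly;Secure to every Set-Cookie."""
    return COOKIE_EDIT.sub(r"\1;HttpOnly;Secure", set_cookie)


def cookie_attributes(set_cookie: str) -> List[str]:
    """Lower-cased attribute names after the name=value pair, in order.
    Repeated entries show that the edit did not check what was already there."""
    parts = [p.strip() for p in set_cookie.split(";")][1:]
    return [p.split("=", 1)[0].lower() for p in parts if p]


def detected_scheme(server: Dict[str, str], explicit: Optional[str] = None) -> str:
    """Scheme as the application would see it. `explicit` models an explicit
    'this site runs on https' setting; without it the app falls back to the
    HTTPS server variable, which is absent when PHP never receives it."""
    if explicit:
        return explicit
    if server.get("HTTPS", "").lower() in ("on", "1"):
        return "https"
    return "http"


def handle(scheme: str, host: str, path: str, server: Dict[str, str],
           explicit: Optional[str]) -> Tuple[int, Optional[str], Optional[str]]:
    """One request through Apache and the app: (status, Location, Set-Cookie)."""
    # RewriteCond %{HTTPS} !on / RewriteRule (.*) https://... [R=301,L]
    if scheme != "https":
        return 301, f"https://{host}{path}", None
    # Assumption: the app redirects to its canonical https URL whenever the
    # scheme it detects differs from the configured site url.
    if detected_scheme(server, explicit) != SITE_SCHEME:
        return 302, f"{SITE_SCHEME}://{host}{path}", None
    # Success response: constructed session cookie, edited by the Header rule.
    # `Header` without `always` acts on successful responses, so the edit is
    # modelled only here.
    cookie = apply_cookie_edit("session=abc123; path=/; httponly")
    return 200, None, cookie


def follow(url: str, server: Dict[str, str], explicit: Optional[str] = None,
           max_hops: int = 6) -> Dict[str, object]:
    """Follow redirects like a browser; a revisited URL means a redirect loop."""
    hops: List[str] = []
    status = 0
    while url not in hops and len(hops) < max_hops:
        hops.append(url)
        scheme, rest = url.split("://", 1)
        host, _, tail = rest.partition("/")
        status, location, cookie = handle(scheme, host, "/" + tail, server, explicit)
        if status in (301, 302) and location:
            url = location
            continue
        return {"status": status, "hops": hops, "cookie": cookie, "loop": False}
    return {"status": status, "hops": hops, "cookie": None, "loop": True}


if __name__ == "__main__":
    # HTTPS variable not reaching the app: Apache says https, app says http.
    print(follow("http://example.test/cp", {}))
    # Same deployment with the explicit scheme setting: no loop.
    print(follow("http://example.test/cp", {}, explicit="https"))
    print(cookie_attributes(apply_cookie_edit("session=abc123; path=/; httponly")))
```

Running the block with an empty server-variable dict reproduces the loop in two hops (`http://.../cp` to `https://.../cp` and back to the same URL), while passing `explicit="https"` ends in a 200 with the edited cookie. The duplicated `httponly` attribute in the last line of output is the observable side effect of the regex-based edit; a practitioner checking the reporter's rule in production would look for exactly that in the response headers.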
