statamic / v2-hub

Statamic 2 - Feature Requests and Bug Reports
https://statamic.com

Control Panel to work with https #1140

Closed jcohlmeyer closed 7 years ago

jcohlmeyer commented 7 years ago

Expected behaviour

Control Panel to work with https

Actual behaviour

Statamic randomly produces http links and creates an http redirect loop when using the Control Panel

Steps to reproduce

  1. Deploy a Statamic Site with https
  2. Control panel to function over https

Server configuration

Operating system: CentOS

Web server: Apache

PHP version: 5

Statamic version: 2.1.18

Updated from an older Statamic or fresh install: 2.x -> 2.1.18

List of installed addons:

htaccess

If any logs (browser, server, or Statamic) are appropriate...

# ------------------------------------------------------------------------------
# COMMON PHP OVERRIDES
#
# Sometimes editing your php.ini file is impossible or even just annoying.
# Here are some of the most common settings that can (sometimes) be overridden.
# ------------------------------------------------------------------------------

# php_value memory_limit 256M
# php_value post_max_size 16M
# php_value max_execution_time 90
# php_value max_input_time 120
# php_value upload_max_filesize 16M

# ------------------------------------------------------------------------------
# BASE APACHE RULES
#
# When running in a subdirectory, you should uncomment and adjust the
# RewriteBase rule to point to your directory, eg. RewriteBase /directory/
# ------------------------------------------------------------------------------

Options -MultiViews
RewriteEngine On
RewriteBase /

# ------------------------------------------------------------------------------
# Force HTTPS
# ------------------------------------------------------------------------------

# Remove www from address
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} ^new\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect Trailing Slashes...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# ------------------------------------------------------------------------------
# REMOVE TRAILING SLASHES
# ------------------------------------------------------------------------------

#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*)/$ /$1 [L,R=301]

# ------------------------------------------------------------------------------
# STATIC CACHING PROXY
#
# Enable these rules when using static html caching
# to bypass Statamic when a given URL has a cached copy.
# ------------------------------------------------------------------------------

# RewriteCond %{REQUEST_FILENAME}   !-f
# RewriteCond %{REQUEST_METHOD} GET
# RewriteRule ^(.*) static/$1/index.html

# ------------------------------------------------------------------------------
# Mod Expire Headers
# ------------------------------------------------------------------------------

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 minute"
ExpiresByType image/x-icon "access plus 15 minutes"
ExpiresByType image/gif "access plus 15 minutes"
ExpiresByType image/png "access plus 15 minutes"
ExpiresByType image/jpeg "access plus 15 minutes"
ExpiresByType text/css "access plus 15 minutes"
ExpiresByType application/javascript "access plus 15 minutes"
</IfModule>

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# ------------------------------------------------------------------------------
# X-FRAME-OPTIONS (prevent clickjacking)
# ------------------------------------------------------------------------------

Header always set X-FRAME-OPTIONS "DENY"

# ------------------------------------------------------------------------------
# X-XSS Protection
# ------------------------------------------------------------------------------

Header always set X-XSS-Protection "1; mode=block"

# ------------------------------------------------------------------------------
# Disable auto detection of resource type
# to guard against malicious exploitation via MIME sniffing
# ------------------------------------------------------------------------------

Header always set X-Content-Type-Options "nosniff"

# ------------------------------------------------------------------------------
# PROTECT SYSTEM DIRECTORIES
#
# Not necessary when running above webroot.
# ------------------------------------------------------------------------------

RewriteRule ^site/(?!themes) - [F,L]
RewriteRule ^local - [F,L]
RewriteRule ^statamic - [F,L]

# ------------------------------------------------------------------------------
# ROUTE THROUGH INDEX.PHP
# ------------------------------------------------------------------------------

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

edalzell commented 7 years ago

What is your site url set to?

jcohlmeyer commented 7 years ago

My site url is set to https://sustainable-development-goals.iisd.org/ I think ...

Below is my site/settings/settings.yaml file:

license_key: ***
locales:
  en:
    full: en_US
    name: English
    url: https://sustainable-development-goals.iisd.org/
timezone: UTC
date_format: F jS, Y
default_extension: md
filesystems:
  content:
    driver: local
    root: site/content
  storage:
    driver: local
    root: site/storage
  users:
    driver: local
    root: site/users
  themes:
    driver: local
    root: site/themes
    url: /site/themes
app_key: 3Oqal45ffRi3MmuQy92Y7zOnwHDIEtmS
redactor:
  - 
    name: Standard
    settings:
      buttons:
        - formatting
        - bold
        - italic
        - unorderedlist
        - orderedlist
        - html
  - 
    name: Basic
    settings:
      buttons:
        - bold
        - italic
csrf_exclude: [ ]
send_powered_by_header: true
ensure_unique_ids: true

eminos commented 7 years ago

I'm having the same issue (had it since v2 beta). It seems to have something to do with cookies/sessions, because after I clear those the website and control panel starts working again (no more redirect loop). My htaccess is more or less "default", only added the https/www redirect.

jcohlmeyer commented 7 years ago

Looks like the issue is related to the cookie set header in the .htaccess file:

# ------------------------------------------------------------------------------
# Use https only for cookies
# ------------------------------------------------------------------------------

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

The code above is intended to help prevent XSS; however, it is breaking Statamic randomly when using the control panel over https.

Source: https://geekflare.com/httponly-secure-cookie-apache/
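
The `Header edit` line quoted above rewrites every Set-Cookie value unconditionally: `^(.*)$` always matches, so `;HttpOnly;Secure` is appended even when the application already set those attributes, and it is appended on every response regardless of whether the request came in over TLS. The following is an added example, not code from the issue or from Statamic, that models that Apache edit in Python on constructed Set-Cookie values and contrasts it with an add-only-if-missing pattern. The cookie names, values and the alternative regex are assumptions; if you translate the alternative back into `Header edit` directives (one per flag), verify it against your Apache version's PCRE handling before relying on it.

```python
import re

# Pattern and replacement quoted from the issue's .htaccess; Apache's $1 is Python's \1.
PAGE_PATTERN = r"^(.*)$"
PAGE_REPLACEMENT = r"\1;HttpOnly;Secure"

# Assumed alternative (not from the page): append a flag only when it is absent.
# The negative lookahead refuses to match once "; Secure" / "; HttpOnly" is present,
# so the edit is a no-op on cookies the application already hardened.
SECURE_IF_MISSING = (r"(?i)^((?!.*;\s*secure\b).*)$", r"\1; Secure")
HTTPONLY_IF_MISSING = (r"(?i)^((?!.*;\s*httponly\b).*)$", r"\1; HttpOnly")


def header_edit(value: str, pattern: str, replacement: str) -> str:
    """Model one Apache `Header edit` applied to a single Set-Cookie value.

    Apache substitutes every match of the pattern; with a ^...$ anchor there is
    exactly one, which re.sub reproduces."""
    return re.sub(pattern, replacement, value)


def attributes(set_cookie: str) -> list:
    """Attribute names (lowercased) following the name=value pair."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return [p.split("=", 1)[0].lower() for p in parts[1:] if p]


def count_flag(set_cookie: str, flag: str) -> int:
    """How many times a flag appears; anything above 1 means the edit duplicated it."""
    return attributes(set_cookie).count(flag.lower())


def harden(set_cookie: str) -> str:
    """Apply both add-if-missing edits in sequence."""
    out = header_edit(set_cookie, *SECURE_IF_MISSING)
    return header_edit(out, *HTTPONLY_IF_MISSING)


# Constructed sample values; these are not captured from the reporter's site.
APP_ALREADY_SECURE = "laravel_session=abc123; Path=/; Secure; HttpOnly"
APP_PLAIN = "laravel_session=abc123; Path=/"


def page_edit(set_cookie: str) -> str:
    """The issue's edit exactly as written in the .htaccess."""
    return header_edit(set_cookie, PAGE_PATTERN, PAGE_REPLACEMENT)


if __name__ == "__main__":
    print("page edit on an already-secure cookie:", page_edit(APP_ALREADY_SECURE))
    print("Secure attributes after page edit:", count_flag(page_edit(APP_ALREADY_SECURE), "secure"))
    print("add-if-missing on a plain cookie:   ", harden(APP_PLAIN))
    print("add-if-missing on a secure cookie:  ", harden(APP_ALREADY_SECURE))
```

Run it and compare the two outputs for `APP_ALREADY_SECURE`: the page's edit yields `...; Secure; HttpOnly;HttpOnly;Secure`, while the add-if-missing form leaves the value untouched. Neither form helps when the application itself believes the request was plain http, which is the separate problem the thread goes on to identify.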

jackmcdade commented 7 years ago

This usually just works out of the box, but we've found cases where the Symfony routing component doesn't properly detect your https headers, so we added an explicit setting for it. It'll be in the next release.
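
The detection problem described above, modelled as an added example that is not Statamic's or Symfony's code: when TLS is terminated in front of PHP, the `HTTPS` server variable is not set, so the application must learn the scheme from a forwarded header, and that header is only trustworthy when the TCP peer is a known proxy (otherwise any client can flip the scheme). The second half shows how a wrong guess turns the `RewriteCond %{HTTPS} !on` rule from the reporter's .htaccess into a loop. The trusted proxy `10.0.0.5`, the host `example.test`, and the simplification that the application redirects to its own canonical URL built from the detected scheme are assumptions; the page does not say which Statamic redirect is involved.

```python
from urllib.parse import urlsplit, urlunsplit

HOST = "example.test"              # constructed host, not the reporter's site
TRUSTED_PROXIES = {"10.0.0.5"}     # assumption: TLS is terminated at this address


def detected_scheme(env: dict, trusted_proxies: set = TRUSTED_PROXIES) -> str:
    """Scheme the application should believe the request used.

    `env` models the server variables PHP sees: HTTPS, REMOTE_ADDR and the
    X-Forwarded-Proto header as HTTP_X_FORWARDED_PROTO. The forwarded header is
    honoured only when the peer is a trusted proxy; an untrusted peer claiming
    X-Forwarded-Proto must not be able to change the result."""
    if env.get("HTTPS", "").lower() in ("on", "1"):
        return "https"
    if env.get("REMOTE_ADDR") in trusted_proxies:
        # Take the first hop only; downstream proxies append their own values.
        forwarded = env.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return "http"


def app_location(env: dict, path: str, trusted_proxies: set = TRUSTED_PROXIES) -> str:
    """Absolute URL the application emits, e.g. in a Location header or CP link."""
    return f"{detected_scheme(env, trusted_proxies)}://{env['HTTP_HOST']}{path}"


def apache_force_https(url: str):
    """The .htaccess rule `RewriteCond %{HTTPS} !on` / `RewriteRule ... https://...`
    as a function: returns the redirect target, or None when no redirect fires."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return None


def simulate(start_url: str, app_env: dict, path: str,
             trusted_proxies: set = TRUSTED_PROXIES, max_hops: int = 6):
    """Follow redirects like a browser. Apache forces https; once the request reaches
    the app over TLS, the app redirects to `path` using the scheme it detected.
    Returns (hops, looped)."""
    hops = [start_url]
    url = start_url
    while len(hops) <= max_hops:
        target = apache_force_https(url)
        if target is None:
            target = app_location(app_env, path, trusted_proxies)
            if target == url:
                return hops, False      # app and browser agree on the scheme: done
        hops.append(target)
        if hops.count(target) > 1:
            return hops, True           # same URL seen twice: redirect loop
        url = target
    return hops, True


# Constructed environments for the three deployments worth checking.
DIRECT_TLS = {"HTTPS": "on", "REMOTE_ADDR": "203.0.113.9", "HTTP_HOST": HOST}
BEHIND_PROXY = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_PROTO": "https", "HTTP_HOST": HOST}
SPOOFED = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_PROTO": "https", "HTTP_HOST": HOST}
UNDETECTED = {"REMOTE_ADDR": "10.0.0.5", "HTTP_HOST": HOST}   # proxy sends no forwarded header


if __name__ == "__main__":
    for name, env in [("direct TLS", DIRECT_TLS), ("behind proxy", BEHIND_PROXY),
                      ("spoofed header", SPOOFED), ("undetected", UNDETECTED)]:
        print(f"{name:15s} -> {detected_scheme(env)}")
    print(simulate("http://example.test/cp", DIRECT_TLS, "/cp"))
    print(simulate("https://example.test/cp", UNDETECTED, "/cp"))
```

The `UNDETECTED` run reproduces the thread's symptom in miniature: the browser arrives over https, the app answers with an http URL, Apache bounces it back to https, and the pair repeats. An explicit "this site is https" setting, as described in the comment above, short-circuits `detected_scheme` entirely; the trusted-proxy check is what you want when the setting is not available or the same code base serves both schemes.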