starred/panel-pelican-dev
1
0
Fork 0
mirror of https://github.com/pelican-dev/panel.git synced 2026-05-04 18:00:48 +03:00
Code Issues 41 Packages Projects Releases 10 Wiki Activity

Apache2 config (.htaccess) not working with SSL-terminating reverse proxy #465

New Issue
Open
opened 2026-02-05 17:38:26 +03:00 by OVERLORD · 1 comment
OVERLORD commented 2026-02-05 17:38:26 +03:00
Owner
Copy Link

Originally created by @Bungeefan on GitHub (Oct 10, 2025).

Current Behavior

Due to the rewrite rules in .htaccess, Apache always sends a redirect for every edit file link on the "EditFiles" page (as these always end with a trailing slash), which (if using a reverse proxy and therefore HTTP) redirects to a http:// URL, resulting in the browser not sending the session cookie and the application (incorrectly) showing the login page after the redirect.

I tried every trick (SetEnvIf, RewriteRule in vHost, RemoteIP, ...) I could find to make Apache correctly use the X-Forwarded-Proto header from the proxy for the rewrite rule, but to absolutely no avail.

Other solutions that worked:

  • Forcing Apache to HTTPS on Port 80 (ServerName https://<domain>): https://stackoverflow.com/a/78858892
  • Removing the output of the trailing slash in EditFiles (see below), nevertheless this is probably not the only place this problem arises/could arise.
  • Disabling the rewrite rule in .htaccess
  • Switching to nginx behind nginx, as it doesn't redirect such URLs.

The rewrite rule in question:
1f56b8e114/public/.htaccess (L16-L19)

The forcing of trailing slashes in EditFiles:
1f56b8e114/app/Filament/Server/Resources/Files/Pages/EditFiles.php (L279-L282)

Expected Behavior

The user shouldn't be shown the login page when attempting to edit a file.

But I am unsure who is "at fault" here, the .htaccess rule (correctly) doesn't force a protocol and Apache should probably just fix their X-Forwarded-Proto handling.
However, if using Apache is a supported configuration by this project (which it seems given the docs), I guess it should at least try to work around it/provide guidance.

  • Either by removing cases where such a redirect is even necessary,
  • Adding X-Forwarded-Proto handling to the rule or, if possible, removing the rule.
  • Adding a note in the docs that you have to force https:// for the HTTP Pelican VirtualHost, if Apache is used behind a reverse-proxy.
  • 4th solution I didn't discover yet

Steps to Reproduce

  • Setup Pelican with an http-only Apache and SESSION_SECURE_COOKIE=true
  • Use an HTTPS-handling nginx as reverse-proxy and apply the forwarding config as described by the docs.
  • Open the "EditFiles" page from a server.
  • Click on any file to edit it in the same tab (note: new tabs don't share this problem).

Panel Version

1.0.0-beta26

Wings Version

1.0.0-beta18

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs

Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
Originally created by @Bungeefan on GitHub (Oct 10, 2025). ### Current Behavior Due to the rewrite rules in `.htaccess`, Apache always sends a redirect for every edit file link on the "EditFiles" page (as these **always** end with a trailing slash), which (if using a reverse proxy and therefore HTTP) redirects to a `http://` URL, resulting in the browser not sending the session cookie and the application (incorrectly) showing the login page after the redirect. I tried every trick (`SetEnvIf`, `RewriteRule` in vHost, `RemoteIP`, ...) I could find to make Apache correctly use the `X-Forwarded-Proto` header from the proxy for the rewrite rule, but to absolutely no avail. Other solutions that worked: * Forcing Apache to HTTPS on Port 80 (`ServerName https://<domain>`): https://stackoverflow.com/a/78858892 * Removing the output of the trailing slash in EditFiles (see below), nevertheless this is probably not the only place this problem arises/could arise. * Disabling the rewrite rule in `.htaccess` * Switching to nginx behind nginx, as it doesn't redirect such URLs. --- The rewrite rule in question: https://github.com/pelican-dev/panel/blob/1f56b8e1147647f1b00c307031b63913f446c1f2/public/.htaccess#L16-L19 The forcing of trailing slashes in EditFiles: https://github.com/pelican-dev/panel/blob/1f56b8e1147647f1b00c307031b63913f446c1f2/app/Filament/Server/Resources/Files/Pages/EditFiles.php#L279-L282 ### Expected Behavior The user shouldn't be shown the login page when attempting to edit a file. --- But I am unsure who is "at fault" here, the `.htaccess` rule (correctly) doesn't force a protocol and Apache should probably just fix their `X-Forwarded-Proto` handling. However, if using Apache is a supported configuration by this project (which it seems given the docs), I guess it should at least try to work around it/provide guidance. * Either by removing cases where such a redirect is even necessary, * Adding `X-Forwarded-Proto` handling to the rule or, if possible, removing the rule. * Adding a note in the docs that you have to force `https://` for the HTTP Pelican VirtualHost, if Apache is used behind a reverse-proxy. * 4th solution I didn't discover yet ### Steps to Reproduce * Setup Pelican with an http-only Apache and `SESSION_SECURE_COOKIE=true` * Use an HTTPS-handling nginx as reverse-proxy and apply the forwarding config as described by [the docs](https://pelican.dev/docs/panel/optional-config#nginx-specific-configuration). * Open the "EditFiles" page from a server. * Click on any **file** to edit it in the same tab (note: new tabs don't share this problem). ### Panel Version 1.0.0-beta26 ### Wings Version 1.0.0-beta18 ### Games and/or Eggs Affected _No response_ ### Docker Image _No response_ ### Error Logs ```bash ``` ### Is there an existing issue for this? - [x] I have searched the existing issues before opening this issue. - [x] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server. - [x] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
OVERLORD commented 2026-02-05 17:38:30 +03:00
Author
Owner
Copy Link

@Bungeefan commented on GitHub (Oct 10, 2025):

Oh sorry, I just checked Discord again (last time I checked is a few weeks ago, where I made myself a post that didn't receive any answer) and it seems that yesterday someone posted about this/a similar problem with Apache and http:// links, even with X-Forwarded-Proto header.

Thread: https://discord.com/channels/1218730176297439332/1219038617133912084/threads/1425608553481113651

@Bungeefan commented on GitHub (Oct 10, 2025): Oh sorry, I just checked Discord again (last time I checked is a few weeks ago, where I made myself a post that didn't receive any answer) and it seems that yesterday someone posted about this/a similar problem with Apache and `http://` links, even with `X-Forwarded-Proto` header. Thread: https://discord.com/channels/1218730176297439332/1219038617133912084/threads/1425608553481113651
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
not confirmed
pull-request
Mirrored from GitHub Pull Request
 👑 sponsor
💰 fund
🔴 hard
🟡 medium
🟡 medium
🟡 medium
🟢 easy
🟢 easy
🟢 easy
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/panel-pelican-dev#465
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?