XF 2.1 Problem with jumping back to root domain.

RallyFan

Hi all,

The other week @djbaxter helped me out with an issue here ( https://xenforo.com/community/threads/new-install-need-directory-help.178618/ ) regarding directories.

I figured from there that all was well, except for a bug under AdminCP > Setup (where every time I saved I'd get sent back to https://www.mydomain.com/). I could live with that; however, the problem is manifesting elsewhere, where it will impact the forum.

My forum sits at https://www.mydomain.com/community, and my main WordPress frontend at https://www.mydomain.com.

I've noticed with several things on the forum if I click them, I get diverted back to https://www.mydomain.com, instead of https://www.mydomain.com/community.

The best example of this is when I log into the forum, type in username and password and press login, and it goes straight to https://www.mydomain.com, instead of https://www.mydomain.com/community/

NOTE: Happens regardless of Index Page Route, so it's not that.

Appreciate any help on this one. I suspect it's something simple as this is a pre production forum setup to test everything.

Thank you!
 
Big thank you to @AndyB for helping me track down the issue.

For others wondering or who get the same problem, the issue appears to be within my root .htaccess file (most likely a rewrite).

Will trial and error it tomorrow (as it's almost midnight here), and report back exactly what line did the damage (as it's possible a WordPress plugin setting has added it).
 
For anyone else having this problem, it turned out NOT to be a Rewrite rule, but rather a Referrer Policy Header setting, which some security programs will lock down themselves for you.

In my case I always set it automatically, and therein lay the issue.

I had it set to:
Header always set Referrer-Policy: strict-origin

Ended up having to set it at:
Header always set Referrer-Policy: strict-origin-when-cross-origin

Makes logical sense if you read up about it here: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

strict-origin
This value is similar to origin above but will not allow the secure origin to be sent on a HTTP request, only HTTPS.

origin-when-cross-origin
The browser will send the full URL to requests to the same origin but only send the origin when requests are cross-origin.

strict-origin-when-cross-origin
Similar to origin-when-cross-origin above but will not allow any information to be sent when a scheme downgrade happens (the user is navigating from HTTPS to HTTP).
 