Enable HTTPS via Cloudflare on Laravel 4.1 app

On all of my Laravel applications I had to select "full" for the encryption or else it would cause issues. Not sure if this is what you are missing, but worth a shot.

Thanks @michaelmcmullen but where do you mean to select 'full', somewhere on Cloudflare or in the application?

You will find the option under the "Crypto" tab

http://imgur.com/BEQNxCA

@michaelmcmullen I tried it and it did not work

@Zod

Check your browsers console, you might find your css / js and fonts are hardcoded to http - maybe there is something you've done which is forcing the protocol....?

This means nothing to anyone

it did not work

@bashy I tried enabling full SSL under Crypto in CloudFlare just as suggested by @michaelmcmullen

Yes but what "does not work"? What happens? Any errors?

@bashy pages are all messed up, no styling present

just checked the errors in console many errors about sytlesheets, bootstrap, favicons and so on "was loaded over HTTPS, but requested an insecure stylesheet ... This request has been blocked; the content must be served over HTTPS."

not sure what this means... all styles javascript etc declared as follows @section('css') {{ HTML::style('css/sputnikstyles.min.css') }} favicons declared like this in meta href="{{ URL::asset('apple-touch-icon-180x180.png') }}"

You should put in a redirect on your webserver to redirect all http request to the https version. That should fix most of your problems.

If you're using Apache:

RewriteEngine On

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx:

server {
       listen 80;
       server_name example.com;
       return 301 https://$server_name$request_uri;
}

You could also change your HTML helpers to use the secure version: https://laravel.com/docs/4.2/helpers

@TylerODonnell I tried editing the .htaccess and got the following in the console as an error "net::ERR_TOO_MANY_REDIRECTS"

@Zod You probably have another redirect rule that is redirecting you to the www http version of the domain. Can you post your entire .htaccess file?

No need to change htaccess stuff...

Your assets are included via HTTP, not HTTPS. Use one of these to make it secure

URL::asset('css/foo.css', true);
URL::secureAsset('css/foo.css');

URL::to('foo/bar', $parameters, true);

@bashy Yes that would work - You'd have to change each one by hand though. Forcing HTTPS would still be required if you would like all users to have the HTTPS version. Laravel will also use the current request scheme to generate the appropriate asset scheme: https://github.com/laravel/framework/blob/dca2d68e1d3f21ff1d119eb442cfb8239fed92f1/src/Illuminate/Routing/UrlGenerator.php#L269

@TylerODonnell I thought he meant that resources were still being requested via HTTP via the HTTPS protocol? Forcing HTTPS (redirection wise) won't help that if so.

In CloudFlare you can force HTTPS easily with page rules.

@bashy is totally correct. I overlooked the CloudFlare part. Since CloudFlare is sitting in the middle, your app won't necessarily get a request with the https scheme meaning the Assets and Url facade/helpers will still generate urls using http and not https like it should.

@bashy would you know whether I need to do anything with the following types of declarations

{{ HTML::script('js/jquery-1.11.3.min.js') }}
{{ Session::get('message') }}
{{ HTML::style('css/bootstrap.min.css') }}
{{ Form::label('name') }}
{{ Croppa::url('/upload/images/' . $image->path, 205, 130, array('quadrant(c)')) }}
{{ HTML::link('article', 'return to peace banner list'); }}

Do I need to add $parameters, true to every declaration?

@Zod If those are returning http:// protocol, you need to make them secure by passing 3 arguments and the last being true. You can send null or an empty array for second.

I would first check if the server is using HTTPS (443).

In the routes file (some route), return/dd these;

Request::getPort(); //  80/443 etc
Request::secure(); // boolean I believe

If it's HTTPS (and the correct port; 443 by default), then you can carry on making those paths secure.

@TylerODonnell the .htaccess as it currently is...

<IfModule mod_rewrite.c>

Options -MultiViews
RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
        
RewriteCond %{HTTP_HOST} ^mysite\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mysite\.net$
RewriteRule ^/?$ "http\:\/\/mysite\.net\/index\.php\/" [R=301,L]


# added to stop hotlinking
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png|jpg)$ /img/nohotlink.jpe [L]


</IfModule>

# Prevent Apache from serving .ht* files:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>

<Files 403.shtml>
order allow,deny
allow from all
</Files>

@bashy the response from the die dump was Port 80 & bool(false) - not sure how to proceed ...

Hi @Zod, Unless you install a cert on your site and enable full HTTPS support inside CloudFlare the request FROM CloudFlare will always be http regardless of how the client asks for the resources.

If you look at the source for your page you will probably see http references to your images and css etc.

Personally, I avoid using the protocol whenever possible. So instead of

http://example.com/image.png
I would use:
//example.com/image.png
or just 
/image.png

You could always create a utility function that stripped the protocol from the url!

so it would look like:

{{ removeProtocolFromURL( HTML::script('js/jquery-1.11.3.min.js') ) }}
{{ removeProtocolFromURL( HTML::style('css/bootstrap.min.css') ) }}

Otherwise you could create a Middleware layer to transform your page source.

@MarkLL Yeah, I believe they've tried that per this reply

Zod — 2 days ago bashy I tried enabling full SSL under Crypto in CloudFlare just as suggested by michaelmcmullen

Hi @bashy, I found it took a good 48 hours before I could enforce https (in a WP site) when I last enable ssl with cloudflare, so it was not smooth.

Never the less, there is no real clear indication, above, that a certificate was actually installed. Which is the only way the "full" option works.

So removing the protocol from all resource URLs is the easiest way to work around the issue IMHO.

@MarkLL I've just checked my version of Laravel in composer.json and I'm on 4.1, Middleware did not even exist then in Laravel, so I guess I'm stuck with changing every single declaration if I want to pursue this - hrumph! Also I do not have a SSL certificate.

Try changing the url in app/config/app.php to include the https. I believe this is the url used to generate the asset urls.

@spekkionu do you mean the Application URL - which is currently 'url' => 'http://localhost', how would I include HTTPS?

Hi @Zod, you could still utilize the wrapper function in your blade templates as I suggested above. (e.g. removeProtocolFromURL())

TBH, it would probably just be easier to get an SSL cert and then you can enable "full" https support in CloudFlare.

@saurabhd worked with me. Thanks!!!

@saurabhd Thanks, worked for me as well!