Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

harryg's avatar

Generating secure routes on Heroku with cloudflare ssl

I have a Laravel 5.2 app running on Heroku and have set up a custom domain. I am also taking advantage of free SSL offered by Cloudflare. This is described in this official Cloudflare guide. It works fully because Heroku offer ssl by default for *.heroku.com.

The problem I'm having is that routes generated by the route() helper function, or the FormHelper route array key (Form::open(['route' => 'foo'])) are not generating https urls. The domain however is correctly using my custom one rather than the heroku one. I'm not sure of the cause of this but it seems Laravel thinks the request is somehow http rather than https, even though Cloudflare is set to use full SSL.

Has anyone got any experience of using Cloudflare and Heroku in this way and how to solve it, aside from hardcoding relative URLs in the views?

Update: It seems even when on the https heroku domain Laravel is still generating http urls. I assume this is due to some sort of load balancer or proxy that Heroku uses.

0 likes
4 replies
IcyApril's avatar

Hi;

Looks like you're using CloudFlare in Flexible SSL mode, which means the connection to the origin web server is unencrypted; therefore Laravel thinks the entire connection is over HTTP.

Are you using an Apache web server? If so, if you install the Mod_Cloudflare plugin, your issue will be resolved: https://www.cloudflare.com/resources-downloads#mod_cloudflare

If not; you will need another trusted reverse proxy solution to whitelist CloudFlare IPs so the X-Forwarded-Proto header can be trusted. There is a package to do this here: https://github.com/fideloper/TrustedProxy Once you have this installed use a list of CloudFlare IPs at: https://www.cloudflare.com/ips

2 likes
harryg's avatar

I'm actually using nginx but can easily change to Apache2 by editing my Heroku buildpack. I'm not sure exactly how to install mod_cloudflare on Heroku however. Their docs do not seem to say how to add apache modules.

Thanks for your answer so far though. That's really helpful.

Btw, I am using full SSL so even the connection from CF to Heroku is encrypted. This is because Heroku have SSL enabled for all *.heroku.com addresses.

Edit I have installed Fideloper's trusted proxy package and enabled it for Cloudflare's IPs but routes are still being incorrectly generated.

bashy's avatar

That's strange. Have you looked on all $_SERVER vars to see if it's passing it along

harryg's avatar

Yes I server vars contain all the x-forwarded-* headers but still doesn't work properly. I tried forcing https on the laravel app which works until you get redirected. Then it thinks it's on *.heroku.com and you get an SSL error.

Please or to participate in this conversation.