roulendz's avatar

How I can force all my routes to be HTTPS not HTTP

Because http works well,

but when I go to https, all my styles do not get loaded. Also:

action('HomeController@home');
<link rel="stylesheet" href="{{ asset('frontend/css/app.css') }}">  

Thanks!

1 like
30 replies
TheNodi's avatar

@roulendz

Have you tried setting the APP_URL option in your .env file to https?

Mine has been working so far and it's the only change I've made.

1 like
willvincent's avatar

I've got a helpful little middleware I use that can be applied to all routes or just specific ones:

<?php

namespace App\Http\Middleware;

use Closure;

class ForceSSL
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if (!$request->secure() && in_array(env('APP_ENV'), ['stage', 'production'])) {
            return redirect()->secure($request->getRequestUri());
        }

        return $next($request);
    }
}

But, if you want to enforce SSL on all routes, you're probably best off doing that with your apache/nginx config.

7 likes
Snapey's avatar

I do it in the apache config.

Create a virtualhost like;

<VirtualHost *:80>
   ServerName rotarota.net
   ServerAlias www.rotarota.net
   Redirect permanent / https://rotarota.net/
</VirtualHost>

Anything coming in on port 80 is bounced to the https version

I have made NO changes in the laravel code, and its going to be a lot quicker than booting all the framework only to redirect

3 likes
TheNodi's avatar

I thought the problem was assets being loaded using HTTP from an HTTPS page (causing them to not be loaded at all for security reasons).

If you want to force the site to be loaded from HTTPS I prefer to do it in the web server (See How to force or redirect to SSL in nginx? ).

2 likes
roulendz's avatar
roulendz
OP
Best Answer
Level 6

At the end I used

if (env('APP_ENV') === 'production') {
    URL::forceSchema('https');
}

I added it at the top of my web.php routes file to force it on all pages!

I am using Heroku; as I am not too experienced with it yet, I went the easiest route for me :)

14 likes
Nihir's avatar

@roulendz, I think it's working on the old Laravel version. When I used it in my project, it gave a 500 server error in my Laravel 9 production.

Tray2's avatar

@Nihir Open your own thread to ask for help. You should handle any http -> https in the webserver config instead of programmatically.

srikanthgopi's avatar

Add the code to your .htaccess file:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

All the routes will now be forced to use https.

DivDax's avatar

I would place this in the AppServiceProvider in the boot() method, or maybe create a ForceHttpsMiddleware

if($this->app->environment('production')) {
    URL::forceScheme('https');
}
7 likes
ahmadamin636's avatar

If you want to force all your routes to be HTTPS, here is a solution that worked for me.

First create a middleware.

php artisan make:middleware ForceSSL

This is what your middleware should look like.

jack's avatar

For those wondering about this "Issue" here's what I found...

I deployed my laravel app to Azure App Services.

In Azure App Services, the app gets served entirely as an http app. Azure then uses a proxy to add https.

The problem is, Laravel /sees/ the request as http.

The documentation states the url helpers base the http/https off the current request, which, in azure, always looks like http.

While it's true that you can do some modRewrite type stuff to force those http URLs to map to an HTTPS URL, that doesn't really help, because the pages still render to the browser with http links.

So it's necessary to do something like Roulendz did to force laravel to render http links.

dimsav's avatar

If you're trying to make this work with laravel 5.8+, do this:

// AppServiceProvider.php

public function boot()
{
    if (env('APP_ENV') !== 'local') {
        URL::forceScheme('https');
    }
}
5 likes
EmilMoe's avatar

Wouldn't it make sense to build into the core?

Anyway I changed my approach a bit from @dimsav

if (env('APP_FORCE_HTTPS', false)) {
    URL::forceScheme('https');
}
Snapey's avatar

@emilmoe because with the correct hosting setup, this is never required.

David-R's avatar

Same solution used here. Unfortunately, I have a Laravel app behind a load balancer redirecting HTTPS connections to HTTP connections.

File modified : app/Providers/AppServiceProvider.php

Line added to the function boot() : URL::forceScheme('https');

m-naderian's avatar

That's a good way to solve your problem. But when deploying a Laravel application you should remove the .env file and use it only on your local development environment.

Instead, set all your production configurations inside the config directory and change your code to this:

if (config('app.env') === 'production') {
    URL::forceSchema('https');
}
egulhan's avatar

hey. it should be:

\URL::forceScheme('https'); 

*** not Schema

3 likes
abbasimehdi's avatar

Your .env file is empty or removed; check your .env file.

devtiagofranca's avatar

In app/Providers/AppServiceProvider.php add these lines:

    public function boot(): void
    {
        if (app()->isProduction()) {
            ($this->{'app'}['request'] ?? null)?->server?->set('HTTPS', 'on');
            \Illuminate\Support\Facades\URL::forceScheme('https');
        }
    }
1 like
dhmm's avatar

I think you should do it from the server side

luckydead's avatar

Hello, I have made my changes according to all the information; please confirm whether this is the correct way:

use Illuminate\Pagination\Paginator;
use Illuminate\Support\Facades\URL;

public function boot()
{
    // Let's set up the HTTPS protocol for all variants
    if (env('APP_ENV') === 'production' && env('ENABLE_HTTPS_SUPPORT') === 'True') {
        $this->app['request']->server->set('HTTPS', 'on'); // Pagination links support HTTPS
        URL::forceScheme('https');
    }
    if (env('APP_ENV') === 'demo' && env('ENABLE_HTTPS_SUPPORT') === 'True') {
        $this->app['request']->server->set('HTTPS', 'on'); // Pagination links support HTTPS
        URL::forceScheme('https');
    }
    if (env('APP_ENV') === 'local' && env('ENABLE_HTTPS_SUPPORT') === 'False') {
        $this->app['request']->server->set('HTTPS', 'off'); // Pagination links support HTTP
    }

    Paginator::useBootstrap();
}
Snapey's avatar

@luckydead Set Trusted Proxies if you are behind an SSL terminating service such as Cloudflare

1 like
luckydead's avatar

@Snapey thanks for the remark regarding Cloudflare and so on. You are right, the domain is on Cloudflare DNS, and this will be required, right?

  • But if the website is not added to Cloudflare or another DNS, is it required to be = '*'? Or is it recommended not to add it?
class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array<int, string>|string|null
     */
    protected $proxies = '*';
}
1 like
Snapey's avatar

@luckydead not sure what you mean, but trust proxies is the way to go rather than force https scheme.

1 like
luckydead's avatar

@Snapey but enabling trust for the whole IP range is not a secure method, correct me if I'm wrong, but also fetching Cloudflare or other website IPs is impossible to do. As I read the information, by default it should be $proxies; and using only https solves the problem with Cloudflare and other DNS.
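
The question above about `$proxies = '*'`, as an added example that is not part of the thread and not Laravel's own implementation: a simplified plain-PHP model of the trusted-proxy decision, showing that `X-Forwarded-Proto` should count only when the connecting peer is in a trusted range. It assumes 64-bit PHP 8 and IPv4; the function names, addresses and the `10.0.0.0/8` range are constructed for illustration.

```php
<?php
// Added illustration, not Laravel's code: a simplified model of the
// trusted-proxy decision. Names and sample values are constructed.

/** True when IPv4 address $ip lies inside $cidr, e.g. "10.0.0.0/8". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    // Build the netmask; /0 is handled separately to avoid a 32-bit shift.
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Scheme to use for generated URLs. X-Forwarded-Proto counts only when the
 * directly connected peer (REMOTE_ADDR) is a trusted proxy; '*' trusts any peer.
 */
function effectiveScheme(array $server, array|string $trusted): string
{
    $https = strtolower($server['HTTPS'] ?? '');
    $direct = ($https !== '' && $https !== 'off') ? 'https' : 'http';

    $peer = $server['REMOTE_ADDR'] ?? '';
    $isTrusted = $trusted === '*';
    if (!$isTrusted) {
        foreach ((array) $trusted as $cidr) {
            $isTrusted = $isTrusted || ipInCidr($peer, $cidr);
        }
    }

    $forwarded = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return ($isTrusted && in_array($forwarded, ['http', 'https'], true))
        ? $forwarded
        : $direct;
}

// Constructed requests: both reach PHP over plain HTTP with the same header.
$viaProxy  = ['REMOTE_ADDR' => '10.0.3.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$directHit = ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$proxyRanges = ['10.0.0.0/8']; // assumed address range of the load balancer

foreach (['via proxy' => $viaProxy, 'direct' => $directHit] as $label => $req) {
    printf("%-9s ranges=%-5s wildcard=%s\n", $label,
        effectiveScheme($req, $proxyRanges), effectiveScheme($req, '*'));
}
```

In Laravel the corresponding setting is the `$proxies` property of the TrustProxies middleware, which accepts a list of proxy addresses or CIDR ranges in place of `'*'`.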

Merklin's avatar

You can also modify the .htaccess file in the public folder like this:

    RewriteEngine On

    # Always redirect to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
