https for the full laravel app?

Published 4 months ago by SomeT

How do I / what is the easiest way to set up my laravel app so that it forces https rather than http on all directories, routes, pages etc... contained within?

Best Answer (As Selected By SomeT)
Cronix

You still need to do it at the server level and just redirect all http traffic to https via your apache or nginx config. Cloudflare is not your server.

tykus
4 months ago (623,240 XP)

Enforce this at the web server rather than app-level. Implementation will depend on your web server.

SomeT

I did this already via Cloudflare but a lot of URLs, e.g. forgot password and such, which have been auto generated by php artisan still go back to http and cause issues with my site therein. I need to do it at the app level to resolve this, I just can’t work out how?

Cronix
4 months ago (652,820 XP)

You still need to do it at the server level and just redirect all http traffic to https via your apache or nginx config. Cloudflare is not your server.

SomeT

I thought cloudflare was at least somewhat what he meant, I am using nginx via laravel forge, is there an easy way for me to do this? What should I be googling, file I should be looking in etc...? Sorry still a bit new to this so this is really tripping me up.

jlrdw
4 months ago (238,490 XP)

SomeT

Thanks, but as that is a completely different answer I am now confused as to which is the correct and best way to now achieve this? Additionally what is the point of https://laravel.com/docs/5.3/helpers#method-secure-asset if you're meant to do it at the server level?

SomeT

I believe the best solution at this point is to disable https completely on Cloudflare as it causes nothing but issues, then amend it on the server end as @Cronix mentioned. Many thanks for your responses, they have given me a lot to think about.

Cronix
3 months ago (652,820 XP)

That's really the only way to guarantee it will work everywhere. Yes you can use secure_asset() and secure_url() and other helpers, but unless you did your entire app that way, it may not get everything. Like if you manually entered a url in something like <a href="http://yoursite.com">Home</a> without using a helper, then nothing will fix that unless you manually change the http to https in that link, or force it at the server level. Another place people often have it hardcoded is images in css or within javascript (ajax calls, etc) and things like that that tend to get buried under the hood. That's why it's just best to do it at the server level since it will rewrite all http to https and issue a 301 redirect.

It would still be better to fix all of your urls in your code to use https so the server doesn't have to take an extra step and redirect, but having it enforced at the server level will fix any that you may have missed.
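
Added example (not part of the thread or of Laravel): a small scanner for the hard-coded `http://` URLs described in the post above, covering links, CSS `url()` references and script strings. The file suffixes, function names and sample lines are assumptions made for illustration.

```python
import re
from pathlib import Path

URL = re.compile(r"http://[^\s\"'<>)]+", re.I)
# Namespace identifiers are never fetched, so they are not mixed content.
IGNORED_PREFIXES = ("http://www.w3.org/",)
SCANNED_SUFFIXES = (".blade.php", ".php", ".html", ".css", ".js")  # assumed set

def classify(line, start):
    """Label the context in which the URL starting at index `start` appears."""
    before = line[:start].rstrip("\"' \t")
    if re.search(r"\b(?:href|src|action)\s*=$", before, re.I):
        return "html-attribute"
    if re.search(r"url\($", before, re.I):
        return "css-url"
    return "string-or-text"

def scan_text(text):
    """Return (line_no, context, url) for each hard-coded http:// URL."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL.finditer(line):
            url = m.group(0)
            if url.lower().startswith(IGNORED_PREFIXES):
                continue
            findings.append((no, classify(line, m.start()), url))
    return findings

def scan_tree(root):
    """Scan template, style and script files under `root`; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(SCANNED_SUFFIXES):
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample, modelled on the cases named in the post above.
SAMPLE = '''<a href="http://yoursite.com">Home</a>
<script src="{{ secure_asset('js/app.js') }}"></script>
.hero { background: url('http://yoursite.com/img/bg.png'); }
$.get("http://yoursite.com/api/items");
<svg xmlns="http://www.w3.org/2000/svg"></svg>'''

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Running `scan_tree()` over the views and public asset directories lists the links a server-level redirect would otherwise have to catch one request at a time.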

SomeT

@Cronix At the moment I have in app.blade.php: <script src="{{ secure_asset('js/app.js') }}"></script> and in the same file <link href="{{ secure_asset('css/app.css') }}" rel="stylesheet"> is it ok to leave these as they are with https disabled in Cloudflare? For now I have decided to use only http until I can fix this on the server end, but I presume, and please correct me if I am wrong, that secure_asset() is a Laravel helper that is dual workable? By this I mean if I have an http only domain will my code in Laravel all still work with this helper in place or should I change them both to just asset() ?

Cronix
3 months ago (652,820 XP)

secure_x functions will return https, which is ok as long as you have your ssl cert in place.

It shouldn't matter if assets are using https, but it would matter if the whole page was requested with https. If the page is requested with https, then everything on the page (images, css, scripts, etc) must also be served https on that page.

SomeT

@Cronix So basically I am best changing these two back to just asset() for now if I am only using http and not https at all?

Cronix
3 months ago (652,820 XP)

If by "only using" you mean you don't have an active ssl cert on the server, then yes.

secure_asset() just calls asset(), with the 2nd parameter set to true.

These are equivalent and will both produce https urls:

secure_asset('/js/app.js');
asset('/js/app.js', true);

Vilfago

Isn't it easier to do it within the .htaccess?

It's what I did, so I wonder if I made a big mistake '-.-

SomeT

Ok many thanks, your detailed answers have given me a lot more insight into how this all works and such which is useful for a beginner to laravel.

SomeT

@Vilfago I believe that is what @Cronix meant, basically you edit the .htaccess I know someone else who did it this way in laravel and it works fine I believe. As to how exactly I guess that is a whole other question, feel free to answer that but I don't mind working out that part on my own.
