
smartinec's avatar

Force Some Routes to HTTPS

How can I force some Spark routes to HTTPS (/settings, /login, /password, /webhook), but make sure all the other routes are HTTP? Can I wrap middleware based on a URL prefix and not mess with the built-in Spark routes? I'd also like any links from an HTTPS page back to a non-forced URL to be HTTP. Thanks.

0 likes
5 replies
jlrdw's avatar

For a site in general, it's best to go all HTTPS.

smartinec's avatar
smartinec
OP
Best Answer
Level 1

This worked for my purpose:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use URL;

class HttpsRedirect
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Only redirect non-AJAX GET requests outside the local environment.
        if(!app()->environment('local') && $request->isMethod('get') && !$request->ajax()) {
            if(
                $request->is('path1*') ||
                $request->is('path2*') ||
                $request->is('path3*')
            ) {
                // Listed paths: upgrade plain-HTTP requests to HTTPS.
                if(!$request->secure()) {
                    // getRequestUri() keeps the query string, which path() would drop.
                    return redirect()->secure($request->getRequestUri());
                }
            }
            else if($request->secure()) {
                // Every other path: send HTTPS requests back to HTTP.
                URL::forceScheme('http');
                return redirect($request->getRequestUri());
            }
        }
        return $next($request);
    }
}
```

Kernel.php

```php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        // Registered globally, so the scheme check runs on every route.
        \App\Http\Middleware\HttpsRedirect::class,
    ];
}
```
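
For comparison, the site-wide approach jlrdw suggests can be written as a single global middleware. This is an added example, not code from the thread: the class name `ForceHttps` and the HSTS max-age are assumptions, and it assumes `$request->secure()` reflects the client's connection (trusted proxies configured if TLS terminates at a load balancer).

```php
<?php

namespace App\Http\Middleware;

use Closure;

// Added example (hypothetical class name), not code from the thread.
class ForceHttps
{
    // Assumed value: one year, in seconds.
    const HSTS_MAX_AGE = 31536000;

    public function handle($request, Closure $next)
    {
        // Leave local development on plain HTTP, as HttpsRedirect does.
        if (app()->environment('local')) {
            return $next($request);
        }

        if (!$request->secure()) {
            // 301 for GET/HEAD; 308 asks the client to repeat the same
            // method and body over HTTPS instead of downgrading to GET.
            $status = in_array($request->method(), ['GET', 'HEAD'], true) ? 301 : 308;

            // getRequestUri() keeps the query string on the redirect.
            return redirect()->secure($request->getRequestUri(), $status);
        }

        $response = $next($request);

        // Browsers honour HSTS only when it arrives over HTTPS; afterwards
        // they skip the plain-HTTP hop for this host until max-age expires.
        $response->headers->set(
            'Strict-Transport-Security',
            'max-age=' . self::HSTS_MAX_AGE
        );

        return $response;
    }
}
```

With every route on HTTPS, the session cookie can also be restricted to HTTPS (`'secure' => true` in `config/session.php`). A mixed-scheme site cannot do that if its HTTP pages need the session, so the cookie also travels over the unencrypted routes.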
smartinec's avatar

What is the Apache overhead when running HTTPS?

Thyrosis's avatar

It depends on the number of connections you make. If you combine your JS and CSS files so that you only end up with a few requests to build up your page, the performance impact is negligible.

Using SSL requires a handshake on connections, which is not required on default HTTP. This is why HTTPS is a little slower than its unsecured counterpart. The fewer connections there are to be shaken about, the lower the performance impact will be.
