Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

UnFukWitAble's avatar

SSL Issue with Laravel on production server using Apache

Hi, I have Apache 2.46, running on RHEL 7.5 server with an OV SSL certificate configured using AWS.

This a fresh application made using laravel new blog. All I have done is change permissions for storage and bootstrap/cache directories (the proper way) and setup the basic application config (database, env, etc).

My httpd.conf is setup to serve everything from /var/www/html/public/ and my Laravel application is inside /var/www/html/.

I am encountering two issues, which don't seem to be documented anywhere, maybe someone here can help me.

The SSL works on the homepage, works on both HTTP and HTTPS. However, when I visit /home (produced from make:auth) it only works over HTTP. If I visit it from HTTPS it will look like this (see image below).

alt text

How do you go about properly setting up Laravel for HTTPS? I usually add

#<VirtualHost *:80>
#   RewriteEngine On
#   RewriteCond %{HTTP:X-Forwarded-Proto} =https
#   RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
#</VirtualHost>

to the httpd.conf, but adding this now creates a too many redirects error. I would like to force HTTPS for all requests. Also for some reason, running Laravel creates 503 errors , haven't been able to find out why.

.env

APP_NAME=Laravel                                                                                                                                                                                                                               
APP_ENV=production                                                                                                                                                                                                                             
APP_KEY=base64:{my_key}                                                                                                                                                                                    
APP_DEBUG=true                                                                                                                                                                                                                                 
APP_URL=https://www.{my_domain}.com/

.htaccess

<IfModule mod_rewrite.c>                                                                                                                                                                                                                           
    <IfModule mod_negotiation.c>                                                                                                                                                                                                                   
        Options -MultiViews -Indexes                                                                                                                                                                                                               
    </IfModule>                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                   
    RewriteEngine On                                                                                                                                                                                                                               
    RewriteBase /                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                   
    # Handle Authorization Header                                                                                                                                                                                                                  
    RewriteCond %{HTTP:Authorization} .                                                                                                                                                                                                            
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]                                                                                                                                                                                  
                                                                                                                                                                                                                                                   
    # Redirect Trailing Slashes If Not A Folder...                                                                                                                                                                                                 
    RewriteCond %{REQUEST_FILENAME} !-d                                                                                                                                                                                                            
    RewriteCond %{REQUEST_URI} (.+)/$                                                                                                                                                                                                              
    RewriteRule ^ %1 [L,R=301]                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                   
    # Handle Front Controller...                                                                                                                                                                                                                   
    RewriteCond %{REQUEST_FILENAME} !-d                                                                                                                                                                                                            
    RewriteCond %{REQUEST_FILENAME} !-f                                                                                                                                                                                                            
    RewriteRule ^ index.php [L]                                                                                                                                                                                                                    
</IfModule>

httpd.conf

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html/public"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/html/public">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

I am pretty sure this is due to the asset() and route() methods used in resources/views/layouts/app.blade.php but where do I configure if this returns HTTP or HTTPS? I have .env set to use HTTPS?

0 likes
3 replies
lostdreamer_nl's avatar
lostdreamer_nl
8 years ago
Best Answer
Level 53

You can set the second parameter of the asset() and route() methods to true to force them into secure (SSL) mode.

Strangely though, if you do not set the second parameter, it should be picked up from the current $request->root()

You can also call:

app('url')->forceSchema('https');
// or  app('url')->forceSchema( request()->getScheme() ); to force all assets to be the same schema as the current request

somewhere (in a Provider for instance) to force everything (asset() url() etc.) to be HTTPS

bashy's avatar

Do you use a proxy? Laravel will write the URLs with the same protocol it reads from the server headers. If it's returning HTTP, it means it sees HTTP (usually a reverse proxy).

You will need to force the protocol to HTTPS as lostdreamer_nl stated.

1 like
UnFukWitAble's avatar

That did the trick. By the way looks like forceSchema() was replaced with forceScheme() at some point.

Please or to participate in this conversation.