
thomthom's avatar

Migrating Forge server to use HTTPS

I'm planning on moving a website I have hosted on Forge + DigitalOcean to use HTTPS.

The catch is that I have some API end points which should not redirect HTTP traffic to HTTPS due to compatibility issues with some clients. But for everything else I want it to redirect.

Any suggestions on how I can configure my server for this? (Was planning on using Let's Encrypt).

0 likes
12 replies
thomthom's avatar

> Well your website is either https or not in my opinion.

The site has two sets of clients; the main part is web browsers. This is what I want to set up HTTPS for. The second part is some API endpoints which are used by a desktop application. The snag is that this application uses an HTTP library that doesn't follow redirects - and I'm not in a position to control this. Because of that the HTTPS cannot be an all-opt-in.

> Anyway, it's possible but you need to manually adjust your nginx file: https://www.digitalocean.com/community/questions/nginx-how-to-force-redirect-some-urls-to-https

I'm not very familiar with nginx. I've mainly used it via Forge. The configuration file they describe in that article, is the global for the entire server? Or a per-site configuration? (Can I test this out on my staging site before deploying to my production site? I have both on the same droplet.)

bobbybouwmann's avatar

Sad to hear that you can't change that. It doesn't sound secure when you can't handle https at all...

This link I gave you is a per site config. It would be wise to test this indeed on a staging site. However you can also test this with a vagrant box for example. For example Homestead is using nginx as well inside the box, so you can play around there. SSL might be a bit harder, but it's not impossible.

thomthom's avatar

I've been looking closer at the Forge+LetsEncrypt configuration. When you enable SSL on forge it uses some includes to configure the HTTP to HTTPS redirection:

Extract from the main nginx site config.

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/dev.example.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dev.example.com;
    root /home/forge/dev.example.com/public;

    # ...
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/dev.example.com/after/*;

Within forge-conf/dev.example.com/before/ssl_redirect.conf the 80 => 443 redirection is done:

# Redirect every request to HTTPS...
server {
    listen 80;
    listen [::]:80;

    server_name .dev.example.com;
    return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # FORGE SSL (DO NOT REMOVE!)
    # ...

    server_name www.dev.example.com;
    return 301 https://dev.example.com$request_uri;
}

Question is, can I modify the files under forge-config? Or do I run the risk of them being updated by forge at some point?
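One way the selective redirect asked about in this thread could look, written as a replacement for the first (port 80) server block of ssl_redirect.conf; this is an added example, not part of the original post and not Forge's own configuration. The `/api/legacy/` prefix and the PHP-FPM socket path are placeholders, and whether Forge later rewrites the file is the question the thread leaves open.

```nginx
# Added example: redirect HTTP to HTTPS except for selected endpoints.
server {
    listen 80;
    listen [::]:80;

    server_name .dev.example.com;
    root /home/forge/dev.example.com/public;

    # Default: everything not matched below is sent to HTTPS,
    # exactly as the stock redirect block does.
    location / {
        return 301 https://$host$request_uri;
    }

    # Static updater manifests (the *.xml case mentioned in this thread)
    # are served directly over HTTP; anything missing is a plain 404.
    location ~* \.xml$ {
        try_files $uri =404;
    }

    # Placeholder prefix for the API endpoints used by clients that do
    # not follow redirects. "^~" stops regex locations from taking over.
    location ^~ /api/legacy/ {
        try_files $uri /index.php?$query_string;
    }

    # Front controller, reachable only through the internal redirect above,
    # so a direct HTTP request for /index.php is not answered in cleartext.
    location = /index.php {
        internal;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/path/to/php-fpm.sock;  # placeholder socket path
    }

    # Note: an HSTS header on the 443 server only affects browsers;
    # the non-browser clients these exceptions exist for ignore it.
}
```

Responses from the two exempt locations travel in cleartext, so keep them limited to content that carries no credentials or session cookies, and have the desktop client verify a signature on any update manifest it fetches this way. Run `nginx -t` on the staging site before reloading.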

bobbybouwmann's avatar

Well Forge won't update your files without contacting you! However when you for example use LetsEncrypt it will update everything once for you, so you don't have to do that manually. So with that you're good to go by changing this manually. Just note that you can't use much of the server settings functionalities from Forge, because they might update your script.

thomthom's avatar

So there are no scheduled maintenance jobs that run on a forge managed server?

I opened a ticket with Forge support in order to try to clarify what might overwrite the settings - so I can document it in my server's technical docs.

richard@gorbutt.com's avatar

I'd like to know the answer to this too.

I have a desktop app that contacts an updater file to see if an update is needed. If I do a forced redirect to https://, the app fails to redirect, it can't cope with the 301 redirect. I too have looked at modifying the forge before/* stuff so that any call to an *.xml file will stay port 80 but all else will be redirected.

Grateful if you can update us with what Forge say. Don't want to modify some behind the scenes stuff and it gets reset later...

Thanks

thomthom's avatar

@Gorby - sure thing. I'll post back when I hear back from support.

It seems that it's not too uncommon for HTTP libraries from various languages to be rather bare metal - they don't automatically follow 301 responses.

thomthom's avatar

I've yet to hear back from Forge support, it's been four working days. Is that normal wait time? I also didn't receive an email confirmation to my support request - I imagined I used to get that.

richard@gorbutt.com's avatar

In the past I've had responses within a day but they've just migrated their servers to new hosts and I've just raised a ticket last night as it can no longer see my AWS servers and I've added the new IPs to my security group. I'm wondering if the migration is taking their time up.

thomthom's avatar

It's been over a week now - no response. Does anyone know of another way to contact Forge support other than that widget on their site?

While I've been waiting for response to figure out what would trigger forge to update the forge-config files I noticed this:

Notice the item dated 14th; "Fixing LetsEncrypt Renewal Scripts". I wonder if that's the kind of scenario that might clash if I were to try to adjust the forge-conf files.

thetaxi's avatar

@thomthom I know it has been a while. Need to serve up some http endpoints to a legacy app that I have no control over. Did you ever get an answer to this? If I eliminate the nginx redirects to https will they get overwritten later?
