I have a problem, my website is running on Laravel 5, I have set up SSL cert and configured it using Load Balancer in AWS. Set up listeners for HTTP(80) and HTTPS(443). SSL checker seems fine. I can access https://www.mydomainname.com and it directs to a secure page.
However, every time I enter www.mydomainname.com in any browser it leads to a not secure page; when I navigate to another page like mydomainname.com/business it's secured.
My AppServiceProvider conf:
public function boot()
{
    if ($this->app->environment('production')) {
        \URL::forceScheme('https');
    }
}
\URL::forceScheme('https'); will not redirect to https, it is used to build links with https inside app.
If you want redirect in Laravel you can use middleware:
public function handle($request, Closure $next) {
    if (!$request->secure()) {
        return redirect()->secure($request->getRequestUri());
    }
    return $next($request);
}
Of course, the best way is to use redirect with apache/nginx.
I deployed my website, and used this code to enforce that the protocol used is HTTPs
\Illuminate\Support\Facades\URL::forceScheme('https');
in the AppServiceProvider.
When I visit my website, it uses HTTP by default and I have to manually change 'http' to 'https' in the address bar and then the SSL certificate works fine and I can fill all forms securely.
How can I enforce that when the user visits the website, HTTPS runs, not HTTP?
Please try this.
Create the file HttpsProtocol.php in app/Http/Middleware and add the code below:
<?php
namespace App\Http\Middleware;

use Closure;

class HttpsProtocol {
    public function handle($request, Closure $next)
    {
        if (!$request->secure()) {
            return redirect()->secure('/');
        }
        return $next($request);
    }
}
?>
Add this line to the $middlewareGroups section in app/Http/Kernel.php:
\App\Http\Middleware\HttpsProtocol::class,
Enjoy!
Add this tag to your root page head section (home.blade.php, welcome.blade.php ...).
<head>
    ... other tags
    @if(env('APP_ENV') === 'production')
        <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
    @endif
</head>
And inside the boot function in app/Providers/AppServiceProvider.php add:
public function boot()
{
    if (env('APP_ENV') === 'production') {
        $this->app['request']->server->set('HTTPS', true);
    }
}
I used \Illuminate\Support\Facades\URL::forceScheme('https');
however, my first page was still loaded in HTTP and other subsequent requests were in HTTPs.
To fix this, I redirected the route at "/" to a clone route "/welcome" which returns the view which "/" was supposed to return.
From that point onwards HTTPs is used.
I could not redirect HTTP to HTTPS in the server because I use Elastic Beanstalk and the proposed commands in the /.ebextensions config file didn't work, so my solution is as close to fixing the problem as I could get.
As we know, when we code on localhost we can go directly to the admin dashboard on our website without logging in first by typing the link. So how can we stop that? If we want to access the admin dashboard, we should really have to log in first.
Use Laravel middleware to limit access ... you can use the auth middleware like:
Route::get('/profile', function () {
    //
})->middleware('auth');
For more info, visit the Laravel docs.
Use Laravel middleware in your web.php if you are using a simple function for your route:
Route::get('/admin/dashboard', function () {
    return view....
})->middleware('auth');
Or you can use a constructor in your Controller to limit access for all functions in this controller:
public function __construct()
{
    $this->middleware('auth');
}
// This is the middleware
public function handle($request, Closure $next)
{
    if (auth()->user()->isAdmin()) // isAdmin is a function in the User model which checks if the user is admin or not
    {
        return redirect('/admin');
    } else {
        return redirect('/home');
    }
    return $next($request);
}
// I already registered this middleware in kernel as well as verifyUser
Route::middleware(['auth', 'verifyUser'])->group(function() {
    Route::get('/home', 'HomeController@index')->name('home');
    Route::get('/admin', 'AdminController@index')->name('admin');
    Route::get('/users/profile', 'UserController@view')->name('users.view-profile');
    Route::get('/users/edit_profile', 'UserController@edit')->name('users.edit-profile');
});
The main problem here is that it shows this error in the browser:
The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
You're telling Laravel to redirect admins to /admin, and non-admins to /home.
However, you've made /admin and /home subject to that middleware, too, so when the user gets to /home it redirects them to /home again (and again, and again, and again, forever).
You likely need two changes:
1. A new middleware, applied only to admin routes, that only redirects non-admins away from those routes.
2. Put your home/admin logic as a one-off post-login step instead of on every pageview. See the path customization section of the Authentication docs.
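The loop and the first suggested change, as an added example that is not part of the original answer: both middleware designs are modelled as plain PHP functions and redirects are followed with a hop limit, so the non-terminating case is visible. The route paths come from the question; the function names, user arrays and hop limit are assumptions made for illustration.

```php
<?php
// Added example: framework-free model of the two middleware designs.
// A middleware here returns a redirect path, or null for "call $next($request)".

// The question's version: redirects every request, including its own targets.
function redirectEveryone(array $user, string $path): ?string
{
    return $user['is_admin'] ? '/admin' : '/home';
}

// The suggested version: guards admin routes only and turns non-admins away.
function adminOnly(array $user, string $path): ?string
{
    $isAdminRoute = $path === '/admin' || strpos($path, '/admin/') === 0;
    if ($isAdminRoute && !$user['is_admin']) {
        return '/home';
    }
    return null;
}

// Follow redirects the way a browser does, giving up after $maxHops.
function visit(callable $middleware, array $user, string $path, int $maxHops = 10): string
{
    for ($hop = 0; $hop < $maxHops; $hop++) {
        $redirect = $middleware($user, $path);
        if ($redirect === null) {
            return "200 $path after $hop redirect(s)";
        }
        $path = $redirect;
    }
    return "redirect loop: gave up at $path after $maxHops hops";
}

$member = ['is_admin' => false]; // constructed sample users
$admin  = ['is_admin' => true];

echo visit('redirectEveryone', $member, '/home'), PHP_EOL;
echo visit('adminOnly', $member, '/admin'), PHP_EOL;
echo visit('adminOnly', $member, '/users/profile'), PHP_EOL;
echo visit('adminOnly', $admin, '/admin'), PHP_EOL;
```

In a real Laravel middleware the `null` branch corresponds to `return $next($request);`, and the check would be attached only to the admin route group.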
The following handles the Redirect on my Laravel-Application after Authentication:
protected function sendLoginResponse(Request $request)
{
    $request->session()->regenerate();
    $this->clearLoginAttempts($request);
    //dd(redirect()->intended());
    return $this->authenticated($request, $this->guard()->user())
        ?: redirect()->intended($this->redirectPath());
}
This worked fine on my local machine, but not on the production server running Elastic Beanstalk.
The dd() in my code there shows the correct path on both environments, but on production it redirects to the url /. Why?
It could be because you use Amazon servers, which are load balanced.
The Load balancing works this way: The client uses HTTPS to connect to the Load balancing domain, but the load balancer itself forwards the requests in HTTP to the actual servers. This implies that the servers always see the requested URL as HTTP, never as HTTPS.
I drew a picture to explain my point further:
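The load-balancer behaviour described above is also why a `$request->secure()` redirect middleware like the ones earlier on this page can redirect forever: the application only ever sees HTTP unless it reads the `X-Forwarded-Proto` header, and Laravel honours that header only for proxies configured as trusted. The following is an added example, not code from any of the posts, that models the decision in framework-free PHP; the function names, the trusted subnet and the client addresses are assumptions, and the CIDR check handles IPv4 only.

```php
<?php
// Added example. The proxy subnet and client addresses are constructed sample values.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isSecureRequest(array $server, array $trustedProxies): bool
{
    // TLS terminated by the web server itself: no proxy involved.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Believe X-Forwarded-Proto only when the TCP peer is the load balancer;
    // a client connecting directly could otherwise forge it.
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($server['REMOTE_ADDR'] ?? '', $cidr)) {
            return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
        }
    }
    return false;
}

// Returns the redirect URL, or null when the request should be served as-is.
function httpsRedirectTarget(array $server, array $trustedProxies, string $host): ?string
{
    if (isSecureRequest($server, $trustedProxies)) {
        return null;
    }
    // Keep path and query; use the configured host, not the client's Host header.
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

$trusted = ['10.0.0.0/8'];
$cases = [
    'http via LB'   => ['REMOTE_ADDR' => '10.0.1.7', 'HTTP_X_FORWARDED_PROTO' => 'http', 'REQUEST_URI' => '/business?x=1'],
    'https via LB'  => ['REMOTE_ADDR' => '10.0.1.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/business'],
    'forged header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/'],
];
foreach ($cases as $label => $server) {
    echo $label, ' => ', httpsRedirectTarget($server, $trusted, 'www.mydomainname.com') ?? 'serve', PHP_EOL;
}
```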
You can make a helper function to get intended url from session as
function intendedUrl($default = null)
{
    $default = $default ?: route('pages.home'); // default route
    return session()->pull('url.intended', $default);
}
In my project I have route groups for 4 subdomains. On one subdomain I set 'middleware' => 'auth' and it works, but if a guest tries to access this protected subdomain he is redirected to sub.project.com/login and not to project.com/login. Where can I set it correctly?
You can try to handle the redirect within the middleware
public function handle($request, Closure $next, $guard = null)
{
    if ($request->getPort() != 80 || Auth::guard($guard)->guest()) {
        // to account for json or ajax requests
        if ($request->ajax() || $request->wantsJson())
        {
            return response('Unauthorized.', 401);
        }
        return redirect('auth/login')->withErrors(['must login']);
    }
    return $next($request);
}
By default it shouldn't be a problem. By "by default" I mean that you would have had to explicitly tell Laravel where to redirect; if you didn't do so (didn't alter the middleware logic in any way), there are 3 things that come into play:
1. Your .htaccess (or httpd.conf) is messed up.
2. Certificate issues. Do you have SSL enabled on the login page? If the website config file points to a cert issued for not the same domain, it causes such problems.
3. config/app.php includes the wrong domain.
(It's a stupid question on my part, but could you please confirm that it redirects to and not renders the content available on that subdomain? To exclude some possibilities.)