How can I have Laravel return a secure at all times with the url() helper function?
I know that I can url('foo', [], true), where the 3rd argument will set it to secure, but because I'm going to use SSL everywhere I don't want to have to specify it each time.
Furthermore, I don't have self-signed certificate locally. I want url() to give an http:// string locally, but https:// on production. Perhaps something I can configure in .env?
I've tried setting up TrustedProxy but it didn't make a difference. How can I go about this?
I'm not asking how to redirect http to https. That adds an extra jump between clicking a link and loading a page. I want url() to always give me https links when on production.
Related
I searched for my issue in so many ways, but I don't seem to find the correct case, so I'm asking here.
I have a Laravel app which is installed on a server and everything works correct. The domain is set as HTTP only and is configured from AWS. However we need to have another domain which should work only from HTTPS. The HTTP domain is pointing to the server instance and the HTTPS one is pointing to a CloudFront distribution with origin the HTTP domain. The issue is that when I open the HTTPS domain, all of the links and images are loaded from the HTTP domain.
To be more concrete, let's say I have http://mysite-notsecure.example.com and https://mysite-secure.example.com.
When I open http://mysite-notsecure.example.com everything works as it should and there are no issues. However when I open https://mysite-secure.example.com the site loads, also files like app.js and app.css load with the correct host, but things like fonts, images, links, etc, load from http://mysite-notsecure.example.com.
Because most of the urls are built with the url() function, I think the issue has something to do with APP_URL, which was first set to http://mysite-notsecure.example.com, but when I added the new domain, I set it to empty (APP_URL=),
however the urls are still built the same way (I cleared config cache).
What should I do in order for my site to build the urls according to the current host?
I don't need any other change for the two domains. They should load everything exactly the same, only the host should remain and not redirect to the other domain.
It turned out there were two different issues.
I'll describe them here, because there is a slight chance someone could be dealing with one of them.
First, I printed the contents of the $_SERVER variable on both domains and the host in both was the same - the HTTP domain.
This issue was from the CloudFront configuration. Turned out the Host header was removed from the CF distribution behavior, so that CF replaced it with the origin's value (the origin is the http domain). After this was fixed, the host in $_SERVER appeared correctly.
But the initial issue for the urls building was something else which I didn't think of. After clearing the cache to remove the debugging and seeing the right urls on the HTTPS domain, I switched back to the HTTP one and saw now there all the urls pointed to the HTTPS domain. That is when it hit me that these domains share not only the configuration, but also the cache. And most of my urls on the page I was testing with, were coming from a function with cache, so when the cache was stored from one of the domains, they appeared the same on the other. When I included the host in the cache key, everything worked correctly.
Hope this helps someone else.
goto file .env and setup the APP_URL=https://mysite-secure.example.com/ and change
href={{asset('folder-path')}} in layout or blades file
Im not sure if my question is valid, I have a laravel app, by default I can access it using http protocol,
but due to security reasons, I was instructed to use https instead,
So I was planning to configure my apache and use the default-ssl.conf,
but before I do that, I want to know if changing it to https will it affect my routes?
No, it will not affect your routes.
To make all helpers like route(), url(), action() etc generate HTTPS links change http to https in the .env file:
APP_URL=https://some.app
It MAY affect your routes !
If you are using cloudflare for your ssl certificate, Laravel will not recognise it as a secure url, You will have to specify in your code that you want a secure url
for example for your assets, you may have to use
secure_asset('img/photo.jpg')
Normal SSH and Cpanel
If you are using normal ssh provided by server providers then do not worry,
You just need to change in your environment file.
which is placed in project_root/.env where you can change your APP_URL from http:// to https://
Also you can directly change in config/app.php in 'url' parameter.
cloudflare
Answer of Mathieu Ferre is correct
if you want to use mixed routes in your application you can use some laravel built-in helper methods.
use secure_asset() and url('url',params, true) the last param in url() is for securing route.
EDIT 1
there is also another function secure_url for securing url. If your application is using mixed routes.
Hope this helps.
Thanks
I've got a Laravel app that's hosted on Heroku, currently in staging environment that's password protected. It's accessible via https:// but axios is making requests to http:// and causing a cors error... I've tried adding allow origin headers as middleware on the routes but that doesn't fix the error.
Is there a way to force axios to use https by default? I don't want to pass the full URL to the axios.get()
This doesn't happen on local so could it be something caused by Heroku?
There is a Pull Request on the way that will try to access http/s if the other protocol fails. So it's a matter of time now.
I think the issue is actually related to Heroku but I can't be certain.
The only thing that tells me this is that I moved to an EC2 instance via Laravel Forge and I don't have any problems.
Strangely I also had a couple of files that were being requested without www. And when viewing in browser it forced the css files to the naked domain. What's weird though is other css files loaded with www. And weren't redirected so I think it could also have been a permissions thing.
I solved the file issue by simply changing the file name and the redirect stopped so maybe an overzealous redirect. Either way it was annoying and I think I tried everything so hopefully that information helps somebody else in future.
Cheers
I'm developing an application that will eventually need to be fully HTTPS but I'm temporarily developing locally on HTTP.
If I use URL::to_asset('path', false) locally then I'd have to go and change every instance of that to true when I switch to HTTPS.
At the moment I'm thinking a Config::get('app.https', true) as the second argument would be the easiest way around this but I was wondering whether there's a more system-wide approach for ensuring your assets follow the routes (for example if I had an application that had partial usage of HTTPS routes it would be nice if Laravel automatically worked out whether you're on a HTTPS route and returned the correct asset link).
Or is it possible to get assets to use the "//domain.tld/path/to/something" approach
instead of manually setting it through configs you could use Request::secure() to check, if the request is done over HTTPS.
reference: laravel request information
Set HTTPS 'on' or 'off' in your web server's environment. That should propagate to Laravel, and result in http: or https: URL generation.
It may be worth adding that we run our Laravel apps on Elastic Beanstalk. EB terminates SSL at the Load Balancer, so Laravel "thinks" it's HTTP, when it's not. We use redirects to ensure all traffic is HTTPS from the outside, and set HTTPS=ON in the EB Dashboard settings so that assets aren't subject to redirects.
Tested on Laravel 5x, you can do like this:
asset('path_to_file', \App::environment() == 'production')
If you're in production, it will return true and load the asset via https, while returning false in development, loading via http.
If you are using Laravel 5.3 you can just use the Laravel asset() helper function. It loads assets using the current scheme of the request (HTTP or HTTPS)
You can find more details here
Even when I am on HTTPS, Magento's getProductUrl() always seem to return an HTTP URL. Any ways I can make this auto-switch to HTTPS? (or have it return relative protocol url).
I would say it's a rather 'standard' configuration.
Base URL is http://example.com/
Secure URL is https://example.com/
Use Secure URLs in Frontend is No
Base Link URL is {{unsecure_base_url}}
I am aware I could change the above to {{secure_base_url}} however I do not want to force a change from HTTP to HTTPS, I only need it to stay relative.
The main Magento's benefit, is that you can do anything you want with it :) So, yes, you can output HTTPS product urls or relative ones. However, before choosing a solution, let's consider the Magento authors' vision.
The HTTPS for frontend is designed to work only for specific areas like Customer account, Payment methods, Checkout, etc. There is nothing so private about products, which makes it necessary to be viewed via HTTPS as well.
By default Magento doesn't use HTTPS even for pages, mentioned above. In order to turn HTTPS on, the "Use Secure URLs in Frontend" option must be set to "Yes". Which, as described, will engage HTTPS only in limited set of pages that contain some private data.
So the best solution for you depends on specifics of the store, you are developing.
1) If you want to engage HTTPS for all the pages on frontend - then the best solution is to put "https://..." into "Base URL" option for "Unsecure" web url configuration.
2) If you want to turn on HTTPS only for product links and only for a limited number of pages, then you can override templates of that pages in order to put there relative urls. The actual code can be implemented in any way you like, even the simplest already proposed way is ok:
echo trim($_product->getProductUrl(),'http:')
3) If you want to engage HTTPS for all the product links at frontend - then the best way is to override Mage_Catalog_Module_Product_Url model and change method getUrl() - you need to put there
$routeParams['_secure'] = true;
This will produce all the product urls with HTTPS protocol.
4) If you need to show HTTP product links only at HTTP pages and HTTPS product links only at HTTPS pages, then you can use method 3) with a more sophisticated logic: check the protocol of current page before setting '_secure' parameter.
Hope, it helps.
I just did it the primitive way, sometimes it works best:
echo trim($_product->getProductUrl(),'http:')
Instead
$product->getProductUrl()
Try
$product->getUrlModel()->getUrl($product, array('_secure'=>(bool)Mage::app()->getStore()->isCurrentlySecure()))
This gives you a secure/unsecured product url based on your current protocol.
THere's an understated but important option in System | Configuration | Web ~ where you have to say "use secure url in frontend" -- if you set this to yes then a page loaded by https will use https links,
no need to write code or provide additional configuration in most cases