Laravel Redirect All Requests To HTTPS
Our entire site is to be served over https. I have 'https' in each route. However, how do I redirect them to https if they attempt it over http?
Route::group(array('https'), function()
{
// all of our routes
}
Using App::before
You might be able to take advantage of the App::before() block in the app/filters.php file.
Change the block to include a simple check to see if the current request is secure, and if not, redirect it.
App::before(function($request)
{
if( ! Request::secure())
{
return Redirect::secure(Request::path());
}
});
Using Filters
Another option might be to create a filter like so. People generally store this also in app/filters.php.
Route::filter('force.ssl', function()
{
if( ! Request::secure())
{
return Redirect::secure(Request::path());
}
});
You can then enforce that new filter to any of your routes, route groups, or controllers like this.
Individual Route
Route::get('something', ['before' => 'force.ssl'], function()
{
return "This will be forced SSL";
});
Route Group
Route::group(['before' => 'force.ssl'], function()
{
// Routes here.
});
Controller
You'll need to do this in your controller's __construct() method.
public function __construct()
{
$this->beforeFilter('force.ssl');
}
Another answer might be to let your web server handle this. If you are using Apache, you can use the RedirectSSL feature to make sure all requests are going to the HTTPS version of your site, and if not redirect them. This will happen before Laravel even get's the request.
Apache RedirectSSL
If you're on NGINX, you can accomplish this by having two server blocks. One for normal HTTPS on port 80, and another for HTTPS on port 443. Then configure the normal server block to always redirect to ssl version.
server {
listen 80;
server_name mydomain.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
server_name mydomain.com;
ssl on;
# other server config stuff here.
}
I'd personally go with this option as PHP itself doesn't have to process anything. It's generally cheaper to process a check like this at the web server level.
For users using Laravel 4/5 and Elastic Beanstalk, forcing HTTPS is difficult using these methods because the isSecure() will return false. Further, using .htaccess redirects will result in a redirect loop for Chrome and delayed page load times in Firefox.
This set up is for
- Laravel 5 and may work for Laravel 3 / 4
- Application loaded onto Elastic Beanstalk running EC2 server instances
- Route 53 used for DNS resolution
- Cloudfront used for global CDN of all assets and enforcing HTTPS
- I run
awson a Windows machine. Linux may vary slightly?
After hours of my own attempts, I managed to get all HTTP requests forwarded to HTTPS using the following steps:
Obtain an SSL certificate. Guides and providers are numerous and can be found via a Google search.
-
Upload the certificate to AWS using the
awsconsole command. The command structure is:aws iam upload-server-certificate --server-certificate-name CERTIFICATE_NAME --certificate-body "file://PATH_TO_CERTIFICATE.crt" --private-key "file://YOUR_PRIVATE_KEY.pem" --certificate-chain "file://YOUR_CERTIFICATE_CHAIN.ca-bundle" --path /cloudfront/ Create an Elastic Beanstalk application. Proceed through the setup process. Once the application is setup, go to Configuration -> Network Tier -> Load Balancing and click the gear icon.
Select Secure listener port as 443. Select Protocol as HTTPS. Select the
CERTIFICATE_NAMEfrom step 2 for SSL certificate ID. Save the configuration.Go to your Console. Click EC2 Instances. Click Load Balancers. Click through the load balancers. Click Instances and scroll down to see the EC2 instances assigned to that load balancer. If the EC2 instance has the same name as your Application URL (or something close), take note of the DNS Name for the load balancer. It should be in the format
awseb-e-...Go back to your Console. Click CloudFront. Click Create Distribution. Select a Web distribution.
Set up the distribution. Set your Origin Domain Name to the load balancer DNS name you found in step 5. Set the Viewer Protocol Policy to Redirect HTTP to HTTPS. Set Forward Query Strings to Yes. Set Alternate Domain Names (CNAMEs) to the URL(s) you want to use for your application. Set SSL Certificate to the
CERTIFICATE_NAMEyou uploaded in step 2. Create your distribution.Click on your distribution name in CloudFront. Click Origins, select your origin, and click Edit. Ensure your Origin Protocol Policy is Match Viewer. Go back. Click Behaviors, select your origin, and click Edit. Change Forward Headers to Whitelist and add Host. Save.
Go to your Console. Click Route 53. Click Hosted Zones. Click Create Hosted Zone. Set up your domain name. Once set up, click Create Record Set. Enter your A record. Select Alias as Yes. Your Alias Target is your CloudFront distribution. Save the record.
Set up your nameservers for your domain to point to the Route 53 nameservers. Wait for everything to propagate, which could be a few hours. Go to your URL. You will be automatically redirected to HTTPS.
-
"But wait, my links don't go to HTTPS!?" You need to handle the
X-Forwarded-Protoheader that CloudFront will pass. For Laravel 4, follow this guide. For Laravel 5, run this:php artisan make:middleware EB_SSL_Trust
And then add this to the EB_SSL_Trust file:
public function handle($request, Closure $next)
{
$request->setTrustedProxies( [ $request->getClientIp() ] );
return $next($request);
}
And add this to your App\Http\Kernel.php file:
protected $middleware = [
...
'App\Http\Middleware\EB_SSL_Trust',
...
];
Note: All your assets, such as CSS, JS or images, need to be sent over HTTPS. If you use Laravel to create these links, use secure_asset() to create the HTTPS URL in your View.
The use of filters has been deprecated in Laravel 5.1.*. This is a perfect job for a MiddleWare.
Create a Middleware and in the handle section put
public function handle($request, Closure $next)
{
if(! $request->secure()) {
return redirect()->secure($request->path());
}
return $next($request);
}
Then simply register your middleware in your Kernel.php and use it with your routes or controllers.