I have recently created a laravel project, and I am facing issues with it since I am trying to get it setup with SSL (Cloudflare).
What is the best way to redirect the user to the secured enviroment correctly in laravel 5?
Also, my CSS and JS are not beeing loaded in due to the fact that http is not allowed and my browser blocks the files from beeing loaded because they could be potential harmfull. (Which is not the case though, to be clear)
Can someone get me off the right track?
Redirecting your site users to a secure url (https://) should NOT be the job of the framework. This type of behavior should be handled on the DNS and A record level.
Redirecting from HTTP to HTTPS should be handled by the webserver.
Your assets are probably blocked because they are unencrypted (HTTP) on an encrypted site (HTTPS). You can solve that by using protocol relative URLs:
<script src=”//ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>
Note the // instead of http:// or https://. This will cause your assets to be fetched using the same protocol as the site.
Laravel has a helper function for secure assets: secure_asset()
http://laravel.com/docs/5.1/helpers#method-secure-asset
Related
Question: Customer's of few web projects from scratch (which already completed and launched) want to use HTTPS. Server side guys will install SSL Cert.
Apart from the redirection from HTTP, Do the programmer need to do any changes in programming or forms or database?
Do the programmer need to use any type of data encryption or any parameters during the form submit while using https?
Type of projects migrating from http to https
eCommerce
Vehicle Rental Management
Project Specs
Responsive
PHP, HTML, CSS
MySQL
Jquery
PayPal
References find in SO
https://stackoverflow.com/questions/16200501/http-to-https-apache-redirection
https://stackoverflow.com/questions/2559620/conversion-http-to-https
https://stackoverflow.com/questions/10489895/http-to-https-through-htaccess
But from the above never find an answer to my question.
What you need to change in the webpages:
Scripts (js) and Iframes must be loaded directly from https (whitout redirect): scripts uri must be relative or start with "https://". If not, scripts and iframes will not load
Forms must have an https target to avoid security confirmation
Images and css must be loaded directly from https to avoid loosing the https indicator
More information: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
See also: HSTS, CSP upgrade-insecure-requests
Do the programmer need to use any type of data encryption or any parameters during the form submit while using https?
HTTPS takes care of everything. It encrypt urls (Note: the domain name is not encrypted), POST and GET data. (It's a best practice to avoid sending confidential data using GET, because they may be logged in various unsecure places)
The best for a migration is to migrate all webpages. Having to maintain http=>https redirects for some and https=>http redirect is complicated, error prone and insecure.
I have a application made on laravel 5.2.
It was running fine on HTTP.
I used asset function to generate full url instead of using relative one's like
<link rel="stylesheet" type="text/css" href="{{ asset('/css/bootstrap.min.css') }}">
According to laravel documentation here, the asset method automatically detects the request protocol and generates URL accordingly.
Now the application is not running on HTTPS,
I can use secure_asset for HTTPS URLs, but then it will stop running on HTTP and localhost.
I know there is something I'm missing and it can't be so hard to just migrate from HTTP to HTTPS using laravel
PS - Cloudflare is being used for serving HTTPS requests.
All answers given till now are correct but none solved my problem.
The main problem was my application was behind CloudFlare
Laravel detects a Request as secure or insecure by checking a HTTP header i.e. $_SERVER['REQUEST_SCHEME'] which remains HTTP even the Request is HTTPS due to cloudflare.
CloudFlare sets a different header for the same i.e. $_SERVER['HTTP_X_FORWARDED_PROTO'] Which must be checked to detect a request is secure or not
Following this article and making some changes to this I successfully managed to generate HTTPS URL without making any changes to previous application code.
Accessing The Request
To obtain an instance of the current HTTP request via dependency injection, you should type-hint the Illuminate\Http\Request class on your controller constructor or method
https://laravel.com/docs/5.2/requests#request-information
instead of manually setting it through configs you could use Request::secure() to check, if the request is done over HTTPS
According laravel source, asset will generate protocol based on request info if you don't explicitly hint it to use http/https. So, you should not change anything here. That will switch to https once you start requesting it via secure connection.
I have a site running WordPress on Apache server and I am attempting to provide both HTTP and HTTPS connections via the same site. I want to allow connections over HTTP without forcing a redirect to HTTPS, unless the client is connecting initially via HTTPS then I want all subsequent HTTP requests to be forwarded to HTTPS to avoid issues with CORS and unsecured content warnings.
I am having some trouble turning up results on how to effectively do this with mod_rewrite alone. Most solutions I find try to force the connections to redirect to HTTPS regardless and will not allow an HTTP connection or vice versa. I have tried a few mod rewrite conditions including making use of the referer string but none seem to work thus far. I must be missing something because I feel that this is indeed possible but I and my search engines alone are stumped.
Maybe I'm just doing something wrong or is this kind of functionality beyond Mod_Rewrite?
I was thinking to use a PHP script but was worried it wouldn't work for some static files since WordPress doesn't handle those requests.
Update:
I have made a php script to detect the version. It sets a cookie which expires in 20 seconds from being set, this is read by Mod_Rewrite and if set it redirects the URLs to HTTPS. This works for most of the subsequent requests of an initial HTTPS request. A few URLs seem to be unaffected by it, not sure exactly why as the cookie hasn't expired by the time of these file requests and the particular rules are before the static file bypass rules in the htaccess file. At any rate that was easy enough to fix by setting the file urls to protocol-less versions.
Some third party sites need domains rewritten though, as they serve https from other domains. On that note I don't think this is actually possible without buffering the whole page and actually re-writing the URLs.
It is possible to detect the initial connection but this must be done using Server Side code, like a PHP script. Then using the detection can be done at Mod_Rewrite level.
Add in the WordPress constraint and things get complicated.
WordPress isn't built to facilitate one install with both protocols allowing access to content. So to accomplish this would require a custom plugin using the detection mentioned earlier, and instead of using Mod_Rewrite to direct requests on the server, we have to buffer WordPress output and logically replace/rewrite URLs in the page before they go to the user if and only if the initial connection for the page is in SSL.
There is only one plugin I have found which does something similar to this, however it doesn't do dynamic detection only gives admin/editors a checkbox option to make a page SSL secured. The plugin is called WordPress HTTPS
Dynamic detection and redirection isn't something SSL was meant for anyways, it's either on or off, and most pages need it that way.
I was originally trying to provide both so I could use a self-signed certificate without worrying that users would get the "warning unsecured connection" messages from their browsers by forcing them to use only SSL connections.
So I'll be purchasing a cert or making a custom plugin.
tkausl is right, you don't really need to do mod_rewrite. You should be able to format links without the protocol and it will automagically select for you.
You can see that google does this with their hosted libraries:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
*Note the lack of http: or https: this will follow the protocol requested by the user.
I have developed a mvc site from scratch and locally it works, but what a surprise ! Trying the site uploaded to my hosting it doesn't work.
The login sequence is the following:
Every page checks if you are loged (http) and redirect to login page (https) if you don't.
Always you will be redirected to login page.
After some research, I have discovered the reason: php session is lost between https and http.
I don't understand why works locally and remotely not, but I think due php local settings set php sesssion identifier as PHPESSID for http & https and remote settings not.
Thinking about the trouble, I understand I can fix the issue passing the session identifier from https to http or making the whole site https rewriting the urls as follow:
intranet.mysite.com/anypage/
Hosting shared ssl
https://server.subdomain/~user/public_html/intranet/anypage/
Additional information
the page is hosted under hostgator. The url paths are
site
intranet.mydomain.com
ssl shared access
https://gatorxxx.hostgator.com/~user/intranet
how I can make session works between urls ?
thanks.
If I understand correctly you host the SSL page on a different domain? The PHP session cookie is lost then, because the cookie is bound by subdomain (or domain, whichever the cookiedomain is set to).
I'm not an expert and don't want to make a mistake, so please forgive me if the answer is obvious (better safe than sorry).
I finished a Flex app using FB4.5 and uploaded and tested it fine to a shared host. I'm now in the process of securing the app using https, but have landed in a quagmire.
First:
I forced the load of all pages to https with .htaccess so that the Flex app loads with SSL. Problem is that I get a connection failed ('BadVersion') when the app makes a data service call using the gateway.php file because of the .htaccess force (it is looking for http rather than https). I believe I can hardcode the https path in the Flash Builder class file, but I don't want prevent the app from working on my dev machine either. Any thoughts here?
Also, even if the gateway.php file is called using SSL, will the following calls to the PHP files containing the actual SQL queries fail because of the forced SSL by the .htaccess directives.
Second:
Instead of using .htaccess, I have also successfully used PHP to secure the initial launch of the app with a https redirect statement in the beginning. This allows the app to work, calling the gateway.php file fine because it isn't forcing https on everything. BUT, this defeats the purpose of trying to get everything to be encrypted.
Third:
Is is it necessary to have the gateway.php file launched on SSL because of transmitting in binary AMF?
Thoughts? Explanations? Things I'm missing. Suggestions?
Thanks in advance.
If your AMF calls are going over HTTPS, then you need to use a SecureAMFChannel rather than a vanilla AMFChannel.
Typcially this is configured either in the client, where you have declared your RemoteObject or ChannelSet, or in the services-config.xml file.
Most likely, this mismatch is what's causing the BadVersion error you're getting.