How can you force a request in October CMS to be served over HTTPS? The usual methods used in Laravel such as adding the code below to the filters.php file don't seem to work.
    Route::filter('force.ssl', function() {
        if (!Request::secure()) {
            return Redirect::secure(Request::getRequestUri());
        }
    });
You can force ssl with nginx/apache. Doing that, frontend pages work fine but backend doesn't seem to work.
I tried (from: http://stackoverflow.com/questions/19967788/laravel-redirect-all-requests-to-https) :
    App::before(function($request)
    {
        if( ! Request::secure())
        {
            return Redirect::secure(Request::path());
        }
    });
and got a redirect loop. Backend pages seem to redirect to non-ssl... not sure how to fix this.
EDIT: The redirect loop might be because I'm behind a proxy (it's a Laravel thing, not an October thing). See: http://octobercms.com/forum/post/routing-over-ssl?page=1#post-3173
oh, see this: http://octobercms.com/forum/post/routing-over-ssl (only useful for frontend though).
Ok... got everything to work just fine, here is what I did.
I edited my app/filters.php and added to my App::before:
    App::before(function($request)
    {
        if( ! Request::secure() && getenv('CMS_ENV') == 'production')
        {
            return Redirect::secure(Request::path());
        }
    });
This basically redirects all to https.
If you just want backend... you would need to modify it. If you just want frontend... something like the following to your CMS layout would work:
    function onStart()
    {
        if( ! Request::secure() && getenv('CMS_ENV') == 'production')
        {
            return Redirect::secure(Request::path());
        }
    }
BIG Note, if you are behind a proxy...
If you are behind a proxy, you need something like: https://github.com/fideloper/TrustedProxy You need to put in all your proxy IP addresses in the config for this package.
I wasn't using this so I was getting a redirect loop. After using that, all is good.
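The redirect loop described in the post above, as an added example that is not part of the original thread and not code from the TrustedProxy package: behind a TLS-terminating proxy the application only sees plain HTTP, so the "is this request secure?" check must honour X-Forwarded-Proto, and only when the connecting peer is one of your own proxies. The function names, proxy addresses and canonical host are assumptions made for the illustration.

```php
<?php
// Added illustration in plain PHP (no framework); all names are hypothetical.

// Constructed sample values: the proxies in front of the app and the site's host.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];
const CANONICAL_HOST  = 'example.com';

/** Decide whether the client's connection used HTTPS. $server mimics $_SERVER. */
function isSecureRequest(array $server, array $trustedProxies): bool
{
    // Direct TLS connection to the web server.
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Honour X-Forwarded-Proto only when the peer is one of our proxies;
    // any other client could set that header itself.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

/** Return the HTTPS redirect target, or null when the request can be served. */
function forceHttps(array $server, array $trustedProxies): ?string
{
    if (isSecureRequest($server, $trustedProxies)) {
        return null;
    }
    // Redirect to a configured host rather than reflecting the Host header.
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

// Constructed requests: the browser used HTTPS, the proxy forwarded plain HTTP.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
            'REQUEST_URI' => '/backend'];
$unknown = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
            'REQUEST_URI' => '/backend'];

// Nothing trusted: the HTTPS request still looks insecure and is redirected again (the loop).
var_dump(forceHttps($proxied, []));
// Proxy trusted: the forwarded scheme is honoured and the request is served.
var_dump(forceHttps($proxied, TRUSTED_PROXIES));
// Same header from an unknown peer is ignored, so the check cannot be bypassed by a client.
var_dump(forceHttps($unknown, TRUSTED_PROXIES));
```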
Good work that0n3guy, this does work. I made one change as shown below because I do not use CMS_ENV. I check $_SERVER['HTTP_HOST'] in bootstrap/start.php and set app()->env to either "local", "development", or "production" depending on the value.
    App::before(function ($request) {
        if (!Request::secure() && app()->env == 'production')
        {
            return Redirect::secure(Request::path());
        }
    });
Thanks that0n3guy, I tried what you mentioned:
    App::before(function($request)
    {
        if( ! Request::secure() && getenv('CMS_ENV') == 'production')
        {
            return Redirect::secure(Request::path());
        }
    });
and it fixed it on the front-end, just doesn't work for the backend. It doesn't add https:// to any of the example.com/modules/backend/ CSS or JS - If I read what you said correctly, this would work for the backend as well, but it doesn't seem to be?
Thanks!
jerry3850 said:
Good work that0n3guy, this does work. I made one change as shown below because I do not use CMS_ENV. I check $_SERVER['HTTP_HOST'] in bootstrap/start.php and set app()->env to either "local", "development", or "production" depending on the value.
    App::before(function ($request) {
        if (!Request::secure() && app()->env == 'production') {
            return Redirect::secure(Request::path());
        }
    });
It appears Filters have been deprecated in Laravel 5.2, and they are switched to middleware. Does anyone know how to get this to work with October?
https://laravel.com/docs/master/middleware
NVM, this worked for me: https://octobercms.com/forum/post/octobercms-with-https-ssl?page=1#post-12449
Much easier solution (well I guess this is arguable depending on your setup). Check out LetsEncrypt to get free SSL certificates for your site. That of course fixes the whole forcing SSL issue because you can just have a genuine certificate for free. If you're using something like Laravel Forge to host the site, simply go to the site, click "SSL Certificates", click "LetsEncrypt (Beta)", and then "Obtain Certificate". In a matter of a minute you have a free genuine cert.
There's only one catch (well kinda), and that's:
LetsEncrypt certificates expire after 90 days; however, you may easily auto-renew them using Scheduled jobs in Forge. To get started, add the following command as a monthly scheduled job from your Forge server's management console's "Scheduler" tab
So that being said, if you're using something like forge, crazy easy to set up. Unsure of how tough it'd be otherwise.
I literally have all of my testing sub domains and such set up with it, even when throwing up a quick site. Very quick and easy to do.
I've just set up SSL with letsEncrypt on my shared server. It took 3 days of struggle to find the exact way to do this on a remote Linux server using a local Windows machine. This reference helped me resolve it: https://www.kosinix.com/install-lets-encrypt-certificate-on-shared-hosting/
https://commaster.net/content/how-setup-lets-encrypt-apache-windows
iocare said:
I've just set up SSL with letsEncrypt on my shared server. It took 3 days of struggle to find the exact way to do this on a remote Linux server using a local Windows machine. This reference helped me resolve it: https://www.kosinix.com/install-lets-encrypt-certificate-on-shared-hosting/
https://commaster.net/content/how-setup-lets-encrypt-apache-windows
Better option now available by just using CloudFlare. They have recently introduced Origin Certificates for free. It is a 15 year certificate - LetsEncrypt is great, but it is still beta and I had some bad experiences where the server didn't automatically renew the cert after 90 days (you have to renew the cert every 3 months) and my client servers went down without notice.
Highly recommend if you are already using CloudFlare, just use their free Origin Certs and problem solved. Takes 2 minutes to implement (:
I've created a simple plugin for October CMS to automate Let's Encrypt certificates. https://octobercms.com/plugin/iocare-letsencrypt
It's in a very early stage.
- I have plans for automatic certificate installation
- automatic update and renewal every 3 months
- Multi-site management etc.
Just for reference for everyone. Doing secure links is really easy. There are a couple of settings:
- linkpolicy: https://github.com/octobercms/october/blob/master/config/cms.php#L281
- backendForceSecure: https://github.com/octobercms/october/blob/master/config/cms.php#L52
We don't really mess with backendForceSecure, but setting linkpolicy to "secure" works fine. We just set it to "detect" on development.