Support the ongoing development of Laravel.io →
robintheb
posted 11 years ago
Configuration Security Requests

I have a questions about https requests:

The example in the official Laravel4 docs doesn't work in my app:

Route::get('foo', array('https', function()
{
    return 'Must be over HTTPS';
}));

The above returns a 404 when I visit https:://.../foo

However, the next route does work:

Route::get('foo',  array('https' => true, function()
{
    return 'Must be over HTTPS';
}));

But here's the strange thing: when I execute URL::route('foo') with the first example it returns https://.../foo, but the second example simply returns http://.../foo

So the first example doesn't recognize https-requests, but adds "https" to URL::route('foo'). The second example recognizes https-requests, but doesn't add "https" to URL::route('foo').

I can only find very little information about this topic. Does anybody know the difference or why the first example doesn't work? I use PHP5.4, Laravel 4.1 and nginx.

Last updated 3 years ago.
0
robintheb
replied 11 years ago
Solution

I found the solution myself. The problem was that Laravel was unaware whether the request was secure or not because nginx didn't pass the HTTPS parameter.

For those who wonder, you can add it with this line in the nginx config:

fastcgi_param  HTTPS on;

In that case the first example works. The second example worked partly because of the poor implementation of in_array(). The next function, located in Illuminate/Routing/Route.php returns true even if a key name of the array is "https".

public function httpOnly()
{
        return in_array('http', $this->action);
}

A better function would be to add true to make it strict and more correct.

public function httpOnly()
{
        return in_array('http', $this->action, true);
}
Last updated 3 years ago.
0
mrtimp
replied 11 years ago

For what its worth. I had this same issue earlier today when using Jasons new Dingo API. In my development environment I was using Apache 2.2.15 (CentOS back port) and have disabled HTTP (i.e. only running HTTPS).

A basic default route wouldn't work due to me making my API call over HTTPS and Illuminate\Routing\Matching\SchemeValidator presuming I should only be making such call over HTTP.

I'm not sure if this is a Laravel issue or an issue with Dingo so will open a GitHub issue with Dingo and see how we get on.

Last updated 3 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

RobinTheb robintheb Joined 21 Mar 2014

Moderators

We'd like to thank these amazing companies for supporting us

Eventy NativePHP
Fathom
Forge
Envoyer
Beyond Code
BairesDev
N-iX
Litslink

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X (Twitter) Bluesky Bluesky GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2025 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise