HowTo - Force HTTPS
The following article describes how to force the use of HTTPS on your pages.
If your servers are behind a load balancer and the load balancer is doing the redirects from HTTP to HTTPS, you don’t need to further configure the application.
Perform the following steps to configure the application to use HTTPS.
1. Force HTTPS for all pages
To force HTTPS on all pages, you have to set $config[ApplicationConstants::(YVES|ZED)_SSL_ENABLED] to true. The application will then always force HTTPS on all pages.
Configuration
<?php
use Spryker\Shared\Application\ApplicationConstants;
// Zed
$config[ApplicationConstants::ZED_SSL_ENABLED] = true;
// Yves
$config[ApplicationConstants::YVES_SSL_ENABLED] = true;
Before a controller is resolved, the application checks whether the request is secure and whether the requested resource is excluded from HTTPS.
If the request is not secure and the requested resource is not excluded from HTTPS, the application returns a redirect response for the page that was requested with HTTP.
If the request is secure and the page is excluded from HTTPS, the application will allow requests with HTTP.
2. Allow pages to use HTTP
You can also allow some of your pages not to use HTTPS. To allow some pages to use HTTP, add them to $config[ApplicationConstants::(YVES|ZED)_SSL_EXCLUDED] and keep $config[ApplicationConstants::(YVES|ZED)_SSL_ENABLED] set to true. The key in this array is the route name and the value is the URL.
Configuration
<?php
use Spryker\Shared\Application\ApplicationConstants;
// Zed
$config[ApplicationConstants::ZED_SSL_ENABLED] = true;
$config[ApplicationConstants::ZED_SSL_EXCLUDED] = [
    'route-name' => '/url'
];
// Yves
$config[ApplicationConstants::YVES_SSL_ENABLED] = true;
$config[ApplicationConstants::YVES_SSL_EXCLUDED] = [
    'route-name' => '/url'
];
When is a request secure?
There are two cases in which a request is identified as secure:
- When the value of $request->server->get('REMOTE_ADDR') is found in the configured trusted proxies and the value of $request->header->get('X_FORWARDED_PROTO') is HTTPS.
- When the value of $request->server->get('HTTPS') is HTTPS.
The checks for a secure request are made in this order.
Trusted proxy configuration
Both applications have a configuration for trusted proxies. To use trusted proxies, configure $config[ApplicationConstants::(YVES|ZED)_TRUSTED_PROXIES].
Configuration
<?php
use Spryker\Shared\Application\ApplicationConstants;
// Zed
$config[ApplicationConstants::ZED_TRUSTED_PROXIES] = [
    // the IP address (or range) of your proxy
    '192.0.0.1',
    '10.0.0.0/8',
];
// Yves
$config[ApplicationConstants::YVES_TRUSTED_PROXIES] = [
    // the IP address (or range) of your proxy
    '192.0.0.1',
    '10.0.0.0/8',
];
As described above, the application checks if the value of $request->server->get('REMOTE_ADDR') can be found in your configured trusted proxies. If so, the current request is marked as secure when the value of $request->header->get('X_FORWARDED_PROTO') is HTTPS.
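The decision flow described on this page, written out as an added plain-PHP example (not Spryker's own code; the function names ipMatches, isSecureRequest and decide and the sample requests are constructed for illustration, and IPv4 addresses are assumed). It shows why X_FORWARDED_PROTO is honoured only when REMOTE_ADDR matches a configured trusted proxy: the same header sent from any other address leaves the request insecure, so it is redirected.

```php
<?php // Added illustration, not Spryker code. Function names are hypothetical.
/** True if IPv4 $ip equals $entry or lies inside the CIDR range $entry. */
function ipMatches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$subnet, $bits] = explode('/', $entry, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed input is never treated as trusted
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF; // assumes 64-bit PHP
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Applies the two checks in the order the page gives them. */
function isSecureRequest(array $server, array $headers, array $trustedProxies): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $proxy) {
        // The forwarded header is believed only when the peer is a trusted proxy.
        if (ipMatches($remote, $proxy) && strtolower($headers['X_FORWARDED_PROTO'] ?? '') === 'https') {
            return true;
        }
    }
    // Second check, worded as on the page: the server HTTPS value is HTTPS.
    return strtolower($server['HTTPS'] ?? '') === 'https';
}

/** 'redirect' when the request is not secure and the URL is not excluded. */
function decide(bool $secure, string $path, array $sslExcluded): string
{
    return (!$secure && !in_array($path, $sslExcluded, true)) ? 'redirect' : 'allow';
}

$trusted = ['192.0.0.1', '10.0.0.0/8'];   // proxy values from the page
$excluded = ['route-name' => '/url'];     // excluded route from the page
$cases = [                                // constructed sample requests
    'trusted proxy, https'  => [['REMOTE_ADDR' => '10.1.2.3'], ['X_FORWARDED_PROTO' => 'https'], '/cart'],
    'trusted proxy, http'   => [['REMOTE_ADDR' => '10.1.2.3'], ['X_FORWARDED_PROTO' => 'http'], '/cart'],
    'untrusted sets header' => [['REMOTE_ADDR' => '203.0.113.7'], ['X_FORWARDED_PROTO' => 'https'], '/cart'],
    'plain http, excluded'  => [['REMOTE_ADDR' => '203.0.113.7'], [], '/url'],
];
foreach ($cases as $label => [$server, $headers, $path]) {
    $secure = isSecureRequest($server, $headers, $trusted);
    printf("%-24s secure=%-3s %s\n", $label, $secure ? 'yes' : 'no', decide($secure, $path, $excluded));
}
```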