HowTo - Force HTTPS

Edit on GitHub

The following article describes how you can force to use HTTPS in your pages.

Load balancer

If your servers are behind a load balancer and the load balancer is doing the redirects from HTTP to HTTPS, you don’t need to further configure the application.

Perform the following steps to configure the application to use HTTPS.

1. Force HTTPS for all pages

To force HTTPS on all pages, you have to set $config[ApplicationConstants::(YVES|ZED)_SSL_ENABLED] to true. The application will then always force HTTPS on all pages.

Configuration

<?php

use Spryker\Shared\Application\ApplicationConstants;

// Zed
$config[ApplicationConstants::ZED_SSL_ENABLED] = true;

// Yves
$config[ApplicationConstants::YVES_SSL_ENABLED] = true;

Before a controller is resolved, the application checks if the request is secure and that the requested resource is not excluded from HTTPS.

Info

If the request is not secure and not excluded from HTTPS, the application will return a redirect response if the page was requested with HTTP.
If the request is secure and the page is excluded from HTTPS, the application will allow requests with HTTP.

2. Allow pages to use HTTP

You can also allow some of your pages not to use HTTPS. If you want to allow some pages to use HTTP you can add them to $config[ApplicationConstants::(YVES|ZED)_SSL_EXCLUDED] and only set $config[ApplicationConstants::(YVES|ZED)_SSL_ENABLED] to true. The key in this array is the route name and the value is the URL.

Configuration

<?php

use Spryker\Shared\Application\ApplicationConstants;

// Zed
$config[ApplicationConstants::ZED_SSL_ENABLED] = true;
$config[ApplicationConstants::ZED_SSL_EXCLUDED] = [
    'route-name' => '/url'
];

// Yves
$config[ApplicationConstants::YVES_SSL_ENABLED] = true;
$config[ApplicationConstants::YVES_SSL_EXCLUDED] = [
    'route-name' => '/url'
];

When is a request secure?

There are two options that identify if a request is secure or not.

  1. When the value of $request->server->get('REMOTE_ADDR') is found in the configured trusted proxies and the value of $request->header->get('X_FORWARDED_PROTO') is HTTPS.
  2. When the value of $request->server->get('HTTPS') is HTTPS.

The checks for a secure request is made in this order.

Trusted proxy configuration

Trusted proxy configuration

Both applications have a configuration for trusted proxies. To use trusted proxies, configure $config[ApplicationConstants::(YVES|ZED)_TRUSTED_PROXIES].

Configuration

<?php

use Spryker\Shared\Application\ApplicationConstants;

// Zed
$config[ApplicationConstants::ZED_TRUSTED_PROXIES] = [
    // the IP address (or range) of your proxy
    '192.0.0.1',
    '10.0.0.0/8',
];

// Yves
$config[ApplicationConstants::YVES_TRUSTED_PROXIES] = [
    // the IP address (or range) of your proxy
    '192.0.0.1',
    '10.0.0.0/8',
];

As described above, the application checks if the value of $request->server->get('REMOTE_ADDR') can be found in your configured trusted proxies. If so, the current request is marked as secure when the value of $request->header->get('X_FORWARDED_PROTO') is HTTPS.