How to force SSL?

I have a page that requires https. I have some rules in htaccess that redirect every http to https, but since this website must run inside Facebook canvas I can’t have any redirect; every link must be pure https.

Some of the website content requires login, but every time a user tries to access a page that requires login the user is redirected to, and not to My htaccess then redirects to https, but the problem is that on Facebook this action is blocked.

I need that the call for the login action be done using https.

As mentioned here

// creates an absolute URL using the https scheme:

echo Url::to(['post/index'], 'https');

Yes, I know it, but for example in a controller with an accessControl set to only registered users the login URL is created automatically. How to define it to use https instead of http?

It’s better to use HTTPS for the whole website if you can do it for one page. Check how it can be done via your webserver config.

You can set this param

But samdark is right, it’s better to keep whole site HTTPS.

And how can I do that? I’m using VestaCP, a panel with Apache and Nginx as reverse proxy. I added fastcgi_param HTTPS on; to snginx.conf but the problem keeps appearing:

location / {
        fastcgi_param HTTPS on;

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mp4|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/admin/web/;
            access_log     /var/log/httpd/domains/ combined;
            access_log     /var/log/httpd/domains/ bytes;
            expires        max;
            try_files      $uri @fallback;



This is a good idea, but it seems that the only way to set https in it is by passing an absolute URL in $loginUrl, or is there another way?

Below I added a picture of the requests. As you see, my htaccess already does the redirect to https, but I need that this redirect never occurs; the first call must be https, because without this the website will be blocked inside Facebook canvas.


[Attachment: http redirect https.png]

After initial redirect to https every following Yii redirect should stick to the same protocol if not directly specified to change it afaik. Isn’t this the case?

No, this is exactly my problem. As you can see in the attached image that I put in my previous post, the first request is made in https; then, since this controller requires a registered user, it is redirected to then when this request hits the htaccess it is redirected back to https, but in Facebook canvas the website is blocked before this second redirect occurs.

Yes, but this is the thing - aren’t you at before the redirect is forced?

Yes, I’m on https; then if I try to access an action that requires login it sends me to http.

I did some debugging and I think I found one problem. For example, in any controller, if I add something like this:


This redirect always removes the https and uses only http. Probably a redirect like this is used to ask for the login, and this may be the cause of this problem.

Problem solved. I discovered that $_SERVER['HTTPS'] is never set. And without it Yii doesn’t know that it needs to redirect to https. In my case I did a quick fix, adding:


In index.php in frontend/web and backend/web. Now everything works fine.

Thank you for your help

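The last post's snippet is missing from the page. As an added example (not the poster's code), here is one way to set `$_SERVER['HTTPS']` in index.php behind a TLS-terminating reverse proxy without trusting a client-supplied header. It assumes nginx sends the original scheme with `proxy_set_header X-Forwarded-Proto $scheme;` and that the proxy connects from 127.0.0.1; `isForwardedHttps()` and the sample requests are hypothetical.

```php
<?php
// Added example: goes at the top of frontend/web/index.php and
// backend/web/index.php, before the Yii application is created.

/**
 * Returns true when the original client request used HTTPS.
 * The X-Forwarded-Proto header is honoured only when the TCP peer
 * (REMOTE_ADDR) is one of our own proxies, because any client can
 * send that header on a direct connection.
 */
function isForwardedHttps(array $server, array $trustedProxies): bool
{
    // TLS terminated by this web server itself: flag is already set.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false; // header not from our proxy, ignore it
    }
    // With chained proxies the header may be a list; the first entry
    // describes the client-facing hop.
    $proto = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
    return strtolower(trim($proto)) === 'https';
}

$trustedProxies = ['127.0.0.1']; // assumption: nginx runs on the same host

if (isForwardedHttps($_SERVER, $trustedProxies)) {
    // Yii builds absolute URLs (including the login redirect) from this.
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests showing which cases are accepted.
$samples = [
    'via proxy, https'   => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, http'    => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct, forged hdr' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'direct TLS'         => ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'],
];
if (PHP_SAPI === 'cli') {
    foreach ($samples as $label => $server) {
        printf("%-20s => %s\n", $label, isForwardedHttps($server, $trustedProxies) ? 'https' : 'http');
    }
}
```

Unconditionally setting `$_SERVER['HTTPS'] = 'on'` also stops the http login redirect, but it makes the application treat plain-http requests as secure if the backend is ever reachable without the proxy.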