SSL forcing

When I create a URL like this


$url = Url::to(['/download', 'hash' => 666], true);

it creates something like http://xxxx:443/download


$url = Url::to(['/download', 'hash' => 666], 'https');

it creates something like https://xxxx:443/download

I wonder how I can force https globally, as in setting the default schema,

and how to remove the 443 port from the URL.

Any suggestions?

I found the problem… but not yet a solution

I am running nginx and have a reverse proxy that terminates the SSL.

So Yii is actually running on an HTTP port internally.

So what would be the easiest way to globally force the URLs to be https and without the 443 port?

It might not be the best solution, but it works:

Place this at the beginning of the frontend and backend web index.php


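// Force SSL when behind an SSL proxy
// this ensures that internally generated absolute urls also are ssl
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && "https" == strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']))
{
    // present the request to the application as HTTPS on the standard port
    $_SERVER['SERVER_PORT'] = 443;
    $_SERVER['HTTPS'] = 'on';
    // use the client address reported by the proxy, if any
    if (isset($_SERVER['HTTP_X_REAL_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
    // drop the explicit :443 from the host name
    $_SERVER['HTTP_HOST'] = str_replace(':443', '', $_SERVER['HTTP_HOST']);
}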

I would recommend you make use of filters, also known as middlewares; here is a Yii extension which provides an HTTPS filter as well as other helpers to aid with HTTPS.

Apparently this was another problem and my solution was just a band-aid… my proxy was actually adding the port… removed it from my proxy.

Unless you need an SSL certificate from a specific CA or for business reasons, try LetsEncrypt.org. I was able to set up mandatory HTTPS with nginx in a few simple steps with absolutely no changes to the Yii code. Plus, it’s free.

Regards,

Yes, I do use SSL for the proxy; it is terminated there and internally redirected to the Docker container running Yii.

That all works fine.

UPDATE:

Even though I removed the forwarding port from the proxy, I still had to add this code to make the app play nice when other plugins create a secure link and check the isSecureConnection. Otherwise I get mixed content and that breaks security rulings.
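
A hardened variant of the index.php snippet posted earlier in this thread, as an added example that is not code from any poster here: it honours X-Forwarded-Proto and X-Real-IP only when the connection comes from the proxy itself, because any client that can reach the container directly can send those headers too. The function name, the TRUSTED_PROXIES address and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). TRUSTED_PROXIES is an assumed value:
// replace it with the address(es) your nginx proxy connects from.
const TRUSTED_PROXIES = ['172.18.0.2'];

/**
 * Return a copy of $server with HTTPS/port/host/client IP rewritten from the
 * proxy headers, but only if the TCP peer is one of the trusted proxies.
 */
function applyProxyHeaders(array $server, array $trustedProxies): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        // Direct or unknown client: drop the headers so nothing downstream
        // can be fooled by a forged X-Forwarded-Proto or X-Real-IP.
        unset($server['HTTP_X_FORWARDED_PROTO'], $server['HTTP_X_REAL_IP']);
        return $server;
    }
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $server['HTTPS'] = 'on';
        $server['SERVER_PORT'] = 443;
        // Strip only a trailing ":443", not any occurrence inside the host.
        if (isset($server['HTTP_HOST'])) {
            $server['HTTP_HOST'] = preg_replace('/:443$/', '', $server['HTTP_HOST']);
        }
    }
    // Accept the forwarded client address only if it is a well-formed IP.
    $realIp = $server['HTTP_X_REAL_IP'] ?? '';
    if (filter_var($realIp, FILTER_VALIDATE_IP) !== false) {
        $server['REMOTE_ADDR'] = $realIp;
    }
    return $server;
}

// In index.php, before the application is created:
// $_SERVER = applyProxyHeaders($_SERVER, TRUSTED_PROXIES);

// Constructed sample requests (not real traffic).
$viaProxy = ['REMOTE_ADDR' => '172.18.0.2', 'HTTP_HOST' => 'example.test:443',
    'SERVER_PORT' => 80, 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_REAL_IP' => '203.0.113.7'];
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_HOST' => 'example.test',
    'SERVER_PORT' => 80, 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_REAL_IP' => '10.0.0.1'];

$a = applyProxyHeaders($viaProxy, TRUSTED_PROXIES);
$b = applyProxyHeaders($direct, TRUSTED_PROXIES);
printf("%s %s %s\n", $a['HTTPS'], $a['HTTP_HOST'], $a['REMOTE_ADDR']);
printf("%s %s\n", $b['HTTPS'] ?? 'off', $b['REMOTE_ADDR']);
```

The second sample shows the case the original snippet misses: a request that bypasses the proxy keeps its real peer address and is not marked as HTTPS, whatever headers it carries.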