10

With my new project, when I deploy my app to my https:// domain, every {{ asset() }} and every {{ route() }} is being served over http (which causes "mixed content" security issues in browsers).

I'm using AWS with a load-balanced Elastic Beanstalk application.

I've tried ensuring APP_URL is correctly set to https, and I understand I can use secure_asset or forceScheme, however I didn't have to do this with my previous project and I want to understand why.

How can I see where Laravel is making a decision about protocol? I want to get to the root of the problem rather than plaster over it.

Chuck Le Butt
  • 3
    Is your SSL cert being implemented by an AWS load balancer? If so, Laravel includes the Fideloper/TrustedProxies package to handle this. You need to publish the config and set the proxies to * as the load balancer forwarding IP can vary. – Rob Fonseca Jul 05 '18 at 10:28
  • @RobFonseca Yes, I've just discovered this. You are absolutely right – Chuck Le Butt Jul 05 '18 at 11:02

2 Answers

19

This is an easy gotcha. If you're using AWS you need to change your config. It's very simple and, as usual, Laravel's documentation has the solution. You can read more here:

https://laravel.com/docs/5.6/requests#configuring-trusted-proxies

All I had to do (as an AWS Elastic Beanstalk user) was edit app/Http/Middleware/TrustProxies.php:

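<?php

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Fideloper\Proxy\TrustProxies as Middleware;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     * '*' trusts whichever address connects to the app.
     *
     * @var array|string
     */
    protected $proxies = '*';

    /**
     * The headers that should be used to detect proxies.
     * This set matches the X-Forwarded-* headers an AWS ELB sends.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_AWS_ELB;
}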

Now everything is fine. Easy to miss when setting up a new project.

Chuck Le Butt
  • 2
    Thanks for the tip about trust proxy. I use https://github.com/fideloper/TrustedProxy and it works perfectly. – shalonteoh Nov 23 '18 at 01:38
  • @shalonteoh Not sure what you mean. Laravel comes with TrustedProxy bundled already. That's what the above code refers to – Chuck Le Butt Nov 23 '18 at 10:45
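
Added example (not part of the answer above, and not Laravel's or Symfony's source): a simplified standalone PHP model of the decision the question asks about, namely whether a request counts as HTTPS when TLS ends at the load balancer. The function names, the sample addresses and the 10.0.0.0/16 VPC range are assumptions made for illustration.

```php
<?php
// Simplified model of the scheme decision; not Laravel's or Symfony's source.

/** True when $ip equals $range or lies inside an IPv4 CIDR such as 10.0.0.0/16. */
function ipMatches(string $ip, string $range): bool
{
    if (strpos($range, '/') === false) {
        return $ip === $range;
    }
    [$subnet, $bits] = explode('/', $range, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** $server: $_SERVER-style values for one request.
 *  $trusted: '*' or a list of proxy IPs/CIDRs; [] trusts none. */
function requestIsSecure(array $server, $trusted): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = $trusted === '*';
    $ranges = $trusted === '*' ? [] : $trusted;
    foreach ($ranges as $range) {
        $fromProxy = $fromProxy || ipMatches($peer, $range);
    }
    // X-Forwarded-Proto counts only when the connecting peer is a trusted proxy.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    if ($fromProxy && $proto !== '') {
        return in_array(strtolower($proto), ['https', 'on', 'ssl', '1'], true);
    }
    // Otherwise only the TLS state of the direct connection decides.
    $https = $server['HTTPS'] ?? '';
    return !empty($https) && strtolower($https) !== 'off';
}

// Constructed samples. The balancer ends TLS and connects over plain HTTP.
$viaElb = ['REMOTE_ADDR' => '10.0.1.23', 'HTTP_X_FORWARDED_PROTO' => 'https'];
// A client that reached the instance directly and supplied the header itself.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];

foreach (['none' => [], 'any (*)' => '*', 'VPC CIDR' => ['10.0.0.0/16']] as $label => $trusted) {
    printf("trusted=%-9s via ELB: %-5s direct: %s\n", $label,
        var_export(requestIsSecure($viaElb, $trusted), true),
        var_export(requestIsSecure($direct, $trusted), true));
}
```

Run it with `php` on the command line: with no trusted proxies the forwarded header is ignored and the ELB request is treated as http, `'*'` accepts the header from any peer including the direct one, and the CIDR list accepts it only from the balancer's range. Trusting `'*'` therefore relies on the instances being reachable only through the load balancer.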
0

I believe secure_asset is what you're looking for.
Here is an example:

<link href="{{ secure_asset('assets/mdi/css/materialdesignicons.min.css') }}" media="all" rel="stylesheet" type="text/css" />

Update:

A better solution to do it right (tested in Laravel 5.4):

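<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Bootstrap any application services.
     *
     * @return void
     */
    public function boot()
    {
        // Ask the application for its environment: env() returns null
        // outside config files once the configuration is cached.
        if ($this->app->environment('production')) {
            // Generate every URL (route(), asset(), url()) with https.
            \URL::forceScheme('https');
        }
    }

    /**
     * Register any application services.
     *
     * @return void
     */
    public function register()
    {
        //
    }
}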
Gothiquo