I know CI4 is not quite production ready, and I also know that on a live site the settings should be set to "production"; however, I have a development domain and hosting site and I have time on my hands now, which I might not get later.

I have got the basics of a generic web set up using CI4 at :

(midia is deliberately spelt wrong, before someone mentions it)

All the basics are working:
- bootstrap4 & breakpoints
- contact form to my email
- a light CMS feature and login
- a basic captcha

Now I want to try to shift from http to https.

On my hosting, via cPanel, there is a "Let's Encrypt" functionality.
Now in the docs I did see that in a controller I could use https_force(). Can someone elaborate on the steps to get CI4 to work with https, on the basis that I have set up "Let's Encrypt"?

CI4 is declared stable, and is now on 4.0.2, with lots of development being done behind the scenes.

Open up your /public/.htaccess and change Line 26
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

You will also need to change your app.baseURL to https:

I think you are referring to the following in the app/config/App.php. Personally I like to do all redirects on server level, as it will give you the best performance. If it can't be done, an option has been provided, with said config.
public $forceGlobalSecureRequests = false;

If you want to add HSTS as CI4 does, you need to add the following to your .htaccess.
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000;"
</IfModule>

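A way to check the outcome of the two .htaccess changes above (the https redirect and the HSTS header), added here as an example that is not part of the original thread. The function names, the `example.test` host and the recorded responses are assumptions constructed for illustration; feed it the status and headers you observe for each hop of your own site.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Tolerates the trailing ';' used in the header shown in the thread."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def _bare(host):
    """Lower-case a host and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit_chain(hops):
    """hops: [(url, status, headers), ...] starting with the plain-http
    request. Returns a list of findings; an empty list means it passed."""
    findings = []
    first_url, status, headers = hops[0]
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append("http request is not permanently redirected")
    elif target.scheme != "https":
        findings.append("redirect target is not https")
    elif _bare(target.hostname) != _bare(urlsplit(first_url).hostname):
        findings.append("redirect leaves the requested host")
    if "strict-transport-security" in headers:
        # RFC 6797: browsers ignore HSTS received over plain http
        findings.append("HSTS sent over plain http (ignored there)")
    final_url, _, final_headers = hops[-1]
    final_headers = {k.lower(): v for k, v in final_headers.items()}
    hsts = parse_hsts(final_headers.get("strict-transport-security", ""))
    max_age = hsts.get("max-age", "")
    if urlsplit(final_url).scheme != "https":
        findings.append("chain does not end on https")
    elif not max_age.isdecimal() or int(max_age) == 0:
        findings.append("https response has no usable HSTS max-age")
    return findings

# Constructed sample chains (not captured from any real site).
GOOD = [("http://www.example.test/contact", 301,
         {"Location": "https://example.test/contact"}),
        ("https://example.test/contact", 200,
         {"Strict-Transport-Security": "max-age=31536000;"})]
NO_REDIRECT = [("http://example.test/contact", 200,
                {"Strict-Transport-Security": "max-age=31536000;"})]
```

Run it against both the `www.` and the bare host: the rewritten rule builds its target from `%1`, a back-reference to a preceding `RewriteCond`, so which hosts get redirected depends on those conditions.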
Thanks very much for that; I can't touch the server as it's not mine, but you have given me options to try, which I appreciate.
Changing the .htaccess is what I mean by server level in this regard. Sorry for the confusion.
(03-16-2020, 01:38 PM) jreklund wrote: Changing the .htaccess is what I mean by server level in this regard. Sorry for the confusion.

Yes, think I got it; in the .htaccess in public, change:

RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]

to:

RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

However, I had a problem on development with the .htaccess that came with CI4; I'm running Slackware Linux and using a virtual host. The .htaccess that came with CodeIgniter didn't work. This one is the one I'm using, which works on localhost dev and the CI4 that I have live:

# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html,
DirectoryIndex index.php

# By default, Apache does not evaluate symbolic links if you did not enable this
# feature in your server configuration. Uncomment the following line if you
# install assets as symlinks or if you experience problems related to symlinks
# when compiling LESS/Sass/CoffeScript assets.
# Options FollowSymlinks

# Disabling MultiViews prevents unwanted negotiation, e.g. "/index" should not resolve
# to the front controller "/index.php" but be rewritten to "/index.php/index".
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Determine the RewriteBase automatically and set it as environment variable.
    # If you are using Apache aliases to do mass virtual hosting or installed the
    # project in a subdirectory, the base path will be prepended to allow proper
    # resolution of the index.php file and to redirect to the correct URI. It will
    # work in environments without path prefix as well, providing a safe, one-size
    # fits all solution. But as you do not need it in this case, you can comment
    # the following 2 lines to eliminate the overhead.
    RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
    RewriteRule .* - [E=BASE:%1]

    # Sets the HTTP_AUTHORIZATION header removed by Apache
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

    # Redirect to URI without front controller to prevent duplicate content
    # (with and without `/index.php`). Only do this redirect on the initial
    # rewrite by Apache and not on subsequent cycles. Otherwise we would get an
    # endless redirect loop (request -> rewrite to front controller ->
    # redirect -> request -> ...).
    # So in case you get a "too many redirects" error or you always get redirected
    # to the start page because your Apache does not expose the REDIRECT_STATUS
    # environment variable, you have 2 choices:
    # - disable this feature by commenting the following 2 lines or
    # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
    #   following RewriteCond (best solution)
    RewriteCond %{ENV:REDIRECT_STATUS} =""
    RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

    # If the requested filename exists, simply serve it.
    # We only want to let Apache serve files and not directories.
    # Rewrite all other queries to the front controller.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ %{ENV:BASE}/index.php [L]
</IfModule>

<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        # When mod_rewrite is not available, we instruct a temporary redirect of
        # the start page to the front controller explicitly so that the website
        # and the generated links can still be used.
        RedirectMatch 307 ^/$ /index.php/
        # RedirectTemp cannot be used instead
    </IfModule>
</IfModule>

I replaced my .htaccess with one from a new download of CI4 and strangely it all worked.

I changed public $baseURL = ''; // that's my localhost

to :

 $baseURL= ''; //my live domain

I then installed "letsencrypt" from cPanel; I went to edit the .htaccess and noted
letsencrypt has overwritten it.

https now seems to be working though at

Great that you got it all sorted out. Maybe letsencrypt failed to auto patch it before.