CodeIgniter Forums
http to https - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forum-28.html)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forum-30.html)
+--- Thread: http to https (/thread-75776.html)



http to https - captain-sensible - 03-16-2020

I know CI4 is not quite production ready and I also know that when on a live site settings should be to "production" however I have a development domain and hosting site and i have time on my hands now, which i might not get later.

I have got the basics of a generic web set up using CI4 at : http://www.benxmidia.com

(midia is deliberately spelt wrong before someone mentions it )

All the basics are working :
                                            bootstrap4 & breakpoints
                                          contact form to my email
                                        and a light CMS feature and login
                                       a basic captcha

now i now want to try to shift from http to https

On my hosting via cpanel there is a "lets encrypt" functionality.
Now in the docs i did see that in a controller i could use https_force(0 in a controller. Can someone
elaborate on steps to get CI4 to work with https on the basis that I have set up "lets encrypt"


RE: http to https - jreklund - 03-16-2020

CI 4 are declared stable, and are now on 4.0.2. With lots of development being done behind the scene.

Open up your /public/.htaccess and change Line 26
Code:
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

You will also need to change your app.baseURL to https:
https://codeigniter4.github.io/userguide/installation/running.html#initial-configuration-set-up

I think you are referring to the following in the app/config/App.php. Personally I like to do all redirects on server level, as it will give you best performance. If it can't be done, an option have been provided, with said config.
Code:
public $forceGlobalSecureRequests = false;

If you want to add HSTS as CI4 does, you need to add the following to your .htaccess.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Code:
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000;"
</IfModule>



RE: http to https - captain-sensible - 03-16-2020

thanks very much for that ; i can't touch server as its not mine but you have given me options to try which i appreciate.


RE: http to https - jreklund - 03-16-2020

Changing the .htaccess are what I mean by server level in this regard. Sorry for the confusion.


RE: http to https - captain-sensible - 03-16-2020

(03-16-2020, 01:38 PM)jreklund Wrote: Changing the .htaccess are what I mean by server level in this regard. Sorry for the confusion.


 yes think i got it ; the .htaccess in public change:

RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
 

to


RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]


however i had a problem on development with htaccess that csme with CI4 ; i'm running slackeware linux and using virtual host. The .htaccess that came with codeigniter didn't work this one is the one i'm using which works on localhost dev and Ci4 that i have live :


Code:
# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
DirectoryIndex index.php

# By default, Apache does not evaluate symbolic links if you did not enable this
# feature in your server configuration. Uncomment the following line if you
# install assets as symlinks or if you experience problems related to symlinks
# when compiling LESS/Sass/CoffeScript assets.
# Options FollowSymlinks

# Disabling MultiViews prevents unwanted negotiation, e.g. "/index" should not resolve
# to the front controller "/index.php" but be rewritten to "/index.php/index".
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Determine the RewriteBase automatically and set it as environment variable.
    # If you are using Apache aliases to do mass virtual hosting or installed the
    # project in a subdirectory, the base path will be prepended to allow proper
    # resolution of the index.php file and to redirect to the correct URI. It will
    # work in environments without path prefix as well, providing a safe, one-size
    # fits all solution. But as you do not need it in this case, you can comment
    # the following 2 lines to eliminate the overhead.
    RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
    RewriteRule .* - [E=BASE:%1]

    # Sets the HTTP_AUTHORIZATION header removed by Apache
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

    # Redirect to URI without front controller to prevent duplicate content
    # (with and without `/index.php`). Only do this redirect on the initial
    # rewrite by Apache and not on subsequent cycles. Otherwise we would get an
    # endless redirect loop (request -> rewrite to front controller ->
    # redirect -> request -> ...).
    # So in case you get a "too many redirects" error or you always get redirected
    # to the start page because your Apache does not expose the REDIRECT_STATUS
    # environment variable, you have 2 choices:
    # - disable this feature by commenting the following 2 lines or
    # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
    #   following RewriteCond (best solution)
    RewriteCond %{ENV:REDIRECT_STATUS} =""
    RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

    # If the requested filename exists, simply serve it.
    # We only want to let Apache serve files and not directories.
    # Rewrite all other queries to the front controller.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ %{ENV:BASE}/index.php [L]
</IfModule>

<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        # When mod_rewrite is not available, we instruct a temporary redirect of
        # the start page to the front controller explicitly so that the website
        # and the generated links can still be used.
        RedirectMatch 307 ^/$ /index.php/
        # RedirectTemp cannot be used instead
    </IfModule>
</IfModule>



RE: http to https - captain-sensible - 03-17-2020

i replaced my .httaccess to one from a new download of CI4 and strangely it all worked.

I changed public $baseURL = 'http://127.0.0.2'; //thats my localhost

to :


 $baseURL= 'https://www.benxmidia.com/'; //my live domain

I then from cpanel installed "letsencrypt" ; i went to edit .httacess and noted
letsencypt has over written it.


https now seems to be working though at https://www.benxmidia.com


RE: http to https - jreklund - 03-17-2020

Great that you got it all sorted out. Maybe letsencrypt failed to auto patch it before.