CodeSleeve / asset-pipeline

This Laravel 4 package provides a very simple and easy to use asset pipeline. It was heavily inspired by the Rails asset pipeline. We make use of the wonderful Assetic package to help with pre-compilation!
http://www.codesleeve.com
MIT License

Assets over SSL #196

Closed Jamesking56 closed 9 years ago

Jamesking56 commented 9 years ago

Hello,

I'm converting my Laravel application from Non-SSL to using SSL. How can I get the include tags generated by Asset-Pipeline to use the SSL version of my URL?

mrtnpro commented 9 years ago

+1

mpampols commented 9 years ago

+1

evantishuk commented 9 years ago

So, the base urls are generated here: https://github.com/CodeSleeve/asset-pipeline/blob/master/src/Codesleeve/AssetPipeline/Composers/JavascriptComposer.php#L15 and https://github.com/CodeSleeve/asset-pipeline/blob/master/src/Codesleeve/AssetPipeline/Composers/StylesheetComposer.php#L15 and https://github.com/CodeSleeve/asset-pipeline/blob/master/src/Codesleeve/AssetPipeline/Composers/ImageComposer.php#L15

AFAIK, that's the same url function as Laravel's core helper http://laravel.com/docs/helpers#urls. This ties it back to the rather unfortunate situation with how url protocols are handled with Laravel and Symfony. There's no way to just create a protocol agnostic link; they always have a protocol.

I have most of the routes on my application being manually forced to SSL roughly following this approach: http://stackoverflow.com/questions/19967788/laravel-redirect-all-requests-to-https. Looks like:

Route::filter('force.https', function()
{
  // Redirect any request that did not arrive over HTTPS
  if(!Request::secure())
  {
    // Rebuild the query string from the request input
    $data  = Input::all();
    $query = http_build_query($data);
    $query = $query ? "?".$query : null;
    return Redirect::secure(str_replace('http:', 'https:', URL::current().$query))->withInput();
    // return Redirect::secure(Request::getRequestUri()); /* broken on my development environment, but probably the "right" way to do this */
  }
});

This, however, is redundant because I also have Apache set up to force all traffic to be secure... I still force the routes for portability reasons, but I digress.

I'm not 100% sure if it's peculiar to my environment, but somehow Laravel knows I want my routes to be secure. For example, when I call url() it correctly returns https://mydomain.tld and if I call url('/', array(), false) (third parameter is boolean flag for secure/insecure), it will force the protocol to vanilla http and return http://mydomain.tld. Clearly, it's picking up that https is intended as the default on my environment.

So, you may want to try messing with forcing your routes to https or with your Apache config to see if it just works.

FWIW, this issue was brought up before (https://github.com/CodeSleeve/asset-pipeline/issues/31) but the package and Laravel have undergone some significant changes since.

stewartadam commented 9 years ago

@Jamesking56 did you resolve this, and if so, what worked? Otherwise this should stay open.

One issue I'm seeing is that if the site is mixed HTTP and HTTPS, the asset pipeline will cache URLs using whatever protocol happened to be active at the time of generation. If that happened to be a non-secured page, then assets on HTTPS fail to load due to URLs pointing to mixed content.
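
A way to check for the cached-protocol problem described in the last comment, as an added example that is not part of the original thread or of the asset-pipeline project: it scans rendered include tags for asset URLs that still use plain `http://` and would therefore be blocked as mixed content on an HTTPS page. The function name `findInsecureAssets` is hypothetical and the sample HTML is constructed.

```php
<?php
// Added example (not asset-pipeline code): list asset tags whose URL is
// plain http:// and would be treated as mixed content on an HTTPS page.

function findInsecureAssets($html)
{
    if (trim($html) === '') {
        return array(); // nothing to parse
    }

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate HTML5 / fragments
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Tag => attribute that carries the asset URL
    $attrs = array('script' => 'src', 'link' => 'href', 'img' => 'src');
    $found = array();

    foreach ($attrs as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // This example only checks <link> tags that load stylesheets
            if ($tag === 'link' && stripos($node->getAttribute('rel'), 'stylesheet') === false) {
                continue;
            }
            $url = trim($node->getAttribute($attr));
            // Relative and https:// URLs follow the page's own scheme or are already secure
            if (stripos($url, 'http://') === 0) {
                $found[] = array('tag' => $tag, 'url' => $url);
            }
        }
    }
    return $found;
}

// Constructed sample: include tags as they might be cached from a non-HTTPS request
$cached = <<<HTML
<link href="http://mydomain.tld/assets/application.css" rel="stylesheet" type="text/css">
<script src="http://mydomain.tld/assets/application.js"></script>
<script src="https://mydomain.tld/assets/vendor.js"></script>
<img src="/assets/logo.png">
HTML;

foreach (findInsecureAssets($cached) as $hit) {
    echo $hit['tag'], ' ', $hit['url'], PHP_EOL;
}
```

Run against the HTML of a page served over HTTPS, any line it prints is an asset tag that was generated with the wrong scheme.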