ForceSSL in `cwpsecurity` yaml block interferes with custom use of `Director::forceSSL()`

[jakedaleweb]

When using this part of the recipe on a cwp site, if a user sets Director::forceSSL() in their _config.php, for example, their site will not redirect to https on all URLs.

This is because this yaml block https://github.com/silverstripe/cwp-core/blob/master/_config/security.yml#L25 sets ForceSSLPatterns. In order to force SSL with Director a CWP user would have to set the following yaml:

Name: whatever
After: cwpsecurity
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Middleware\CanonicalURLMiddleware:
    properties:
      ForceSSL: true
      ForceSSLPatterns: null

This isn't necessarily a bug, because the code is doing what it should, but the documentation probably needs to be updated to clarify why Director::forceSSL() doesn't work in _config.php as people would usually expect.

[robbieaverill]

Ideally we'd support it there as well, but encourage people to configure their SSL rules in YAML (or htaccess if using Apache). This could probably be moved to a framework issue, since CanonicalURLMiddleware appears not to be compatible with Director::forceSSL().

[scott1702]

Might also be best to update the docs to opt for the yaml configuration instead of a change in php

[NightJar]

That's the goal that's spurred the investigation resulting in this issue @scott1702 :)