One day in your Laravel app, you are required to redirect all `http` requests to `https`, but you need to keep a certain URL route accessible via `http` for some reason; perhaps a portion of your JavaScript code needs to redirect to an `http` URL but can't, because redirecting from a secure URL to an insecure one is prohibited. In cases like this, you need to allow just that one URL to make an `http` connection.
NOTE: There are obvious security implications here, so don't just follow this blindly; understand whether this is really the solution you're looking for. The nginx config can somehow be improved, I just don't have the time yet. It sure does look redundant.
- Redirect everything from `http` to `https`:
  - http://example.com/ -> https://example.com
  - http://example.com/login -> https://example.com/login
  - https://example.com/login -> https://example.com/login
- But make an exception like below:
  - http://example.com/except -> http://example.com/except
  - https://example.com/except -> http://example.com/except
```php
// Translates to http(s)://example.com/except/{blablabla}
Route::get('except/{target}', ['as' => 'except', 'uses' => 'MyController@getExcept']);
```
```nginx
server {
    listen 80;
    server_name example.com;

    #access_log /var/log/example.com.access.log;
    error_log /var/log/example.com.error.log warn;

    root /srv/www/example.com/public;
    index index.php;

    # Redirect all http to https
    location / {
        return 301 https://example.com$request_uri;
    }

    # URL exception: anything under http://example.com/except/ is served over http as it is
    location /except/ {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 443 ssl;

    # SSL via LetsEncrypt
    ssl_certificate /root/.acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/example.com/example.com.key;

    # Strengthening security
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_dhparam /etc/ssl/certs/dhparams.pem;

    server_name example.com;

    #access_log /var/log/example.com.access.log;
    error_log /var/log/example.com.error.log warn;

    root /srv/www/example.com/public;
    index index.php;

    # Just process requests normally
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Redirect https requests for the exception URL to http.
    # The trailing slash keeps this prefix identical to the port-80 exception block;
    # without it, URIs such as /exceptional would bounce between http and https.
    # Note: this exception is incompatible with HSTS; a Strict-Transport-Security
    # header would make browsers upgrade /except/ back to https and loop.
    location /except/ {
        return 301 http://example.com$request_uri;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;
    }
}
```
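The redirect chain through the two server blocks can be checked with a small model. This is an added example, not the author's code; it covers only the prefix locations (the `\.php$` regex block is left out) and compares a 443 exception prefix of `/except` against `/except/`, with port 80 fixed at `/except/`. The function names and sample paths are constructed for illustration.

```python
# Added example: a constructed model of the two nginx server blocks.
# Each scheme maps location prefixes to an action; like nginx prefix
# locations, the longest matching prefix wins.
SERVE, TO_HTTP, TO_HTTPS = "serve", "http", "https"


def build_config(https_exception_prefix):
    """Port 80 always excepts /except/; the 443 prefix is the variable."""
    return {
        "http": {"/": TO_HTTPS, "/except/": SERVE},
        "https": {"/": SERVE, https_exception_prefix: TO_HTTP},
    }


def match(locations, path):
    """Return the action of the longest prefix location matching path."""
    best = max((p for p in locations if path.startswith(p)), key=len)
    return locations[best]


def follow(config, scheme, path):
    """Follow 301s until a block serves the request; 'loop' if none does."""
    visited = set()
    while scheme not in visited:
        action = match(config[scheme], path)
        if action == SERVE:
            return scheme
        visited.add(scheme)
        scheme = action  # the redirect keeps the path, only the scheme flips
    return "loop"


def audit(config, paths):
    """Map each path to where an https request for it finally lands."""
    return {p: follow(config, "https", p) for p in paths}


PATHS = ["/login", "/except/abc", "/except", "/exceptional"]  # constructed
MISMATCHED = build_config("/except")   # 443 prefix without trailing slash
MATCHED = build_config("/except/")     # same prefix on both ports

if __name__ == "__main__":
    for name, cfg in (("mismatched", MISMATCHED), ("matched", MATCHED)):
        print(name, audit(cfg, PATHS))
```

With mismatched prefixes, any path that the 443 block sends to http but the port-80 block does not except is never served; with identical prefixes, only `/except/...` leaves https.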