A Laravel 5.1 application sat behind a BigIP F5 load-balancer appliance, which performed the SSL termination. The traffic from the F5 to Laravel is only over port 80 (internal 'secure' network), so Laravel itself thinks the connection is insecure, and thus all URLs to internal resources were 'http'. We also wanted to maintain the ability to serve certain unauthenticated content over HTTP.
These F5 load-balancers can roll all connections up to HTTPS; however, in this instance we did not wish to do this, as the Laravel application is designed to intercept connections for another decommissioned application which served SSL and non-SSL connections.
- An iRule was added to the Virtual Server on the F5 device to include an 'HTTPS' 'on' header when the request to the F5 device was HTTPS.
- A ServiceProvider was added to Laravel to check for this header and call 'forceSchema()' when required.
- Add the ServiceProvider to config/app.php in the providers array, specifically under the 'Custom providers' comment:

    /*
     * Custom providers...
     */
    App\Providers\SecureRoutingServiceProvider::class,

Your specific configuration may differ from the above. This code may also work with other load balancer devices or services such as CloudFlare. As they send a different header for HTTPS requests, the SecureRoutingServiceProvider.php code may not need the call to setTrustedHeaderName(), for example.
You may like to check the IP provided by getClientIp() against a whitelist before allowing it to be given Trusted Proxy status (in fact I would insist on it!). In our environment nothing but the load balancers themselves can get to our web servers, but clearly your environment might be vastly different to this, especially if you're using a service like CloudFlare.
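
One way to implement the whitelist check suggested above, as an added example rather than the original SecureRoutingServiceProvider.php from this post. It assumes the iRule sends the 'HTTPS' 'on' header as described; the `$loadBalancers` property and the addresses in it are constructed placeholders.

```php
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Symfony\Component\HttpFoundation\IpUtils;
use Symfony\Component\HttpFoundation\Request;

class SecureRoutingServiceProvider extends ServiceProvider
{
    // Constructed placeholder addresses: replace with the self IPs or subnet
    // of your own load balancers. Single IPs and CIDR ranges both work.
    protected $loadBalancers = ['10.0.0.10', '10.0.0.11', '192.168.50.0/28'];

    public function boot()
    {
        $request = $this->app['request'];

        // No trusted proxies are configured yet, so getClientIp() returns
        // the address of the peer that connected directly to this server.
        $peer = $request->getClientIp();

        // A peer that is not on the whitelist gets no proxy trust: its
        // 'HTTPS' header is ignored and URLs keep the real connection scheme.
        if ($peer === null || !IpUtils::checkIp($peer, $this->loadBalancers)) {
            return;
        }

        Request::setTrustedProxies([$peer]);
        // The iRule sends an 'HTTPS' header rather than X-Forwarded-Proto.
        Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'HTTPS');

        // isSecure() now honours the trusted header set by the load balancer.
        if ($request->isSecure()) {
            $this->app['url']->forceSchema('https');
        }
    }

    public function register()
    {
        // Nothing to bind in the container.
    }
}
```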