Running HTTP local application exposed by PROXY on HTTPS (HowTo) #191

robbykrlos opened this issue Sep 30, 2022 · 0 comments
This is a note to whom it may concern.

Prerequisites

  • Are you running the latest version?
  • Are you reporting to the correct repository?
  • Did you check the documentation?
  • Did you perform a cursory search?

Description

This is not an issue, just information that may help others.

I have a slightly complicated infrastructure setup that I cannot change:

  • production server is hosted in an internal network (no visibility outside)
  • it was requested to be configured on http://localhost:8080
  • there is a load-balancer in front that deals with proxying and also deals with https (ssl certificates), ex: https://myapp.net

After deploying Laravel-Enso, I have considered that these changes are needed:

### .env

APP_URL=https://myapp.net
SANCTUM_STATEFUL_DOMAINS=myapp.net:443,myapp.net

### client/.env

API_URL=https://myapp.net

OK, but this works only until I press the login button, when I get this API call blocked by the browser because of "Mixed block":

scheme | http
host | myapp.net
filename | /api/login

So, even though all configuration is pointing my application to https, the login route /api/login is using http.

Then I traced it down to the /api/meta API call made when the login page is loaded, specifically to:

-vendor/laravel-enso/core/routes/api.php
--vendor/laravel-enso/core/src/Http/Controllers/Guest.php
---vendor/laravel-enso/core/src/Http/Responses/GuestState.php

    return [
        'appName' => config('app.name'),
        'appUrl' => url('/').'/',
        'extendedDocumentTitle' => config('enso.config.extendedDocumentTitle'),
        'showQuote' => config('enso.config.showQuote'),
    ];

I was thinking initially that this is a bug, but then I looked at the url method:
-vendor/laravel/framework/src/Illuminate/Foundation/helpers.php @ function url
--vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php @ public function to($path, $extra = [], $secure = null)
---vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php @ public function formatScheme($secure = null)
----vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php @ public function getScheme(): string
-----vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php @ public function isSecure(): bool

    /**
     * Checks whether the request is secure or not.
     *
     * This method can read the client protocol from the "X-Forwarded-Proto" header
     * when trusted proxies were set via "setTrustedProxies()".
     *
     * The "X-Forwarded-Proto" header must contain the protocol: "https" or "http".
     */
    public function isSecure(): bool
    {
        if ($this->isFromTrustedProxy() && $proto = $this->getTrustedValues(self::HEADER_X_FORWARDED_PROTO)) {
            return \in_array(strtolower($proto[0]), ['https', 'on', 'ssl', '1'], true);
        }

        $https = $this->server->get('HTTPS');

        return !empty($https) && 'off' !== strtolower($https);
    }

So, finally, I only needed to make sure that my Proxy server will have this header set:

Header add X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Proto "https"
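
The quoted isSecure() honours X-Forwarded-Proto only when isFromTrustedProxy() is true, so the header is a trust decision tied to the address the request arrives from. The sketch below is an added example, not code from this issue, Laravel-Enso, Laravel or Symfony: it models that decision in plain PHP, and the function names, addresses and trusted ranges are assumptions made for illustration.

```php
<?php
// Added example, not Laravel or Symfony code: a dependency-free model of the
// isSecure() decision quoted above. Names and addresses are constructed;
// IPv4 only; assumes 64-bit PHP.

/** True when $ip equals $cidr or lies inside it (e.g. "10.0.0.0/8"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** X-Forwarded-Proto counts only when the TCP peer is a configured proxy. */
function requestIsSecure(array $server, array $trustedProxies): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $trusted = false;
    foreach ($trustedProxies as $cidr) {
        $trusted = $trusted || ipInCidr($peer, $cidr);
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($trusted && $proto !== '') {
        return in_array($proto, ['https', 'on', 'ssl', '1'], true);
    }
    // Untrusted peer or no header: fall back to what this server saw itself.
    $https = $server['HTTPS'] ?? '';
    return !empty($https) && strtolower($https) !== 'off';
}

// Constructed requests, all arriving at the backend over plain HTTP.
$viaBalancer = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$cases = [
    'balancer trusted, header https' => [$viaBalancer, ['10.0.0.0/8']],
    'no proxies trusted, header https' => [$viaBalancer, []],
    'untrusted peer sets the header itself' => [$direct, ['10.0.0.0/8']],
];
foreach ($cases as $label => [$server, $proxies]) {
    printf("%-40s => %s\n", $label, requestIsSecure($server, $proxies) ? 'https' : 'http');
}
```

Keeping the trusted list limited to the balancer's own address means a client that reaches the backend directly cannot make the application generate https URLs by sending the header itself.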