cakephp and https redirects

I have this in my .htaccess file and it works great. I have it ignoring local and staging URLs, so if I had http://local.example.com it will not force redirection for that URL. Those lines can be removed. I like using the .htaccess approach over the one in the AppController. This is also the top-level .htaccess file in a standard CakePHP install on a shared hosting environment. There are three .htaccess files in a normal CakePHP install.

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /

    # FORCE SSL REDIRECTION
    RewriteCond %{ENV:HTTPS} !on [NC]
    RewriteCond %{HTTP_HOST} !^local [NC]
    RewriteCond %{HTTP_HOST} !^staging [NC]
    RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

    RewriteRule ^$ app/webroot/ [L]
    RewriteRule (.*) app/webroot/$1 [L]
</IfModule>

Check your hosting environment and make sure you're allowed to have .htaccess files. You also need to make sure mod_rewrite is installed and working.


So I couldn't find a good way to force my entire site to https without getting redirect loops and errors. (This will work on a page level as well if you modify the individual controller for that page.) Anyway, this is what I finally did after messing with this for a couple of days.

Inside my controllers folder in the AppController.php I placed the following code directly under:

public function beforeFilter() {

=================================

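    // Force to SSL: let the request object detect HTTPS from the proxy header
    $this->request->addDetector('ssl', array(
        'env' => 'HTTP_X_FORWARDED_PROTO',
        'value' => 'https'
    ));
    // env() returns null when the header is absent, avoiding an undefined-index notice
    if (env('HTTP_X_FORWARDED_PROTO') == 'http') {
        return $this->redirect('https://' . env('SERVER_NAME') . $this->here);
    }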

So what this does is first check whether it's http or https. If it's http, then I redirect the page to its https version. By putting it in the AppController.php controller ... this will secure the entire site.

Hope this helps someone else who is also struggling.


The last method was for CakePHP 2. The following is updated slightly for CakePHP 3:

Inside my controllers folder in the AppController.php do the following:

1.******** Add In The Initialize Function *********


public function initialize()
{
    parent::initialize();

    /* ADD THIS NEW LINE */
    $this->loadComponent('Security', ['blackHoleCallback' => 'forceSSL']); // SSL SECURITY
}

2.************ Add A New Public Function **********


public function forceSSL()
{
    // Called by the Security component when a request is black-holed
    return $this->redirect('https://' . env('SERVER_NAME') . $this->request->here);
}

3.**** Add this in the beforeFilter function ******


// Requires "use Cake\Event\Event;" at the top of AppController.php
public function beforeFilter(Event $event)
{
    /* ADD 2 NEW LINES */
    parent::beforeFilter($event);
    $this->Security->requireSecure();
}

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

See https://wiki.apache.org/httpd/RewriteHTTPToHTTPS. It worked for me.
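
An added example, not part of any answer above: the AppController answer keys its redirect on X-Forwarded-Proto, which any client can send unless a proxy in front of the server overwrites it, so this plain-PHP version honours the header only from a trusted peer and builds the redirect from a fixed host instead of request data. The proxy address, canonical host, function names and `$_SERVER` snapshots are assumptions constructed for illustration.

```php
<?php
// Added example; not code from the answers or from CakePHP.
const TRUSTED_PROXIES = ['10.0.0.5'];       // assumption: address of your load balancer
const CANONICAL_HOST  = 'www.example.com';  // fixed host, never taken from the request

/** True when the client-facing hop used TLS. */
function isSecureRequest(array $server): bool
{
    $https = strtolower($server['HTTPS'] ?? '');
    if ($https !== '' && $https !== 'off') {
        return true;                        // TLS terminated on this server
    }
    // Honour X-Forwarded-Proto only when the TCP peer is a known proxy.
    if (in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        return $proto === 'https';
    }
    return false;
}

/** HTTPS URL to redirect to, or null when the request is already secure. */
function httpsRedirectTarget(array $server): ?string
{
    if (isSecureRequest($server)) {
        return null;                        // redirecting here is what causes loops
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';                         // ignore absolute-form or empty targets
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

// Constructed $_SERVER snapshots covering the cases discussed above.
$cases = [
    'direct http'              => ['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_URI' => '/users/login'],
    'direct https'             => ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on', 'REQUEST_URI' => '/'],
    'proxy, client used https' => ['REMOTE_ADDR' => '10.0.0.5', 'REQUEST_URI' => '/',
                                   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy, client used http'  => ['REMOTE_ADDR' => '10.0.0.5', 'REQUEST_URI' => '/cart',
                                   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'header from untrusted ip' => ['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_URI' => '/admin',
                                   'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($cases as $label => $server) {
    printf("%-25s -> %s\n", $label, httpsRedirectTarget($server) ?? '(serve page)');
}
```

In a controller the same decision would sit in `beforeFilter()`, with the returned URL passed to `$this->redirect()`.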