Laravel not using https for assets and dynamic routes

Question

I've changed my APP_URL=https://example.com, I've added this into my AppServiceProvider's boot method:

/** Enable HTTPS */
if(env('REDIRECT_HTTPS')) {
    $url->forceSchema('https');
}

And I've run php artisan cache:clear, php artisan view:clear and php artisan config:clear. I still can't get assets and dynamic routes to use https. Just getting the error:

Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://example.com/css/app.css'. This request has been blocked; the content must be served over HTTPS.

I know I can use secure_asset instead of asset and that should work, but I need this to be dynamic, as I still need to serve the http version of the site for now on another domain.

Answer 1

The asset() helper relies on a couple possibilities to determine whether to make a HTTP or HTTPS URL:

• $_SERVER['HTTPS'] being on. This is Apache's way of doing things. For nginx, you can set that server param yourself in the config.
• $_SERVER['HTTP_X_FORWARDED_PROTO'] being https.

If you're behind a load balancer, it's probably sending the X-Forwarded-Proto header, but Laravel doesn't trust it by default because it can be set by a malicious user in some cases. You can tell Laravel to trust this header coming from your load balancer using the TrustedProxy package. (edit: This is now built into Laravel)

See also: Symfony2: getScheme does not return 'https' (Laravel uses Symfony's getScheme() function for this)