I have a simple route which handles redirections to the right tracking links from the database. The route itself looks like this:
```php
Route::get('/{language}/go/{operator}', function ($language, $operator) {
    // Look up the operator for this language; 404 instead of dereferencing null when none matches
    $operator = Operator::where('language', $language)->where('name', $operator)->first();
    if (! $operator) {
        abort(404);
    }
    $tracking_url = $operator->visit_url;

    // Optional session id from the query string, defaulting to 1
    if (isset($_GET['session_id'])) {
        $session_id = strip_tags($_GET['session_id']);
    } else {
        $session_id = 1;
    }

    // Append the session id under the operator's dynamic parameter name, if one is configured;
    // urlencode keeps a stray '&' or '#' in the value from altering the target URL
    if ($operator->dynamic_parameter) {
        $full_url = $tracking_url . '&' . $operator->dynamic_parameter . '=' . urlencode($session_id);
    } else {
        $full_url = $tracking_url;
    }

    return redirect($full_url)->header('Referrer-Policy', 'no-referrer');
});
```
The whole website resides on HTTPS (handled by Heroku), and as an extra layer for the redirection chain I added 2 more things:
1) Adding some extra server configuration (apache_app.conf) and loading it with the Procfile:
apache_app.conf
```apache
DirectoryIndex index.php index.html index.htm
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Procfile
```
web: vendor/bin/heroku-php-apache2 -C apache_app.conf public/
```
2) Forcing all my routes to be redirected via HTTPS, using this snippet at the top of web.php:
```php
// Generate https:// URLs for all routes in production
if (env('APP_ENV') === 'prod') {
    \URL::forceScheme('https');
}
```
While trying to access my app via http://, I am being redirected to the https:// version and it seems OK. But when I'm investigating the redirection chain using the route's /en/go/xxxx endpoint, I get some weird chaining which includes first a redirection back to the http version, and then a redirect back to the https one. So when trying to load one of these tracking URLs inside an iframe, I get an error:
Mixed Content: The page at 'https://www.website.com/us/reviews/xxxxx' was loaded over HTTPS, but requested an insecure resource 'http://www.website.com/us/go/xxxxx?session_id=1'. This request has been blocked; the content must be served over HTTPS.
And the redirection chain looks like this:
Result
```
https://www.website.com/us/go/xxxxx/?session_id=332
301 Moved Permanently
http://www.website.com/us/go/xxxxx?session_id=332
301 Moved Permanently
https://www.website.com/us/go/xxxxx?session_id=332
302 Found
https://track.xxxxx.com/visit/?bta=123456&nci=654321&utm_campaign=website_camapign&afp=332
```
via Chebli Mohamed
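The following PHP is an added example and not the asker's code. It covers two points from the question: the route's string concatenation of the tracking URL and session id, and the redirect chain listed under "Result". `buildTrackingUrl()` assembles the query string with `parse_url`/`http_build_query` instead of a bare `'&'`, accepts only a numeric session id, and refuses a tracking URL that is not absolute https, so the route itself can never add a plain-http hop. `insecureHops()` walks a list of hop URLs and reports any whose scheme is not https, which is exactly the hop a browser reports as mixed content when the chain starts inside an https page. The function names are hypothetical, and the sample chain is constructed from the listing in the question (hostnames are the question's placeholders).

```php
<?php
declare(strict_types=1);

/**
 * Append $paramName=$sessionId to $trackingUrl. Handles tracking URLs with or without an
 * existing query string, and rejects anything that is not an absolute https URL so the
 * redirect target can never introduce an insecure hop.
 */
function buildTrackingUrl(string $trackingUrl, ?string $paramName, string $sessionId): string
{
    $parts = parse_url($trackingUrl);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException("tracking URL must be absolute and https: $trackingUrl");
    }
    // Only a numeric session id is accepted; anything else falls back to the route's default of 1
    if (!ctype_digit($sessionId)) {
        $sessionId = '1';
    }
    if ($paramName === null || $paramName === '') {
        return $trackingUrl;
    }
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    $query[$paramName] = $sessionId;

    // Rebuild the URL; http_build_query percent-encodes the value and joins pairs with '&'
    return $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . '?' . http_build_query($query)
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
}

/**
 * Given the ordered list of URLs a client was sent through, return the zero-based indexes
 * of hops whose scheme is not https. Any such hop leaks the query string (here the
 * session id) over plain http and is blocked as mixed content inside an https page.
 */
function insecureHops(array $chain): array
{
    $bad = [];
    foreach ($chain as $i => $url) {
        if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $bad[] = $i;
        }
    }
    return $bad;
}

// Constructed from the "Result" listing in the question
$chain = [
    'https://www.website.com/us/go/xxxxx/?session_id=332',
    'http://www.website.com/us/go/xxxxx?session_id=332',
    'https://www.website.com/us/go/xxxxx?session_id=332',
    'https://track.xxxxx.com/visit/?bta=123456&nci=654321&utm_campaign=website_camapign&afp=332',
];

// Build the final tracking URL the way the route does, but safely
echo buildTrackingUrl('https://track.xxxxx.com/visit/?bta=123456&nci=654321', 'afp', '332'), PHP_EOL;

// Report every hop in the observed chain that drops to plain http
foreach (insecureHops($chain) as $i) {
    printf("hop %d is plain http: %s\n", $i + 1, $chain[$i]);
}
```

Run with `php example.php`. The checker only looks at the scheme of each hop; the listing itself shows that the first and second hops differ in the trailing slash before `?` as well as in scheme, which is the detail worth comparing against the Apache rewrite rule and the `forceScheme()` call when tracing where the http hop is generated.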