Force https

[michielgerritsen]

Hey,

I work on different types of projects. Mostly Magento, some Wordpress/Woocommerce, some Laravel. Magento and WordPress have a baked-in "base URL" option: If you don't visit that URL but hit the application, you will be redirected. That way, you can force HTTPS for a site.

Laravel is a bit different; it doesn't force the base URL on you. Sure, you can add middleware for that, but I prefer to handle this at the server level. But this introduces a paper cut for working locally. For some reason, Chrome really likes to visit .test site over HTTP by default. It's annoying because it can take some time before you realize you are working on HTTP instead of HTTPS. You don't work on the same cookie, so you aren't logged in anymore. When logging in with 1Password, you get a warning because the page is served over HTTP, but the credentials are saved on a HTTPS version. Small annoyances.

I know I can update the nginx/apache configuration. But I try to keep those configurations as clean as possible, to not get into muddy waters in the future.

So I would propose to add a new config.yaml flag:

force_https: true|false (default: false)

When enabled, visitors of the non-HTTPS version will get redirected to the HTTPS version of the URL.

[rfay]

Browsers often do the redirect also (note the comment on https://docs.ddev.com/en/stable/users/usage/commands/#launch )

Why do you think this kind of redirect is important for DDEV (and local development)? DDEV offers the HTTPS URL by default even though it also serves the HTTP URL.

[michielgerritsen]

My main point is that it's a papercut. I know browsers prefer https, but that isn't always the case. I may have entered the URL incorrectly in the past, and my browser remembered it. I'm not sure. I have it with multiple sites.

This feature is not required, but is mainly a (very, imho) nice-to-have. It brings the development environment a little bit closer to the production environment.

[GuySartorelli]

I would caution that forcing HTTPS through DDEV can mean developers expect their site to be forced to HTTPS in production and forget to set whatever-needs-to-be-set for that application. I.e. it can lead to a mismatch between development and production environments.

If this is implemented the documentation should probably highlight this risk.

[rfay]

Agreed, it seems like this is a bad thing, given that DDEV is for local development, and almost always ends up at https anyway.

[rfay]

Are you aware of these ways of handling this?

• traefik configuration
• nginx snippet (.ddev/nginx) with

    if ($http_x_forwarded_proto = "http") {
      return 301 https://$host$request_uri;
    }

[michielgerritsen]

I wasn't aware of nginx snippets, I will check that out. Thanks.