In my website I need every request to be made using SSL. But if the user is logged out and tries to access private content he will be redirected to domain.com/login, but in this redirect the https is converted to http.
I did some debugging and I found that every time I use the redirect the https is converted to http.
For example, in any action if I add something like this:
Yii::$app->getResponse()->redirect('/site/index');
The request doesn't keep the https and I get a request like this: http://domain.com/site/index instead of https://domain.com/site/index
I redirect every URL from http to https in my htaccess, but since my website should run in a canvas page in Facebook I can't have any request that uses http, and at the moment I can't have it running on Facebook.
http://www.yiiframework.com/doc-2.0/yii-helpers-baseurl.html#to()-detail You can use Url::to(['site/index'], true) to generate the URL that you will pass to the redirect.
If you want to have ALL the URLs use https by default, you can configure this property (http://www.yiiframework.com/doc-2.0/yii-web-urlmanager.html#setBaseUrl()-detail) in your config/main.php.
According to the API doc, a string is considered to be a URL (like "http://example.com").
So use an array instead:
Yii::$app->getResponse()->redirect(['/site/index']);
First thing, this solution:
Yii::$app->getResponse()->redirect(['/site/index']);
returns the same result as this:
Yii::$app->getResponse()->redirect('/site/index');
The URL is created without the https.
The other solution, configuring the baseUrl to the one with https and then using Url::to(['site/index'], true) and passing it to redirect, works but is not an ideal solution. For example, I get this problem in this plugin https://github.com/codemix/yii2-localeurls and in https://github.com/dektrium/yii2-user. There are many other plugins that use redirect, and people who need the full use of https will be affected.
In a simple login system that implements yii\web\User we have this problem; for example, we have by default: 'loginUrl' => ['user/login']
When we create a controller with a rule to allow only registered users ('roles' => ['@']),
this will redirect to a URL with http even if we are using https.
I think the redirect should keep using the same protocol, without us needing to take extra actions. This should be the normal behavior: if the website is using http and we do a redirect it keeps http; if we are using https it keeps https.
For example, I get this problem in this plugin https://github.com/codemix/yii2-localeurls and in https://github.com/dektrium/yii2-user. There are many other plugins that use redirect, and people who need the full use of https will be affected.
Then configure the url manager to use https on all requests.
The doc clearly says:
Any relative URL will be converted into an absolute one by prepending it with the host info of the current request.
So it should keep the same scheme, and if you look at the code it's actually implemented.
@invaderhd Could it be that Request::getIsSecureConnection() does not work right for you? Because that's what's used in Request::getHostInfo().
Thank you mikehaertl, this was exactly the problem: Request::getIsSecureConnection() always returns false. I'm using Apache with nginx as reverse proxy and $_SERVER['HTTPS'] was never set.
I did a quick fix by adding:
$_SERVER['HTTPS']='on';
to index.php in frontend/web and backend/web; now the secure connection is detected and everything works fine.
@invaderhd You should probably better fix this in your nginx configuration:
proxy_set_header X-Forwarded-Proto $scheme;
I fixed this by using
fastcgi_param HTTPS on;
in the nginx conf, because for any good nginx configuration, one should have set
set_real_ip_from 127.0.0.1/32; # load-balancer CIDR
real_ip_header X-Forwarded-For;
real_ip_recursive on;
and when this happens, the real IP of the end user gets into the nginx logs and into Request::getRemoteIP(),
so Request->trustedHosts
becomes useless, because all relevant headers will be filtered out. Not so well thought through... from a DevOps point of view.
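To show why the two nginx fixes above behave differently (a scheme passed as a forwarded header versus one set as a FastCGI param, and what happens to the trusted-proxy check once real_ip rewrites the peer address), here is an added example that models the decision; it is not Yii's own code and the helper names, CIDR and addresses are constructed for illustration.

```php
<?php
// Added example (not from the issue thread or from Yii): a minimal model of how a
// request object can decide whether the connection is secure when a reverse proxy
// terminates TLS. Helper names and sample values are constructed for this example.

function resolveIsSecure(array $server, array $trustedProxyCidrs): bool
{
    // 'fastcgi_param HTTPS on;' (or Apache mod_ssl) sets this server variable.
    // A FastCGI param is set by the web server, never by the client, so it needs
    // no trust check at all.
    if (isset($server['HTTPS']) && strcasecmp($server['HTTPS'], 'on') === 0) {
        return true;
    }
    // Otherwise fall back to X-Forwarded-Proto, but only if the immediate peer
    // (REMOTE_ADDR) is a proxy we trust: any client can send that header too.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($peer === '' || !ipInAnyCidr($peer, $trustedProxyCidrs)) {
        return false;
    }
    return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// IPv4-only CIDR membership check, enough for the loopback proxy case here.
function ipInAnyCidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $ipL = ip2long($ip);
        $netL = ip2long($subnet);
        if ($ipL === false || $netL === false) {
            continue;
        }
        $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($ipL & $mask) === ($netL & $mask)) {
            return true;
        }
    }
    return false;
}

$trusted = ['127.0.0.1/32']; // the local nginx proxy, as in the thread

// Proxy on localhost forwards the scheme as a header: peer is trusted, header is used.
$viaProxy = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];
// After real_ip rewrote REMOTE_ADDR to the end user's address (or a client sent the
// header directly): peer is not trusted, so the header is ignored.
$afterRealIp = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
// 'fastcgi_param HTTPS on;' sets HTTPS regardless of who the peer appears to be.
$viaFastcgi = ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'];

var_dump(resolveIsSecure($viaProxy, $trusted));
var_dump(resolveIsSecure($afterRealIp, $trusted));
var_dump(resolveIsSecure($viaFastcgi, $trusted));
```

In Yii 2 the trusted-proxy list is the `trustedHosts` setting mentioned in the comment above; the model only shows why rewriting REMOTE_ADDR with real_ip makes that check fail and why the FastCGI param sidesteps it.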
@razvanphp
fastcgi_param HTTPS on;
Thank you.
It worked for me.