Secure Laravel 12 with HTTPS and SSL Certificate

When I deployed my Laravel 12 app, I realized that securing it with HTTPS was non-negotiable. HTTPS encrypts data between the server and users, protecting sensitive information like passwords and payment details.

Adding an SSL certificate to my Laravel app not only boosted security but also improved user trust and SEO rankings.

In this guide, I’ll walk you through how I enabled HTTPS on my Laravel 12 app using a free SSL certificate from Let’s Encrypt, assuming the app is hosted on an AWS EC2 instance with Nginx.

Prerequisites

Before we start, ensure you have:

  • A Laravel 12 app deployed on a server (e.g., AWS EC2 with Nginx).
  • A domain name pointing to your server’s public IP (required for Let’s Encrypt).
  • SSH access to your server.
  • Basic knowledge of terminal commands.

Let’s dive into securing your Laravel app!

Step-by-Step Guide to Enable HTTPS with an SSL Certificate

Step 1: Install Certbot for Let’s Encrypt

I use Let’s Encrypt because it’s free, reliable, and widely supported. To get started, I install Certbot, a tool that automates SSL certificate issuance, on my Ubuntu-based EC2 instance:

sudo apt update
sudo apt install -y certbot python3-certbot-nginx

This installs Certbot and its Nginx plugin, which simplifies the configuration process.

Step 2: Obtain an SSL Certificate

With Certbot installed, I request an SSL certificate for my domain:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your actual domain. Certbot will:

  1. Ask for an email address for renewal notifications.
  2. Prompt you to agree to Let’s Encrypt’s terms.
  3. Verify your domain by checking if it points to your server’s IP.
  4. Generate and install the SSL certificate.

If successful, Certbot stores the certificate in /etc/letsencrypt/live/yourdomain.com/.

Step 3: Update Nginx Configuration

Certbot automatically updates your Nginx configuration to use the SSL certificate, but I double-check the setup. I open my Nginx configuration file:

sudo nano /etc/nginx/sites-available/laravel

Here’s an example of how my configuration looks after Certbot’s changes:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri; # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/laravel/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # Must match the installed PHP-FPM version; Laravel 12 requires PHP 8.2+
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\. {
        deny all;
    }
}

I verify the configuration and restart Nginx:

sudo nginx -t
sudo systemctl restart nginx

Step 4: Update Laravel’s Configuration

To ensure my Laravel app uses HTTPS, I update the .env file in my project directory (/var/www/laravel):

nano /var/www/laravel/.env

I set the APP_URL to use https:

APP_URL=https://yourdomain.com

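If my app enforces HTTPS, I also update config/app.php so that generated URLs use the https scheme:

'url' => env('APP_URL', 'https://yourdomain.com'),
// Custom key: Laravel does not read it on its own. It only has an effect if your
// code passes it to URL::forceScheme(), e.g. in a service provider's boot() method.
'force_scheme' => 'https',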

Then, I rebuild the configuration cache so the new values take effect:

cd /var/www/laravel
php artisan config:cache

Step 5: Set Up Automatic Certificate Renewal

Let’s Encrypt certificates expire after 90 days, so I set up automatic renewal. Certbot includes a cron job by default, but I test it to be sure:

sudo certbot renew --dry-run

If the dry run succeeds, the renewal is configured correctly. The system will renew the certificate automatically before it expires.

Step 6: Test Your HTTPS Setup

Open a browser and visit https://yourdomain.com. The Laravel app should load securely with a padlock icon in the address bar. Also, use an SSL checker tool (like SSL Labs) to verify the certificate installation.

If I encounter issues, I check the Nginx logs (/var/log/nginx/error.log) or Laravel logs (/var/www/laravel/storage/logs).

Step 7: Enhance Security (Optional)

To make my app even more secure, I:

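  • Enable HTTP/2 in Nginx for faster performance:
    listen 443 ssl http2; # On nginx 1.25.1 and later, use "listen 443 ssl;" plus "http2 on;" instead

  • Add security headers in Nginx:
    # "always" also sends the header on error responses (4xx/5xx)
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # includeSubDomains applies HSTS to every subdomain, so each one must serve HTTPS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  • Apply these changes in the Nginx configuration and restart Nginx.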
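
A way to check Steps 3 and 7 from the command line, added here as an example (not part of the original guide): the functions below read headers as printed by curl -sI and test the HTTP-to-HTTPS redirect and the three security headers. The function names and sample responses are constructed for illustration; the third sample is the kind of error response nginx sends when an add_header line has no always flag.

```sh
# Audit response headers (as printed by `curl -sI`) against this guide's Nginx setup.
# header_value NAME: print the value of header NAME (case-insensitive) from stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { name = tolower(name) }
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == name {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# audit_http: stdin = headers from http://yourdomain.com/; expects a 301 to https://.
audit_http() (
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$resp" | header_value Location)
    [ "$status" = "301" ] || { echo "FAIL: status $status, expected 301"; exit 1; }
    case $loc in
        https://*) echo "OK: redirects to $loc" ;;
        *) echo "FAIL: redirect target is not HTTPS: $loc"; exit 1 ;;
    esac
)

# audit_https: stdin = headers from https://yourdomain.com/; exit status = failed checks.
audit_https() (
    resp=$(cat); fails=0
    age=$(printf '%s\n' "$resp" | header_value Strict-Transport-Security |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 31536000 ] ||
        { echo "FAIL: HSTS missing or max-age under a year"; fails=$((fails + 1)); }
    [ "$(printf '%s\n' "$resp" | header_value X-Content-Type-Options)" = "nosniff" ] ||
        { echo "FAIL: X-Content-Type-Options is not nosniff"; fails=$((fails + 1)); }
    [ -n "$(printf '%s\n' "$resp" | header_value X-Frame-Options)" ] ||
        { echo "FAIL: X-Frame-Options missing"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: security headers present"
    exit "$fails"
)

# Constructed sample responses (not captured from a real server).
HTTP_OK='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/'
HTTPS_OK='HTTP/2 200
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains'
# Error page: only the header declared with "always" is present.
HTTPS_404='HTTP/2 404
strict-transport-security: max-age=31536000; includeSubDomains'
printf '%s\n' "$HTTP_OK" | audit_http
printf '%s\n' "$HTTPS_OK" | audit_https
printf '%s\n' "$HTTPS_404" | audit_https || echo "$? header(s) missing on the error page"
```

Against a live server, pipe real output into the same functions: curl -sI http://yourdomain.com/ | audit_http and curl -sI https://yourdomain.com/ | audit_https.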

Conclusion

Securing my Laravel 12 app with HTTPS was straightforward with Let’s Encrypt and Certbot. Not only does HTTPS protect my users’ data, but it also builds trust and improves my site’s SEO. By following these steps, I got my app running securely on AWS EC2 with a free SSL certificate. I hope this guide helps you secure your Laravel app with confidence.

Frequently Asked Questions (FAQs)

Q: Why do I need HTTPS for my Laravel app?
A: HTTPS encrypts data, protects user information, and boosts SEO rankings. It’s essential for any public-facing app.

Q: Can I use a paid SSL certificate instead of Let’s Encrypt?
A: Yes, purchase an SSL certificate from providers like DigiCert or GoDaddy and configure it manually in Nginx.

Q: What if my domain isn’t pointing to my EC2 instance?
A: Update your domain’s DNS records (A record) to point to your EC2 public IP. Wait for DNS propagation (up to 48 hours).

Q: Why is my HTTPS site showing a “Not Secure” warning?
A: Ensure your SSL certificate is installed correctly and that all resources (images, scripts) are loaded over HTTPS.

Q: How do I renew my Let’s Encrypt certificate?
A: Certbot handles renewals automatically. Run sudo certbot renew --dry-run to test the setup.


techsolutionstuff

Techsolutionstuff | The Complete Guide

I'm a software engineer and the founder of techsolutionstuff.com. Hailing from India, I craft articles, tutorials, tricks, and tips to aid developers. Explore Laravel, PHP, MySQL, jQuery, Bootstrap, Node.js, Vue.js, and AngularJS in our tech stack.
