When I deployed my Laravel 12 app, I realized that securing it with HTTPS was non-negotiable. HTTPS encrypts data between the server and users, protecting sensitive information like passwords and payment details.
Adding an SSL certificate to my Laravel app not only boosted security but also improved user trust and SEO rankings.
In this guide, I’ll walk you through how I enabled HTTPS on my Laravel 12 app using a free SSL certificate from Let’s Encrypt, assuming the app is hosted on an AWS EC2 instance with Nginx.
Before we start, ensure you have:
Let’s dive into securing your Laravel app!
I use Let’s Encrypt because it’s free, reliable, and widely supported. To get started, I install Certbot, a tool that automates SSL certificate issuance, on my Ubuntu-based EC2 instance:
sudo apt update
sudo apt install -y certbot python3-certbot-nginx
This installs Certbot and its Nginx plugin, which simplifies the configuration process.
With Certbot installed, I request an SSL certificate for my domain:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Replace yourdomain.com with your actual domain. Certbot will:
If successful, Certbot stores the certificate in /etc/letsencrypt/live/yourdomain.com/.
Certbot automatically updates your Nginx configuration to use the SSL certificate, but I double-check the setup. I open my Nginx configuration file:
sudo nano /etc/nginx/sites-available/laravel
Here’s an example of how my configuration looks after Certbot’s changes:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Redirect HTTP to HTTPS ($server_name is the first name listed above;
    # $host would preserve whichever hostname the client actually requested)
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # Certbot's TLS protocol and cipher settings
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/laravel/public;   # only public/ is served; .env and app/ stay outside the web root
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # match the socket to the PHP-FPM version actually installed (Laravel 12 needs PHP 8.2 or newer)
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\. {
        deny all;   # never serve dotfiles such as .env or .git
    }
}
I verify the configuration and restart Nginx:
sudo nginx -t
sudo systemctl restart nginx
To ensure my Laravel app uses HTTPS, I update the .env file in my project directory (/var/www/laravel):
nano /var/www/laravel/.env
I set the APP_URL to use https:
APP_URL=https://yourdomain.com
If my app enforces HTTPS, I also update config/app.php to force HTTPS redirects:
'url' => env('APP_URL', 'https://yourdomain.com'),
'force_scheme' => 'https', // note: Laravel does not read a 'force_scheme' key from config/app.php; https:// for generated links is enforced with URL::forceScheme('https') in a service provider
Then, I clear the configuration cache:
cd /var/www/laravel
php artisan config:cache
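Laravel itself does not read a force_scheme key from config/app.php; the framework's own hook for making url(), route() and asset() emit https:// links is URL::forceScheme('https') called from a service provider. The following is an added example of that hook (my own code, not the post's), assuming the default app/Providers/AppServiceProvider.php of a fresh Laravel 12 install and APP_ENV=production in the .env file above:

```php
<?php
// app/Providers/AppServiceProvider.php (added example; this path is the Laravel 12 default)

namespace App\Providers;

use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Make url(), route() and asset() generate https:// links, so a page served over
        // HTTPS never references http:// resources (the mixed-content "Not Secure" case
        // mentioned in the FAQ). environment() reads APP_ENV from .env; limiting this to
        // production keeps `php artisan serve` working over plain HTTP on a dev machine.
        if ($this->app->environment('production')) {
            URL::forceScheme('https');
        }
    }
}
```

This complements the Nginx 301 rather than replacing it: Nginx redirects clients that arrive over HTTP, while forceScheme stops the app from generating http:// links in the first place.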
Let’s Encrypt certificates expire every 90 days, so I set up automatic renewal. Certbot includes a cron job by default, but I test it to be sure:
sudo certbot renew --dry-run
If the dry run succeeds, the renewal is configured correctly. The system will renew the certificate automatically before it expires.
Open a browser and visit https://yourdomain.com. The Laravel app should load securely with a padlock icon in the address bar. Also, use an SSL checker tool (like SSL Labs) to verify the certificate installation.
If I encounter issues, I check the Nginx logs (/var/log/nginx/error.log) or Laravel logs (/var/www/laravel/storage/logs).
To make my app even more secure, I:
    listen 443 ssl http2;   # enable HTTP/2 on the TLS listener (Nginx 1.25.1+ prefers a separate "http2 on;" directive)
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    # browsers only honour HSTS over HTTPS; includeSubDomains commits every subdomain to HTTPS, so make sure they all serve it
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Securing my Laravel 12 app with HTTPS was straightforward with Let’s Encrypt and Certbot. Not only does HTTPS protect my users’ data, but it also builds trust and improves my site’s SEO. By following these steps, I got my app running securely on AWS EC2 with a free SSL certificate. I hope this guide helps you secure your Laravel app with confidence.
Q: Why do I need HTTPS for my Laravel app?
A: HTTPS encrypts data, protects user information, and boosts SEO rankings. It’s essential for any public-facing app.
Q: Can I use a paid SSL certificate instead of Let’s Encrypt?
A: Yes, purchase an SSL certificate from providers like DigiCert or GoDaddy and configure it manually in Nginx.
Q: What if my domain isn’t pointing to my EC2 instance?
A: Update your domain’s DNS records (A record) to point to your EC2 public IP. Wait for DNS propagation (up to 48 hours).
Q: Why is my HTTPS site showing a “Not Secure” warning?
A: Ensure your SSL certificate is installed correctly and that all resources (images, scripts) are loaded over HTTPS.
Q: How do I renew my Let’s Encrypt certificate?
A: Certbot handles renewals automatically. Run sudo certbot renew --dry-run to test the setup.