Skip to main content

How to fix links without https in

A few days ago I got a warning in the Facebook Debugger that the canonical routes of were pointing to the http version, without that of Securitè.

Browsing the Metatag issues, I discovered that this happens when there is some kind of reverse proxy, including CDNs. And sure enough, I suddenly fell that serves used to serve content from a CDN (I just found out that now it only happens on the more expensive plans, maledetti).

The solution to the problem is to add these lines in the settings.php file

$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = array($_SERVER['REMOTE_ADDR']);

Even without CDN, it seems that the infrastructure makes use of some reverse proxy or similar. I have not been able to find more information about the exact infrastructure, but in a ticket they have confirmed to me that this is correct.

It is also noteworthy that this information is not present in Drupal's documentation in nor in their settings.php templates

Since the IP range is variable, you have to use the array($_SERVER['REMOTE_ADDR']) value. Drupal warns that this value makes you susceptible to IP spoofing but from they tell me that it is a private range and is not susceptible to this kind of problems.

Extra ball: an article with more info about why reverse_proxy entries in Drupal8/9 and the death of Drupal 7's mythical $base_url.