Mixed Content errors when using Trusted Proxy middleware and the default basset disk

[scottbradybuckii]

When trying to install Backpack 7 on a Laravel 12 installation, every CSS and JS asset that was getting served was blocked by the browser with a "Mixed Content" error message. This is because our site is behind a reverse proxy, but the weird part was that we had already setup the $middleware->trustProxies(at: '*'); line in our bootstrap/app.php file, which should have correctly allowed the url() helper function to generate "https" urls.

After a bit of digging around, I discovered that if the filesystems.disks.basset config isn't defined, the BassetServiceProvider.php file generates a config with the following code:

config(['filesystems.disks.basset' => [
    'driver' => 'local',
    'root' => storage_path('app/public'),
    'url' => url('').'/storage',
    'visibility' => 'public',
    'throw' => false,
]]);

The only issue is that the url() function in this code does not know anything about the trusted proxies set in the middleware above, because it is running too soon (inside a Service Provider). It looks like this issue was introduced in this commit: 310d331#diff-23625bed93cfb2bca4092ecb9897ba66ca129414e56f87e027214d1f579daa10

My fix for now was just adding the below config into my filesystems.php config file, but it would probably be best to switch back to env('APP_URL') instead of url(''), since middleware is not taken into account in ServiceProviders:

'basset' => [
    'driver' => 'local',
    'root' => storage_path('app/public'),
    'url' => env('APP_URL').'/storage',
    'visibility' => 'public',
    'throw' => false,
],

[backpack-ai-bot]

CrawlChat Answer:

This is a well-documented issue involving the interaction between Backpack's Basset disk configuration, Laravel's trusted proxy middleware, and service provider initialization timing.

The Problem:

When filesystems.disks.basset isn't explicitly configured, the BassetServiceProvider dynamically generates it using url(''), which runs during service provider boot—before middleware has a chance to process the request context. This means the url() helper doesn't know about your reverse proxy configuration, causing it to generate HTTP URLs instead of HTTPS, triggering mixed content errors in the browser.

Why It Happens:

Service providers execute during the bootstrap phase, which occurs before HTTP middleware runs. The trusted proxy middleware that would normally tell Laravel about your HTTPS setup hasn't been applied yet, so url() generates URLs based on incomplete context.

Your Solution (Recommended):

Define the basset disk explicitly in config/filesystems.php:

'basset' => [
    'driver' => 'local',
    'root' => storage_path('app/public'),
    'url' => env('APP_URL').'/storage',
    'visibility' => 'public',
    'throw' => false,
],

Using env('APP_URL') is more reliable since it's evaluated at configuration time, not at service provider runtime.

Alternative:

Ensure your APP_URL in .env is set to the correct HTTPS URL if you're behind a reverse proxy.

Would you like guidance on properly configuring reverse proxy trust in Laravel 12?

ℹ️ Please note our AI Bot does not reply to follow-ups, this will be the only AI answer in this thread. If the AI helped you find the answer, please mark it as answered or write details below so it can learn. Then close the conversation. If not, please give more information for when a human reads this. ℹ️