FriendsOfSymfony / FOSUserBundle

Provides user management for your Symfony project. Compatible with Doctrine ORM & ODM, and custom storages.

Home Page:https://symfony.com/doc/master/bundles/FOSUserBundle/index.html

No HTTPS automatic redirection (login / logout)

eved42 opened this issue · comments

I have a Symfony 3.4 project with public and admin areas.
(FOSUserBundle 2.1)

When an anonymous user tries to access a page beginning with /admin, FOSUserBundle does an automatic redirection to the login page.

Everything was working well when my project was on the HTTP protocol but, now, this project is completely under HTTPS.

And I have a problem when I try to visit https://myproject/admin -> it redirects to http://myproject/login instead of HTTPS (even though all URLs are automatically redirected to HTTPS) and I have this error in my browser: ERR_CONNECTION_REFUSED

If I visit https://myproject/login directly -> it works, but the redirection after login (to /admin) is done in HTTP too (and I have the same ERR_CONNECTION_REFUSED error again).

The authentication works because I am indeed logged in if I visit the admin area in HTTPS.

It also happens when I log out -> it redirects to the home page of the project, but in HTTP instead of HTTPS.

It seems that every redirection managed by FOSUserBundle is done in HTTP.

So, I checked the Symfony documentation to force HTTPS on specific URLs. I tried this:

// security.yml

access_control:
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
    - { path: ^/admin, roles: ROLE_USER, requires_channel: https }

But, when I visit /admin, there is no longer a redirection to the login page and I have this error now: ERR_TOO_MANY_REDIRECTS

So, I don't know what to do now...

security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern:   ^/login$
            anonymous: ~

        main:
            anonymous: true
            pattern:   ^/
            form_login:
                provider:            fos_userbundle
                login_path:          /login
                default_target_path: /admin     # redirect after login

                # csrf token options
                csrf_parameter:       _csrf_token
                csrf_token_id:        authenticate
                csrf_token_generator: security.csrf.token_manager

            logout_on_user_change:    true
            logout:
                path:   /logout
                target: /

            remember_me:
                secret:   '%secret%'
                lifetime: 604800       # 1 week in seconds
                path:     /

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_USER }

You could try forcing https with a rewrite in the .htaccess file (in the public folder of your project).

<IfModule mod_rewrite.c>
    Options -MultiViews
    RewriteEngine On

    # redirect to https behind a load balancer
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
</IfModule>

The redirections after login and logout are not handled by FOSUserBundle, because FOSUserBundle does not handle the login and logout at all. This is handled by Symfony's SecurityBundle.

For the redirection loop, my idea is that you might be deploying this behind an SSL-terminating load balancer (so your actual web server always receives requests in HTTP) without configuring it as a trusted proxy (so Symfony does not trust the X-Forwarded-Proto header set by the load balancer): https://symfony.com/doc/current/deployment/proxies.html
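As an added illustration of the trusted-proxy explanation above (example code, not from the thread or the bundle), this script reproduces with Symfony's HttpFoundation what the web server sees behind an SSL-terminating load balancer and how `requires_channel: https` reacts before and after the balancer is trusted. It assumes symfony/http-foundation 3.4 installed via Composer; the balancer address 10.0.0.5 and the forwarded headers are constructed sample values.

```php
<?php
// Added example, not part of the FOSUserBundle issue thread.
// Assumes `composer require symfony/http-foundation:^3.4` has been run.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// What the web server receives from an SSL-terminating load balancer: a plain
// HTTP request to /admin whose original scheme survives only in X-Forwarded-Proto.
function requestFromLoadBalancer(): Request
{
    return Request::create('http://myproject/admin', 'GET', [], [], [], [
        'REMOTE_ADDR'            => '10.0.0.5',  // constructed: the balancer's address
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_HOST'  => 'myproject',
    ]);
}

// The channel check behind `requires_channel: https` boils down to isSecure();
// when it is false, Symfony redirects to the https:// version of the same URL.
// The login-page and logout redirects are built from the same request scheme,
// which is why they came out as http:// in the report above.
function channelCheck(Request $request): string
{
    return $request->isSecure()
        ? 'secure: serve ' . $request->getUri()
        : 'insecure: redirect to https://' . $request->getHttpHost() . $request->getRequestUri();
}

// 1) No trusted proxies: X-Forwarded-Proto is ignored, the request looks like
//    plain HTTP, Symfony redirects to https://..., the balancer terminates TLS
//    and forwards HTTP again -> ERR_TOO_MANY_REDIRECTS.
echo channelCheck(requestFromLoadBalancer()), PHP_EOL;

// 2) Trust the balancer (this call belongs in web/app.php before the kernel
//    handles the request, per the linked Symfony docs): the forwarded scheme is
//    now honoured, isSecure() is true and the loop disappears.
Request::setTrustedProxies(['10.0.0.5'], Request::HEADER_X_FORWARDED_ALL);
echo channelCheck(requestFromLoadBalancer()), PHP_EOL;
```

Run it with `php loop-demo.php`: the first line reports a redirect to https://myproject/admin, the second reports the request as secure.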