0

Recently I wanted to secure my rails 4.2.1 app with https the easiest way. I found this question as well as this answer about WEBrick+SSL, both referencing to this post which is unfortunately not reachable any more. Then I found this answer recommending to use thin instead (naming other advantages of using thin). Then I followed this step-by-step guide, finally running thin start --ssl --ssl-key-file .ssl/key.pem --ssl-cert-file .ssl/cert.pem -e production with self-signed certificate. My config/environments/production.rb contains config.force_ssl = true.

Now I would like to access the web normally by typing example.com expecting to be automatically redirected to https://example.com but this does not happen. Typing looong https://example.com works fine. Here is a 2-year-old question with similar issue but any answer doesn't work either and something could have also changed since then.

How can I make it work? Or is there any different recent but simple enough way to start using ssl with rails? Thanks!

Community
  • 1
  • 1
fakub
  • 327
  • 2
  • 13

2 Answers2

3

In your config/environment/production.rb file make sure you have the following:

config.force_ssl = true

Also make sure to update your cookie settings in config/initializers/session_store.rb:

Rails.application.config.session_store :cookie_store, key: '_secure_domain_session', httponly: true, secure: true

You also need to specify secure: true in the config/initializers/devise.rb file if you are using Devise

Also make sure to clear the cache on your browser

blnc
  • 4,384
  • 1
  • 28
  • 42
  • config/environments/production.rb - check, config/initializers/session_store.rb - check, I'm not using devise, browser cache - check, thin restarted - of course. Still not automatically redirecting to https :( – fakub Aug 03 '15 at 08:23
  • Why I don't have those issues on ngrok? – knagode Jul 31 '23 at 08:53
0

If you have a load balancer in front of your website that is terminating the TLS/SSL and then connecting via HTTPS to the backend, this would mean the connection from the load balancer to your server is HTTPS, even though the client connection to the load balancer is not. Your load balancer should send the X-Forwarded-Proto header which Rails should take into account.

If you are running Rails under Passenger inside Nginx (or Apache), you may need to configure that to forward the header and/or port.

passenger_set_header X-Forwarded-Proto $http_x_forwarded_proto;
passenger_set_header X-Forwarded-Port $server_port;

Note, however, that Rails looks first at the HTTPS environment variable before it looks at the header, and that might be set to "on" because connection to your web server is HTTPS.

In that case you can redirect all traffic from HTTP to HTTPS inside Nginx:

if ($http_x_forwarded_proto != 'https') {
    rewrite ^ https://$host$uri permanent;
}
jwadsack
  • 5,708
  • 2
  • 40
  • 50