Ruby on Rails Thin and force_ssl, empty response over HTTP

Question

I've set up several Ruby on Rails servers lately on CentOS 7.x using Thin as the web server and an SSL Certificate from Comodo.

I have enabled the force_ssl option in my config/environments/production.rb file, and I'm running my server with the command:

RAILS_ENV=production thin start -a <IP> -p 3000 --ssl --ssl-key-file <KEY FILE PATH> --ssl-cert-file <CERT FILE PATH>

I'm using devise, so in config/initializers/devise.rb I set

config.rememberable_options = { secure: true }

I also set some config in config/initializers/session_store.rb

Rails.application.config.session_store :cookie_store, key: '_secure_<domain>_session', httponly: true, secure: true

When I first access my server over HTTP from an internet browser I get an empty response message (tested with multiple browsers and multiple computers). When I access it over https directly it resolves fine (and SSL is working perfectly), and when I next try to access over http it redirects just fine. I'm not certain what I can do to fix this bar using nginx or Apache.

Here are the other questions I've read:

• Rails with thin and ssl: http request not auto-redirected to https
• Ruby on rails: force_ssl not redirecting from http to https when using thin start --ssl

Answer 1

Thin can only listen on one port and can only serve either SSL or non-SSL requests per instance. When thin is started with --ssl it attempts to process inbound connections as TLS connections, and will drop those which it can't negotiate (ie, plain HTTP requests).

You need to use nginx (or some other reverse proxy) to listen on multiple ports and terminate SSL, and then forward to Thin. Otherwise, you'll need to run multiple Thin instances, one serving SSL and the other not.