6

I am deploying an app on Heroku and trying to determine whether the request coming in is secure (request.secure). This is initially returning false on heroku because nginx handles the SSL work and communicates over plain http to the app server. So to let play read the headers that let is know it's a secure request I add:

XForwardedSupport=127.0.0.1

To application.conf as recommended in the play message boards. However, then all requests (except for images) fail with no error. It seems to be something fundamental happening before it hits the play logs. Has anyone experienced this?

Matt Hall
  • 2,569
  • 2
  • 23
  • 33
  • I assume the issue is because the way heroku manages the routing. Create a support ticket, they are really quick answering and I'm really happy on how well they solve issues. – Pere Villega Dec 15 '11 at 10:57
  • Will do, I'll post back here with any resolution. – Matt Hall Dec 15 '11 at 12:32

3 Answers3

6

I don't think Play supports the way that requests are forwarded (proxied) on Heroku via the XForwardedSupport configuration parameter. That would need to be set to the address of the Heroku load balancer and there isn't a way to configure that pre-runtime. Instead, you should just look at the x-forwarded-proto request header to determine if the request to the Heorku load balancer was via http or https. Maybe something like:

    Boolean secure = false;
    if (request.headers.get("x-forwarded-proto") != null) {
      secure = request.headers.get("x-forwarded-proto").values.contains("https");
    }
    System.out.println("secure = " + secure);

BTW: Heroku's cedar stack doesn't use Nginx. It uses MochiWeb, an Erlang-based web server.

James Ward
  • 29,283
  • 9
  • 49
  • 85
  • This definitely seems to be the problem, as confirmed by a heroku support engineer. I'm worried that if play doesn't know the request is secure then it will do things like perform redirects back to non-ssl urls by default and stuff like that. Anyway, I'll give it a try and see what else goes wrong and report back. Thanks! – Matt Hall Dec 18 '11 at 04:32
  • 1
    So far so good on this solution! For certain annotated handlers I am forcing a redirect onto SSL so the action can never be viewed over regular http. If anyone's interested I'll post some code on how it's done, we find it really useful (more so now that this fix works for heroku). – Matt Hall Dec 19 '11 at 23:17
  • I've added some thoughts about making this more useful in the upstream Play code. I'd be interested to hear from more people in this ticket: [Play bug #1406](https://play.lighthouseapp.com/projects/57987/tickets/1406-play-123-124-playmvcrouter-does-not-fully-support-proxied-ssl#ticket-1406-4) – Dan Carley Feb 08 '12 at 12:01
3

thnx big time! you saved hours of struggling with heroku+play! I can confirm that when you set this in application.conf

XForwardedSupport=all

heroku stops complaining with SIGTERM

Yilmaz Guleryuz
  • 9,313
  • 3
  • 32
  • 43
2

As pointed by @Dan Carley ticket on https://play.lighthouseapp.com/projects/57987/tickets/1406-play-123-124-playmvcrouter-does-not-fully-support-proxied-ssl#ticket-1406-4

When hosting on Heroku, (as pointed by Mirko) setting XForwardedSupport=all in application.conf works.

Fabiano Soriani
  • 8,182
  • 9
  • 43
  • 59