fastly-rails

Properly tell Rails that a request is (or is not) SSL

Open: jjulian opened this issue 10 years ago, 1 comment

When hosting on Heroku, the Heroku router sets X-Forwarded-Proto to the protocol used by the immediate connection (from Fastly). If it's https, then Rails will never know if a browser connects insecurely. If it's http, then Rails will think every connection is insecure, even when the browser connection to fastly is over https.

This Rack middleware fixes that by setting the proper headers based on the Fastly-SSL header. The fixes are only applied if the connection appears to be from Fastly.

  • set HTTPS=on
  • set X-Forwarded-Proto=https
  • remove other ambiguous headers

jjulian, Dec 22 '14 19:12
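An added example of the middleware shape the issue describes; it is not fastly-rails' own code and not jjulian's. It rewrites the env keys that `Rack::Request#scheme` consults from the `Fastly-SSL` header, but only when the request carries a shared-secret header that the CDN was configured to inject on its way to the origin. Assumptions made here: that Fastly sets `Fastly-SSL` to `1` for TLS client connections, the hypothetical header name `X-Origin-Token` and its value, and the `rack_scheme` helper, which is a simplified imitation of Rack's scheme resolution so the file runs without the rack gem. The "appears to be from Fastly" check matters: if any client can reach the origin directly, a spoofed `Fastly-SSL: 1` would otherwise make Rails treat a plaintext connection as secure.

```ruby
# frozen_string_literal: true

# Added example (not fastly-rails code). Rack middleware that sets the
# scheme-related env keys from the Fastly-SSL header, only for requests
# that prove they came through the CDN via a shared-secret header.
class FastlySslMiddleware
  # Other headers Rack consults for the scheme; removed so they cannot
  # contradict the values derived from Fastly-SSL.
  AMBIGUOUS = %w[HTTP_X_FORWARDED_SSL HTTP_X_FORWARDED_SCHEME].freeze

  # secret_header: Rack env key of the header Fastly is configured to add
  # (hypothetical name; X-Origin-Token is an assumption of this example).
  def initialize(app, secret:, secret_header: 'HTTP_X_ORIGIN_TOKEN')
    @app = app
    @secret = secret
    @secret_header = secret_header
  end

  def call(env)
    if from_fastly?(env)
      # Assumption: Fastly sends "Fastly-SSL: 1" when the client used TLS.
      scheme = env['HTTP_FASTLY_SSL'] == '1' ? 'https' : 'http'
      env['HTTPS'] = scheme == 'https' ? 'on' : 'off'
      env['HTTP_X_FORWARDED_PROTO'] = scheme
      env['rack.url_scheme'] = scheme
      AMBIGUOUS.each { |key| env.delete(key) }
    end
    @app.call(env)
  end

  private

  # Constant-time comparison of the presented token against the secret,
  # so a direct-to-origin client cannot guess it byte by byte.
  def from_fastly?(env)
    token = env[@secret_header]
    return false if token.nil? || token.bytesize != @secret.bytesize

    token.bytes.zip(@secret.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Simplified imitation of Rack::Request#scheme (assumption: enough of the
# real logic to show which keys win), so the example needs no gems.
def rack_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'

  forwarded = env['HTTP_X_FORWARDED_SCHEME'] ||
              env['HTTP_X_FORWARDED_PROTO']&.split(',')&.first&.strip
  forwarded || env['rack.url_scheme']
end

# Constructed secret for the demo; in a real deployment generate a random
# value and configure Fastly to send it as the origin token header.
SECRET = 'constructed-demo-origin-token'

# Downstream "app" that just reports the scheme it would see.
SCHEME_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, [rack_scheme(env)]] }

# Runs one env through the middleware and returns the scheme the app saw.
def scheme_seen_by_app(env)
  _status, _headers, body = FastlySslMiddleware.new(SCHEME_APP, secret: SECRET).call(env.dup)
  body.first
end

# Constructed Rack envs for the cases in the issue.
# Heroku's router saw https from Fastly, but the browser spoke plain http.
REQ_BROWSER_HTTP_VIA_FASTLY = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'HTTP_X_ORIGIN_TOKEN' => SECRET
}.freeze

# Heroku's router saw http from Fastly, but the browser used https.
REQ_BROWSER_HTTPS_VIA_FASTLY = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'http',
  'HTTP_X_FORWARDED_SSL' => 'off',
  'HTTP_FASTLY_SSL' => '1',
  'HTTP_X_ORIGIN_TOKEN' => SECRET
}.freeze

# Direct-to-origin client spoofing Fastly-SSL without the token: ignored.
REQ_SPOOFED_NO_TOKEN = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'http',
  'HTTP_FASTLY_SSL' => '1'
}.freeze

# Same, but with a wrong token of the right length: still ignored.
REQ_SPOOFED_BAD_TOKEN = REQ_SPOOFED_NO_TOKEN.merge('HTTP_X_ORIGIN_TOKEN' => 'x' * SECRET.bytesize).freeze
```

Insert it with `config.middleware.insert_before ActionDispatch::SSL, FastlySslMiddleware, secret: ENV.fetch('ORIGIN_TOKEN')` so `force_ssl` sees the corrected scheme; the `insert_before` target and the environment variable name are the usual placement for such a middleware, not something the issue prescribes.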

Note that this is totally optional behavior, only used if the user inserts the middleware into their Rails stack.

jjulian, Apr 02 '16 12:04