
use_redirect always forcing redirect, even for HTTPS

Open aripollak opened this issue 9 years ago • 2 comments

Currently, I have the following configuration:

use Rack::SslEnforcer, hsts: true, redirect_to: 'https://www.example.com'

I'm using redirect_to because the site is behind a reverse proxy that routes different paths to different hosts, so the Host header that gets passed to this particular server is something totally different and not user-friendly, like ec2-1234.aws.amazon.com. I really only want Rack::SslEnforcer to redirect if the protocol is http instead of https. But currently because of redirect_required?, this actually causes a redirect loop. Is this behavior intentional? It seems like it's beyond the scope of this gem to always canonicalize the hostname.

I can work around the problem like this: ignore: -> (request) { request.env['HTTP_X_FORWARDED_PROTO'] == 'https' }

aripollak avatar May 20 '16 20:05 aripollak
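The behaviour asked for above (redirect to the canonical HTTPS host only when the request did not arrive over TLS, trusting the proxy's X-Forwarded-Proto rather than the Host header), as an added stand-alone example that is not rack-ssl-enforcer's code; the class name, the canonical host and the sample request environments are constructed for illustration.

```ruby
# Added example (not rack-ssl-enforcer's code): a minimal Rack-style middleware
# that redirects to a canonical HTTPS host only when the request did not arrive
# over TLS, so an HTTPS request whose Host header differs from the canonical
# host is passed through instead of being redirected again (no loop).
# Assumes the reverse proxy sets X-Forwarded-Proto and is the only path in.
class CanonicalHttpsRedirect
  CANONICAL = 'https://www.example.com' # placeholder canonical origin

  def initialize(app, redirect_to: CANONICAL)
    @app = app
    @redirect_to = redirect_to
  end

  def call(env)
    return @app.call(env) if https?(env)
    location = @redirect_to + env.fetch('PATH_INFO', '/')
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Redirecting']]
  end

  private

  # A request counts as HTTPS when Rack itself saw TLS or when the
  # trusted proxy reports that the client connection was TLS.
  def https?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end
end

# Constructed sample environments standing in for requests that reach the
# backend through the proxy (Host carries the unfriendly internal name).
BACKEND_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def proxied_env(proto, path = '/login', query = '')
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'QUERY_STRING' => query,
    'HTTP_HOST' => 'ec2-1234.aws.amazon.com', 'rack.url_scheme' => 'http',
    'HTTP_X_FORWARDED_PROTO' => proto }
end

def status_and_location(env)
  status, headers, _body = CanonicalHttpsRedirect.new(BACKEND_APP).call(env)
  [status, headers['Location']]
end

if $PROGRAM_NAME == __FILE__
  p status_and_location(proxied_env('http'))   # [301, "https://www.example.com/login"]
  p status_and_location(proxied_env('https'))  # [200, nil]
end
```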

Hi,

It seems like your reverse proxy does not set the X-Forwarded-* headers properly; maybe this helps:

https://github.com/tobmatth/rack-ssl-enforcer#nginx
https://github.com/tobmatth/rack-ssl-enforcer/issues/82

tobmatth avatar May 23 '16 05:05 tobmatth

Which header in particular? It does seem to be setting those correctly, it just doesn't set Host to be the external-facing hostname.

aripollak avatar May 23 '16 11:05 aripollak