Firefox and Chrome keeps forcing HTTPS on Rails app using nginx/Passenger
Posted
by
Steve
on Server Fault
See other posts from Server Fault
or by Steve
Published on 2012-01-01T19:06:41Z
Indexed on
2012/12/01
5:06 UTC
Read the original article
Hit count: 525
I've got a really weird problem here where every time I try to browse my Rails app in non-SSL mode Chrome (v16) and Firefox (v7) keeps forcing my website to be served in HTTPS.
My Rails application is deployed on a Ubuntu VPS using Capistrano, nginx, Passenger and a wildcard SSL certificate.
I have set these parameters for port 80 in the nginx.conf:
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO http;
passenger_set_cgi_param HTTPS off;
The long version of my nginx.conf can be found here: https://gist.github.com/2eab42666c609b015bff
The ssl-redirect.include file contains:
rewrite ^/sign_up https://$host$request_uri? permanent ;
rewrite ^/login https://$host$request_uri? permanent ;
rewrite ^/settings/password https://$host$request_uri? permanent ;
It is to make sure those three pages use HTTPS when coming from non-SSL request.
My production.rb file contains this line:
# Enable HTTP and HTTPS in parallel
config.middleware.insert_before Rack::Lock, Rack::SSL, :exclude => proc { |env| env['HTTPS'] != 'on' }
I have tried redirecting to HTTP via nginx rewrites, Ruby on Rails redirects and also used Rails view url using HTTP protocol.
My application.rb file contains this methods used in a before_filter hook:
def force_http
if Rails.env.production?
if request.ssl?
redirect_to :protocol => 'http', :status => :moved_permanently
end
end
end
Every time I try to redirect to HTTP non-SSL the browser attempts to redirect it back to HTTPS causing an infinite redirect loop. Safari, however, works just fine. Even when I've disabled serving SSL in nginx the browsers still try to connect to the site using HTTPS. I should also mention that when I pushed my app on to Heroku, the Rails redirect work just fine for all browsers.
The reason why I want to use non-SSL is that my homepage contains non-secure dynamic embedded objects and a non-secure CDN and I want to prevent security warnings.
I don't know what is causing the browser to keep forcing HTTPS requests.
© Server Fault or respective owner