Elastic Load Balancer on port 443 works for forced SSL Ruby On Rails application, but why?
My Ruby on Rails application is configured with the following:
config.force_ssl = true
And I set up the following elastic load balancer:
With this configuration everything works, but I do not understand why. With the code above, my application instance will return a 301 redirect in response to an HTTP request. When the HTTP request is handled by the load balancer, it is forwarded on to the instance as an HTTP request. Shouldn't this result in another 301, and therefore an endless loop?
EDIT I thought a bit about my answer and decided to go into some more detail with it.
Network communication is usually composed of several layers, among which are the physical layer, which is the cable/radio channel where information travels through, the transport layer which is often TCP/IP, the protocol layer which in our case is usually HTTP or HTTPS and finally the application layer which is what our Rails app handles.
Rails usually never gets in touch with the actual HTTPS data stream, as this is handled by your webserver. So how does force_ssl work at all?
The protocol layer is handled by the webserver (nginx, mongrel...) and this is who could care first about forcing SSL. When the webserver hands over a request to the application layer (hence, the Rails app), it also provides a lot of metadata, which includes requester IP, request path, request format, a lot of header variables and also information about the used protocol.
When a request arrives at your webserver on port 443 (and uses HTTPS protocol), the webserver sets the header flag SERVER_PROTOCOL to https.
If a proxy server (as the load balancer is) receives a request on 443 and forwards it to 80, it adds the X-FORWARDED-PROTO=https header to the request, which is made available for your Rails app by the webserver.
Now, long story short: config.force_ssl requires SERVER_PROTOCOL OR X-FORWARDED-PROTO to denote https.
ORIGINAL ANSWER The Rails force_ssl method does not really force a request to arrive on port 443 on your server; it is satisfied when the original (client) request was sent over SSL through the internet. The load balancer (as a proxy) sets the header X-FORWARDED-PROTO to "https". Rails trusts that information and that is why this is working.
More info on that can be found in the elastic load balancer docs: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-for
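Added example (not part of the original answer, and not Rails' or Rack's own source): a simplified Ruby stand-in for the scheme check the answer describes, run over three constructed requests as the instance would see them on port 80. The function names, host name and sample requests are assumptions made for illustration.

```ruby
# Simplified stand-in for the decision behind config.force_ssl.
# Illustration only; this is not the Rails or Rack implementation.

# Work out which scheme the client originally used, from a Rack-style env hash.
def effective_scheme(env)
  return "https" if env["HTTPS"] == "on"
  # A proxy chain may send a list ("https, http"); the first entry is the client's hop.
  first_hop = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  return first_hop unless first_hop.empty?
  env.fetch("rack.url_scheme", "http")
end

# Pass the request through if it counts as HTTPS, otherwise answer with a 301.
def force_ssl_response(env)
  return [200, {}, ["app response"]] if effective_scheme(env) == "https"
  host = env.fetch("HTTP_HOST", env["SERVER_NAME"])
  location = "https://#{host}#{env.fetch('PATH_INFO', '/')}"
  [301, { "Location" => location }, []]
end

# Constructed sample requests: every one reaches the instance as plain HTTP.
BASE = {
  "rack.url_scheme" => "http",
  "HTTP_HOST"       => "app.example.com", # hypothetical host name
  "PATH_INFO"       => "/login"
}.freeze

SAMPLES = {
  "proxy got HTTPS on 443, forwards to 80" => BASE.merge("HTTP_X_FORWARDED_PROTO" => "https"),
  "proxy got HTTP on 80, forwards to 80"   => BASE.merge("HTTP_X_FORWARDED_PROTO" => "http"),
  "no forwarded header, plain HTTP"        => BASE
}.freeze

# Status code the check produces for each sample.
def run_samples
  SAMPLES.transform_values { |env| force_ssl_response(env).first }
end

run_samples.each { |label, status| puts format("%-40s %d", label, status) }
```

Only the first request passes through, which is why the forwarded HTTPS request does not loop. Because the decision rests on a request header, it holds only when the instance accepts traffic solely from the load balancer.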