堆栈内存溢出
  简体   繁体   English

是否需要force_ssl? 还是应该在负载均衡器处终止SSL?

[英]Is it necessary to force_ssl? Or should the SSL terminate at the load balancer?

 原文  2015-06-03 03:35:43       ruby-on-rails/ ruby-on-rails-4/ ssl/ amazon-web-services/ load-balancing

问题描述

On AWS OpsWorks. 在AWS OpsWorks上。 I'm using an ELB, which has my CA's SSL certificate. 我正在使用ELB,它具有我的CA的SSL证书。

The first point of access is always the load balancer (ELB). 访问的第一点始终是负载平衡器(ELB)。 The ELB directs traffic to the instances. ELB将流量定向到实例。 The instances each have a copy of the Rails app, Unicorn, etc. 每个实例都有一个Rails应用程序,Unicorn等的副本。

One thing to note. 要注意的一件事。 The instances behind the ELB cannot be accessed directly. ELB后面的实例无法直接访问。

At this point, do I need to force_ssl in Rails? 此时,我需要在Rails中使用force_ssl吗? I hear it's common enough to terminate SSL at the border (ELB). 我听说在边界(ELB)终止SSL很常见。

As far as I've read, force_ssl gives the following: 据我所读, force_ssl给出以下内容:

  1. Automatic redirect traffic from http to https. 自动将流量从http重定向到https。
  2. Flagging cookies as secure and some added protection (ie against MITM attacks). 将cookie标记为安全的,并增加了一些保护(例如,抵御MITM攻击)。

http://api.rubyonrails.org/classes/ActionController/ForceSSL/ClassMethods.html only indicates http to https redirection. http://api.rubyonrails.org/classes/ActionController/ForceSSL/ClassMethods.html仅指示将HTTP重定向到https。

What does force_ssl do in Rails? force_ssl在Rails中做什么? second answer suggests that force_ssl does more than redirection. 第二个答案表明force_ssl不只是重定向。

If I decide not to use force_ssl , I can manage redirects by writing Nginx definitions. 如果我决定不使用force_ssl ,则可以通过编写Nginx定义来管理重定向。

Given the scenario, it feel like forcing SSL via Rails is obsolete, since the SSL negotiation is already happening in the ELB. 在这种情况下,由于在ELB中已经在进行SSL协商,因此感觉像通过Rails强制使用SSL已经过时了。 Is it still necessary to force_ssl ? 仍然需要force_ssl吗? Are there any added benefits? 还有其他好处吗?

1 个解决方案

解决方案1
 0 已采纳  2015-06-03 05:21:43

if you're terminating SSL at the ELB level you don't want it. 如果要在ELB级别终止SSL,则不需要它。 (you want to take http traffic and not be redirected). (您要获取http流量,而不要重定向)。

bear in mind that in this case the traffic between the ELB and your backend instances will be over HTTP (ie not encrypted). 请记住,在这种情况下,ELB和您的后端实例之间的流量将通过HTTP(即未加密)进行。 this is fine for most cases. 在大多数情况下都可以。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Rails 4 force_ssl问题? - Rails 4 force_ssl issue? 如何将force_ssl与302一起使用 - How to use force_ssl with a 302 在force_ssl之前重定向到'www' - redirect to 'www' before force_ssl 如何在葡萄中使用force_ssl? - How to use force_ssl with grape? ApplicationController中的Force_ssl,限制除 - Force_ssl in ApplicationController, restrict all except for Rails _url帮助器和force_ssl - Rails _url helper and force_ssl 在Rails 5中为特定的控制器禁用force_ssl - Disable force_ssl for specific controllers in Rails 5 force_ssl 在 Rails 中有什么作用? - What does force_ssl do in Rails? 为什么SSL重定向不能与force_ssl和Nginx一起使用? - Why is SSL redirect not working with force_ssl and Nginx? 虽然nginx处理重定向,但我应该启用Rails force_ssl吗? - Should I enable Rails force_ssl although nginx handles redirects?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM