[英]Infinite redirects with Rails config.force_ssl behind a remote SSL proxy
I am running a Rails 5.2 app on an Ubuntu VM provided by my organisation. 我在组织提供的Ubuntu VM上运行Rails 5.2应用程序。 It's served by Nginx (1.14.0) and Passenger (6.0.1).
它由Nginx(1.14.0)和Passenger(6.0.1)提供。
SSL is provided by the organisation through a load balancer. SSL由组织通过负载平衡器提供。 My app is hosted on myapp1 on the internal network and the organisation provides a public-facing myapp.org.com, which provides SSL to the end user and proxies traffic via HTTP over the internal network to myapp1.
我的应用程序托管在内部网络的myapp1上,并且该组织提供了一个面向公众的myapp.org.com,该应用程序向最终用户提供SSL,并通过HTTP通过内部网络将流量代理到myapp1。 I have no control over the load balancer at myapp.org.com.
我无法控制myapp.org.com上的负载平衡器。
The app is also served at the /project subdirectory. 该应用程序也可以在/ project子目录中找到。 When I access https://myapp.org.com/ , I get a 403 from my Nginx server, as expected (for now).
当我访问https://myapp.org.com/时 ,按预期(现在)从Nginx服务器收到403。 When I access https://myapp.org.com/projects , I get an infinite 301 redirect loop (redirecting to the same URL...).
当我访问https://myapp.org.com/projects时 ,我得到一个无限的301重定向循环(重定向到相同的URL ...)。
My Nginx config looks like this: 我的Nginx配置看起来像这样:
server {
listen 80;
server_name myapp myapp.org.com myapp.organisation.com;
add_header X-Forwarded-Proto https;
root /var/www;
location ~ ^/project(/.*|$) {
# Tell Nginx and Passenger where your app's 'public' directory is
alias /var/www/project-production/current/public/$1;
# Turn on Passenger
passenger_ruby /usr/share/rvm/gems/ruby-2.5.3@project-production/wrappers/ruby;
passenger_base_uri /project;
passenger_app_root /var/www/project-production/current;
passenger_document_root /var/www/project-production/current/public;
rails_env production;
passenger_enabled on;
}
}
And config/environments/production.rb
contains config.force_ssl = true
. config/environments/production.rb
包含config.force_ssl = true
。
In trying to solve this, I also tried using proxy_set_header X-Forwarded-Proto https;
为了解决这个问题,我还尝试使用
proxy_set_header X-Forwarded-Proto https;
and no X-Forwarded-Proto
header at all. 而且根本没有
X-Forwarded-Proto
标头。
If I set config.force_ssl = false
, it redirects to http and the organisation's SSO refuses to serve the app. 如果我设置
config.force_ssl = false
,它将重定向到http,并且组织的SSO拒绝为该应用提供服务。
All of the related posts I can find on SO and around the web talk about using Nginx as a proxy to a local Rails server (like Unicorn or Passenger standalone), but this problem seems to be distinct in that Nginx is serving http requests to a remote SSL-enabled proxy. 我可以在SO和网络上找到的所有相关文章都谈到使用Nginx作为本地Rails服务器的代理(例如Unicorn或Passenger独立),但是这个问题似乎很明显,因为Nginx正在将http请求提供给启用了SSL的远程代理。
Your organizations's load balancer must pass X-Forwarded-Proto to your nginx instance. 您组织的负载平衡器必须将X-Forwarded-Proto传递给您的nginx实例。 Your application cannot detect its being browsed by a ssl-terminated load balancer.
您的应用程序无法检测到由ssl终止的负载均衡器正在浏览它。 If it doesn't work, you may need to whitelist load balancer's ip inside your application.
如果它不起作用,则可能需要在应用程序内部将负载均衡器的IP列入白名单。 (i don't know how, i don't code ruby)
(我不知道如何,我不编码红宝石)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.