使用Rails config.force_ssl在远程SSL代理后面进行无限重定向
[英]Infinite redirects with Rails config.force_ssl behind a remote SSL proxy
问题描述
I am running a Rails 5.2 app on an Ubuntu VM provided by my organisation. 
我在组织提供的Ubuntu VM上运行Rails 5.2应用程序。 It's served by Nginx (1.14.0) and Passenger (6.0.1). 它由Nginx(1.14.0)和Passenger(6.0.1)提供。
SSL is provided by the organisation through a load balancer. SSL由组织通过负载平衡器提供。 My app is hosted on myapp1 on the internal network and the organisation provides a public-facing myapp.org.com, which provides SSL to the end user and proxies traffic via HTTP over the internal network to myapp1. 我的应用程序托管在内部网络的myapp1上,并且该组织提供了一个面向公众的myapp.org.com,该应用程序向最终用户提供SSL,并通过HTTP通过内部网络将流量代理到myapp1。 I have no control over the load balancer at myapp.org.com. 我无法控制myapp.org.com上的负载平衡器。
The app is also served at the /project subdirectory. 该应用程序也可以在/ project子目录中找到。 When I access https://myapp.org.com/ , I get a 403 from my Nginx server, as expected (for now). 当我访问https://myapp.org.com/时 ,按预期(现在)从Nginx服务器收到403。 When I access https://myapp.org.com/projects , I get an infinite 301 redirect loop (redirecting to the same URL...). 当我访问https://myapp.org.com/projects时 ,我得到一个无限的301重定向循环(重定向到相同的URL ...)。
My Nginx config looks like this: 我的Nginx配置看起来像这样:
server {
listen 80;
server_name myapp myapp.org.com myapp.organisation.com;
add_header X-Forwarded-Proto https;
root /var/www;
location ~ ^/project(/.*|$) {
# Tell Nginx and Passenger where your app's 'public' directory is
alias /var/www/project-production/current/public/$1;
# Turn on Passenger
passenger_ruby /usr/share/rvm/gems/ruby-2.5.3@project-production/wrappers/ruby;
passenger_base_uri /project;
passenger_app_root /var/www/project-production/current;
passenger_document_root /var/www/project-production/current/public;
rails_env production;
passenger_enabled on;
}
}
And config/environments/production.rb contains config.force_ssl = true . config/environments/production.rb包含config.force_ssl = true 。
In trying to solve this, I also tried using proxy_set_header X-Forwarded-Proto https; 为了解决这个问题,我还尝试使用proxy_set_header X-Forwarded-Proto https; and no X-Forwarded-Proto header at all. 而且根本没有X-Forwarded-Proto标头。
If I set config.force_ssl = false , it redirects to http and the organisation's SSO refuses to serve the app. 如果我设置config.force_ssl = false ,它将重定向到http,并且组织的SSO拒绝为该应用提供服务。
All of the related posts I can find on SO and around the web talk about using Nginx as a proxy to a local Rails server (like Unicorn or Passenger standalone), but this problem seems to be distinct in that Nginx is serving http requests to a remote SSL-enabled proxy. 我可以在SO和网络上找到的所有相关文章都谈到使用Nginx作为本地Rails服务器的代理(例如Unicorn或Passenger独立),但是这个问题似乎很明显,因为Nginx正在将http请求提供给启用了SSL的远程代理。
1 个解决方案
解决方案1
1 已采纳 2019-03-07 10:55:17
Your organizations's load balancer must pass X-Forwarded-Proto to your nginx instance. 您组织的负载平衡器必须将X-Forwarded-Proto传递给您的nginx实例。 Your application cannot detect its being browsed by a ssl-terminated load balancer. 您的应用程序无法检测到由ssl终止的负载均衡器正在浏览它。 If it doesn't work, you may need to whitelist load balancer's ip inside your application. 如果它不起作用,则可能需要在应用程序内部将负载均衡器的IP列入白名单。 (i don't know how, i don't code ruby) (我不知道如何,我不编码红宝石)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.