
How to get SSL working with Rails, AWS Elastic Beanstalk and Cloudflare

I have a site hosted on Elastic Beanstalk built with Ruby on Rails. I set up Cloudflare to configure the DNS and provide a CDN. Cloudflare also provides an SSL.

I can't get the SSL working with my app.

With Cloudflare's SSL set at "Flexible" I can load my main page but when I try to log in, I get these errors (edited for brevity):

INFO -- :  Started POST "/users/sign_in" for xxx.xxx.146.132 at 2018-03-19 16:45:24 +0000
INFO -- :  Processing by Users::SessionsController#create as HTML
INFO -- :    Parameters: {"utf8"=>"✓", "authenticity_token"=>"f92CTIe5qlp7C624DZzZM2oWdFMcq6PhyfOJI16saV32yugMmJlenL/F3gTeBBsAjaAw92P1vncWBzI+JnK8wA==", "user"=>{"email"=>"test@test.com", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
WARN -- :  HTTP Origin header (https://[MY_URL].com) didn't match request.base_url (http://[MY_URL].com)
INFO -- :  Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)  
FATAL -- :  ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

If I set Cloudflare's SSL to "Full" I get a 502 error with a Cloudflare-generated page (see image).

I came across this site ( http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf ) which seems to have the exact same issue but setting to "full" didn't help me.

I've tried setting config.force_ssl = true in /config/environments/production.rb. That setting would not allow any access to the site. Just shows the same 502 error page from Cloudflare and nothing in my production or nginx logs.

I've tried messing around with custom nginx configs but haven't gotten anywhere. Here is my latest nginx config attempt:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    server {
        listen       80 ;
        listen       [::]:80 ;
        server_name  localhost;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;


        location / {
          proxy_pass        http://localhost;
          proxy_set_header  Host $host;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto $scheme;
          proxy_set_header  X-Forwarded-Ssl on; # Optional
          proxy_set_header  X-Forwarded-Port $server_port;
          proxy_set_header  X-Forwarded-Host $host;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

Can anyone help? I'm sure I'm missing something obvious here.

502 Error: This error says that the Cloudflare server is unable to read the response your Rails server sends. Basically, when you select Full SSL, Cloudflare expects the response to be in SSL, but here the Rails app sends a non-SSL (HTTP) response, which Cloudflare is unable to read.

I read the article you shared; it looks like Rails does not allow flexible SSL for security reasons.

Flexible SSL
In flexible SSL you don't need to secure your Rails app with an SSL certificate (HTTPS), but your visitors still see the site as being HTTPS enabled.

Flexible SSL : secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.

Full SSL
As mentioned in the article, if you enable Full SSL, then you need to configure Rails with config.force_ssl = true to use a self-signed SSL certificate, or you can get a certificate from Let's Encrypt for free. Once you have done that, you need to change your Nginx to run on HTTPS port 443. This should fix the 502 error.

Here is a tutorial on Using HTTPs with Ruby on Rails

Full SSL : secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least.
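
The WARN line in the question's log can be reproduced with a small model of the comparison it reports. This is an added example, not part of the original question or answer and not Rails source code. It assumes the app infers its scheme from X-Forwarded-Proto alone, that nginx sets that header to $scheme as in the posted config, and a constructed host name app.example.com.

```ruby
# Simplified model of the check behind
#   "HTTP Origin header (https://...) didn't match request.base_url (http://...)"
# Assumption: the scheme comes from X-Forwarded-Proto, else from the socket.

# Scheme the app believes the visitor used.
def inferred_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  forwarded.empty? ? env.fetch("rack.url_scheme") : forwarded
end

# URL the app believes it is being served from.
def base_url(env)
  "#{inferred_scheme(env)}://#{env.fetch("HTTP_HOST")}"
end

# A POST passes only if the browser's Origin equals that URL (or is absent).
def origin_matches?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Request environment the app receives when nginx sets
# X-Forwarded-Proto to $scheme, i.e. the scheme of nginx's own listener.
def env_behind_nginx(listener_scheme:, origin:, host:)
  {
    "HTTP_HOST" => host,
    "HTTP_ORIGIN" => origin,
    "HTTP_X_FORWARDED_PROTO" => listener_scheme,
    "rack.url_scheme" => "http", # nginx -> app hop is plain HTTP
  }
end

HOST = "app.example.com" # constructed placeholder, not the asker's domain
# Flexible: Cloudflare reaches nginx on port 80, so $scheme is "http".
FLEXIBLE = env_behind_nginx(listener_scheme: "http", origin: "https://#{HOST}", host: HOST)
# Full: Cloudflare reaches nginx on port 443, so $scheme is "https".
FULL = env_behind_nginx(listener_scheme: "https", origin: "https://#{HOST}", host: HOST)

def report(label, env)
  verdict = origin_matches?(env) ? "accepted" : "rejected (InvalidAuthenticityToken)"
  "#{label}: Origin=#{env["HTTP_ORIGIN"]} base_url=#{base_url(env)} -> #{verdict}"
end

puts report("Flexible", FLEXIBLE)
puts report("Full", FULL)
```
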
