
Force ssl for logged in users in rails using nginx

My stack looks like this: nginx -> thin -> rails. In my rails app I have in my application_controller.rb:

  if (!Rails.env.development?)
    before_filter :force_ssl
  end

  # Force logged in users to use SSL
  def force_ssl
    if current_user && request.protocol != "https://"
      redirect_to :protocol => "https://"
    end
  end

The problem is all requests seem like http since nginx handles the ssl and forwards to thin and causes an infinite redirect loop. What's the proper way to set up ssl for logged in users in this situation?

You can use the proxy_set_header directive to set a custom header telling your backend that the request came from the secure frontend.

Example:

for 80:
proxy_set_header           X-SSL     0;

for 443:
proxy_set_header           X-SSL     1;

Or globally

proxy_set_header X-Forwarded-Proto $scheme;
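
The backend half of the `X-Forwarded-Proto` approach above, as an added example that is not part of the original answer: plain Ruby over a Rack-style env hash showing how the redirect decision stops looping once it reads the forwarded scheme. The names `TRUSTED_PROXIES`, `client_scheme`, `force_ssl_target` and `sample_env`, the host `app.example.test`, and the assumption that nginx and thin share a host are all hypothetical.

```ruby
# Assumption: nginx runs on the same host as thin, so the proxy is loopback.
TRUSTED_PROXIES = ["127.0.0.1", "::1"].freeze

# Scheme the client used, as reported by the proxy. The header is honoured
# only when the direct peer is the proxy, so a client that reaches thin
# directly cannot claim "https" for itself.
def client_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.strip.downcase
  if TRUSTED_PROXIES.include?(env["REMOTE_ADDR"]) && %w[http https].include?(forwarded)
    forwarded
  else
    env["rack.url_scheme"] || "http"
  end
end

# Returns the https URL to redirect to, or nil when no redirect is needed.
def force_ssl_target(env, logged_in:)
  return nil unless logged_in
  return nil if client_scheme(env) == "https"
  query = env["QUERY_STRING"].to_s
  url = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  query.empty? ? url : "#{url}?#{query}"
end

# Constructed sample request, as thin would see it behind nginx.
def sample_env(proto:, peer: "127.0.0.1")
  {
    "REMOTE_ADDR" => peer,
    "rack.url_scheme" => "http", # the nginx -> thin hop is always plain http
    "HTTP_HOST" => "app.example.test",
    "PATH_INFO" => "/account",
    "QUERY_STRING" => "tab=billing",
    "HTTP_X_FORWARDED_PROTO" => proto
  }
end

if __FILE__ == $0
  [["https", "127.0.0.1"], ["http", "127.0.0.1"], ["https", "203.0.113.9"]].each do |proto, peer|
    target = force_ssl_target(sample_env(proto: proto, peer: peer), logged_in: true)
    puts "#{proto} via #{peer}: #{target || 'no redirect'}"
  end
end
```

Because `proxy_set_header` replaces whatever value the client sent, the header is trustworthy only when thin accepts connections from nginx alone.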

Why not just use https for all users?

Google, Github, and many others have started doing it.

You can do this straight in your nginx config.

server {
  listen 80;

  location / {
    rewrite ^(.*) https://$host$1 permanent;
  }
}

This will redirect all port 80 traffic to https and port 443.

Then just declare your normal server for port 443.

server {
  listen 443;
  # whatever
}
