 

Rails: activating SSL support gets Chrome confused

There is a nice option to config for the Rails app:

config.force_ssl = true

However it seems that just putting that to true doesn't get the HTTPS connections working. Even more - after trying (and failing) to connect to https://localhost:3000 with Chrome, I've set this option to false, and Chrome still tries to open https, even if I write http.

So, a couple of questions:

  • How to force Chrome not to try https anymore?

  • What is the proper way of enabling SSL on my Rails app?

Update: The app is run on Heroku, and it seems that https is supported there automagically. Can I test SSL also locally? Like when running rails server?

Alexander Savin asked May 04 '12 07:05



2 Answers

First, I should say that I haven't tried this, but there are mainly two possible reasons for Chrome still using HTTPS:

  • Using HTTP Strict Transport Security headers: if the server sets them, the client (supporting HSTS, like Chrome) is meant to stick to HTTPS for all subsequent requests to that host.

  • Permanent redirects. If the initial redirect you got was using "301 Moved Permanently" (and not 302 for example) to make the redirection (*), the browser is meant to remember it ("The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs").

A likely solution to this would be to clear the cache in your browser.

(*) This question seems to indicate this is the case for Ruby on Rails with this config.

Bruno answered Sep 28 '22 01:09



I had the same issue. What I did was use an SSL enforcer gem which adds a middleware that handles SSL and redirects. It has a strict option which enforces the configured protocols.

In your Gemfile add:

gem 'rack-ssl-enforcer'

In production.rb add:

config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, strict: true

This will force the requested pages to be secured and the rest to be non-secured. It disables the HSTS header, which is problematic in Chrome (redirect caching issue).

You can also expire the cache for all clients (if it already exists) to make sure you'll not get an infinite redirect:

config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, :hsts => { :expires => 1, :subdomains => false }

Also remove the SSL enforcement in production.rb (otherwise it might conflict with this middleware):

config.force_ssl = false
ramigg answered Sep 28 '22 01:09

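As an added illustration (not code from either answer and not the rack-ssl-enforcer gem itself), here is a minimal Rack-style middleware in plain Ruby that makes both answers' points concrete: a regex limits which paths are forced to HTTPS (like `only:`), a 302 rather than a 301 keeps the browser from caching the redirect, and a `Strict-Transport-Security` header with `max-age=0` on HTTPS responses tells a browser to forget a previously stored HSTS policy. The class name, option names and the `env_for` helper are made up for this example; it also reads `X-Forwarded-Proto` because platforms like Heroku terminate TLS in front of the app.

```ruby
# Added example: a tiny Rack-compatible middleware (no gems needed) showing
# the three knobs discussed above: regex-scoped enforcement, cacheable (301)
# vs non-cacheable (302) redirects, and expiring HSTS with max-age=0.
class SslEnforcerExample
  def initialize(app, only:, permanent: false, hsts: nil)
    @app = app
    @only = only            # Regexp of paths that must be served over HTTPS
    @permanent = permanent  # true => 301 (browsers cache it), false => 302
    @hsts = hsts            # nil => no HSTS header; { max_age:, subdomains: }
  end

  def call(env)
    # Behind a TLS-terminating proxy (e.g. Heroku) HTTPS shows up only in
    # X-Forwarded-Proto; a local `rails server` sets HTTPS=on itself.
    https = env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
    path = env['PATH_INFO']

    if !https && path.match?(@only)
      location = "https://#{env['HTTP_HOST']}#{path}"
      status = @permanent ? 301 : 302
      return [status, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
    end

    status, headers, body = @app.call(env)
    # HSTS is only honoured on HTTPS responses; max-age=0 clears a stored policy.
    headers = headers.merge('Strict-Transport-Security' => hsts_value) if https && @hsts
    [status, headers, body]
  end

  private

  def hsts_value
    value = "max-age=#{@hsts[:max_age]}"
    value += '; includeSubDomains' if @hsts[:subdomains]
    value
  end
end

# Constructed request environment for trying the middleware offline.
def env_for(host, path, https)
  { 'HTTP_HOST' => host, 'PATH_INFO' => path, 'HTTPS' => https ? 'on' : 'off' }
end

# Downstream "app" that just answers 200 so the middleware's headers are visible.
OK_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
```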