I just installed an SSL certificate on my site. Unfortunately it has broken the login functionality. After submitting the login form on the site it just redirects to the home page. Checking the rails log shows this error:
(https://example.com) didn't match request.base_url (http://example.com)
Here is my virtualhosts file. I guess I need to force SSL somehow?
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /home/user/sharetribe/lib/certificates/www_example_com.crt
    SSLCertificateKeyFile /home/user/sharetribe/lib/certificates/example.com.key
    SSLCertificateChainFile /home/user/sharetribe/lib/certificates/www_example_com.ca-bundle
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>
Just ran into the same error. In config/environments/production.rb make sure you have set:
config.force_ssl = true
While not strictly related to this issue, after setting this setting you will need to ensure that your reverse proxy (if you have one) is set up to forward the protocol used to Rails by sending the X-Forwarded-Proto header from the proxy to Rails. The way this is done depends on which reverse proxy you use (Apache, nginx, etc.) and how you have configured it, so it's best you look up the specific documentation for the reverse proxy you are using.
The Rails application server is running behind a web server which is SSL-enabled, but the application server is not aware of it and continues with the HTTP protocol. Because of this, request.base_url gives an HTTP URL.
To let the application server know that SSL is enabled and the https protocol is used, you need to explicitly tell the application server.
In the Nginx web server, I have used,
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
For the Apache web server, you need to find similar settings.
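For the Apache virtual host in the question, the same two headers as the nginx lines above can be set with mod_headers. This is an added example, not part of the original answers; it reuses the question's names and paths and assumes mod_headers, mod_ssl, mod_proxy and mod_proxy_http are enabled.

```apache
# Added example: the question's HTTPS virtual host with the forwarded-scheme
# headers set. Only the two RequestHeader lines are new.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    SSLCertificateFile /home/user/sharetribe/lib/certificates/www_example_com.crt
    SSLCertificateKeyFile /home/user/sharetribe/lib/certificates/example.com.key
    SSLCertificateChainFile /home/user/sharetribe/lib/certificates/www_example_com.ca-bundle

    ProxyRequests Off
    # Access block unchanged from the question.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Tell the backend that the client connection was HTTPS.
    # "set" (not "add") replaces any value of these headers sent by the client,
    # so Rails only sees the scheme this virtual host actually terminated.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl "on"

    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>
```

Because Rails trusts these headers, the application server on port 3000 should accept connections only from the proxy (here, localhost), so that nothing else can supply them.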
I think using config.force_ssl = true can solve the problem, but not properly, since this config changes all HTTP requests into HTTPS. This means that if someone requests with HTTP, it will redirect to HTTPS. config.force_ssl = true will not work in the case of APIs where you are sending URLs to the client side.