
Rails: Why does my server redirect http to https

I have a rails app that I had built on Heroku and I had configured it to use SSL there. Now I'm moving to AWS EC2 and I want to get a version of my app working without SSL. Once that is done I will add the SSL functionality later.

My stack is Puma + Nginx + PostgreSQL and I'm working with Rails 4.2.4, Ruby 2.2.3 and Capistrano 3.4.0.

I remember in my app that I had once inserted the line

config.force_ssl = true

in config/environments/production.rb. I commented this out expecting my app to go back to working well with http. But it didn't: even after commenting that line, whenever I visit my EC2 public IP (52.35.82.113) the request gets sent on port 80 (http) and gets redirected to port 443 (https).

This can be seen more clearly when I run curl -v http://localhost on my EC2 instance; it returns:

* Rebuilt URL to: http://localhost/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Sat, 12 Dec 2015 12:22:56 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://localhost/
< 
* Connection #0 to host localhost left intact

I'm not very experienced when it comes to this stuff. I thought initially the problem would be with my Nginx configuration. In my previous question here it was suggested to me that there was nothing wrong with my Nginx config and that the redirect was coming from Rails. I suspect this is the case since I can't see anything in Nginx that could be enforcing the redirect, but if you think the issue might be there then you can see a lot of the relevant code in the link above.

What else in Rails apart from the force_ssl printed above could be causing the redirect?

Thanks for your help everyone. Let me know if you have any questions or need more info!

Dennis asked Dec 12 '15 17:12


People also ask

Why does HTTP change automatically to HTTPS?

HSTS is a security feature that forces the browser to use HTTPS even when accessing an HTTP URL. The browser will start using HSTS for a domain after receiving a Strict-Transport-Security header from the server. The browser also ships with a list of domains for which HSTS is enabled by default.

How do I stop chrome from redirecting to HTTPS?

The solution is simple: go to chrome://net-internals/#hsts -> Delete domain security policies (at the very bottom of the page) -> enter the domain (example.co.id here, as an example) -> press Delete. Then go to that link again (local.example.co.id). If you are still redirected to https, it's about the cache in Chrome.




2 Answers

I had the same problem. Solution for me was:

  1. Delete config.force_ssl = true from application.rb
  2. For Ubuntu: Ctrl + Shift + Del => Clear browsing data
spirito_libero answered Oct 14 '22 23:10


This gist suggests it might be because of an HSTS header:

So if you enabled force_ssl once, even [if] you change the config value to false later, the browser you used to open you[r] app before will still remember this website (using domain to identify) [and] require [you] to use HTTPS, and redirect you to HTTPS connection automatically.

According to this page you can remove your HSTS entries by going to chrome://net-internals/#hsts in Chrome and about:permissions in Firefox and deleting ~/Library/Cookies/HSTS.plist in Safari.

eremite answered Oct 14 '22 23:10
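
Added example (not part of the original question or answers): a Ruby script that tells a server-side redirect apart from an HSTS policy a browser would store, run over an excerpt of the curl trace in the question and two constructed HTTPS responses. The function names and finding symbols are assumptions made for this illustration.

```ruby
# Split a curl -v / curl -sI response into [status, {downcased name => value}].
def parse_response(raw)
  lines = raw.lines.map { |l| l.strip.sub(/\A<\s*/, "") }
             .reject { |l| l.empty? || l.start_with?("*", ">") }
  status = lines.shift.to_s[%r{\AHTTP/\S+\s+(\d{3})}, 1].to_i
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.strip if value
  end
  [status, headers]
end

# max-age in seconds from a Strict-Transport-Security value, nil if absent.
def hsts_max_age(value)
  directive = value.split(";").map(&:strip).grep(/\Amax-age\s*=/i).first
  directive && directive[/\d+/]&.to_i
end

# over_tls: whether the response arrived over HTTPS. Browsers ignore
# Strict-Transport-Security received over plain HTTP (RFC 6797, section 8.1).
def diagnose(raw, over_tls:)
  status, headers = parse_response(raw)
  findings = []
  if !over_tls && [301, 302, 307, 308].include?(status) &&
     headers["location"].to_s.start_with?("https://")
    findings << :server_redirects_to_https
  end
  if (sts = headers["strict-transport-security"])
    age = hsts_max_age(sts)
    kind = if !over_tls then :hsts_ignored_over_http
           elsif age.nil? then :hsts_invalid
           elsif age.zero? then :hsts_entry_cleared # max-age=0 removes the policy
           else :hsts_entry_stored                  # browser upgrades http itself
           end
    findings << kind
  end
  findings
end

# Excerpt of the curl -v trace in the question.
QUESTION_TRACE = <<~TXT
  > GET / HTTP/1.1
  < HTTP/1.1 301 Moved Permanently
  < Location: https://localhost/
TXT
# Constructed HTTPS responses (not from the page).
HSTS_ON  = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\n"
HSTS_OFF = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=0\n"
[[QUESTION_TRACE, false], [HSTS_ON, true], [HSTS_OFF, true]].each { |r, tls| p diagnose(r, over_tls: tls) }
```

curl keeps no HSTS state by default, so a 301 seen in a curl trace comes from the server side, while a redirect that appears only in a browser that visited the site earlier is consistent with a stored HSTS entry.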