Scenario
I am running Phusion Passenger through nginx.
I have configured nginx to use SSL and reroute all HTTP traffic to HTTPS.
Do I still need to enable the force_ssl option in my Rails app?
If so, why and what are the advantages?
If I don't enable it, what security risks do I present?
nginx config:
server {
    listen 80;
    server_name myapp.com;
    # send every plain-HTTP request to the same URL over HTTPS
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name myapp.com;
    ssl_certificate /etc/ssl/certs/nginx.pem;
    ssl_certificate_key /etc/ssl/certs/nginx.key;
    root /home/user/rails/app/public;
    passenger_enabled on;
}
The force_ssl option accomplishes the same thing as the nginx rewrite rule, so you don't need the force_ssl option. force_ssl can give you more granularity, such as making it easier to require SSL in certain subdomains or certain deployment environments. It could also be better if you are more comfortable doing this kind of configuration in Rails rather than in nginx. It will not give you any extra security, however.
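To make the equivalence concrete, here is an added example (not part of the question or the answer above, and not Rails' own code): a minimal Rack-style middleware written against plain Ruby that reproduces the two things the nginx rewrite block and Rails' force_ssl both do for a request arriving over plain HTTP, namely answer with a permanent redirect to the same path and query on https, and for requests that did arrive over TLS, pass them through. Because Passenger runs behind nginx, the app never terminates TLS itself and can only learn the original scheme from the X-Forwarded-Proto header the proxy sets; the middleware trusts that header, which is why this kind of in-app redirect is only as reliable as the proxy configuration in front of it. The host name, paths and sample requests are constructed for the example; the HSTS max-age is a value chosen here, not a Rails default.

```ruby
# Added example (not from the question or answer): a Rack-style middleware
# that mirrors the nginx rule
#   rewrite ^ https://$server_name$request_uri? permanent;
# and the redirect that Rails' force_ssl performs. Standard library only,
# so the Rack gem is not required to run it.
class ForceSsl
  PERMANENT = 301
  # Policy value chosen for this example (one year); not a Rails default.
  HSTS = "max-age=31536000"

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect(env) unless https?(env)

    status, headers, body = @app.call(env)
    # Once a response goes out over TLS, tell the browser to stay on it.
    [status, headers.merge("Strict-Transport-Security" => HSTS), body]
  end

  # The request is considered secure if this process terminated TLS itself
  # (rack.url_scheme) or the reverse proxy reports that the client used TLS
  # (X-Forwarded-Proto). Only the first value counts if several are listed.
  def https?(env)
    return true if env["rack.url_scheme"] == "https"

    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  # Build the Location the nginx rewrite would produce. Like the rewrite,
  # it uses the configured server name rather than the client-supplied
  # Host header, so a forged Host cannot steer the redirect elsewhere.
  def redirect(env)
    host = env["SERVER_NAME"]
    location = "https://#{host}#{env['PATH_INFO']}"
    query = env["QUERY_STRING"].to_s
    location += "?#{query}" unless query.empty?
    [PERMANENT,
     { "Location" => location, "Content-Type" => "text/plain" },
     ["Redirecting to #{location}\n"]]
  end
end

# Constructed sample environments shaped like what nginx + Passenger hand
# to the app; these are not captured from a real deployment.
def sample_env(scheme:, forwarded: nil, path: "/login", query: "next=%2Fdashboard")
  env = {
    "rack.url_scheme" => scheme,
    "HTTP_HOST" => "myapp.com",
    "SERVER_NAME" => "myapp.com",
    "PATH_INFO" => path,
    "QUERY_STRING" => query,
  }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded if forwarded
  env
end

# A stand-in for the Rails app behind the middleware.
APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }

# Run one request through the middleware and return [status, headers, body].
def run(env)
  ForceSsl.new(APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = run(sample_env(scheme: "http"))
  puts "#{status} -> #{headers['Location']}"
  status, headers, = run(sample_env(scheme: "http", forwarded: "https"))
  puts "#{status} #{headers['Strict-Transport-Security']}"
end
```

Running the file shows the two cases that matter in this deployment: a request the proxy forwarded without `X-Forwarded-Proto: https` is sent back to `https://myapp.com/login?next=%2Fdashboard` with a 301, while one the proxy marks as already-TLS reaches the app and gets the HSTS header added. Since nginx already issues that same redirect before Passenger ever sees the request, the first branch is never exercised in the questioner's setup, which is the practical content of the answer above.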