Closed ezekg closed 4 months ago
It's worth mentioning that any well-behaved reverse proxy should be setting the `X-Forwarded-*` headers. Namely, `X-Forwarded-Proto`, which Rails uses to determine if the request is coming from a TLS-terminating reverse proxy. If `X-Forwarded-Proto: https`, then Rails will NOT redirect the request, because it knows it's coming from a TLS-terminating reverse proxy. So the only case where `config.force_ssl = false` is actually needed is for misbehaving reverse proxies.
Not needed: https://github.com/maybe-finance/maybe/issues/308#issuecomment-1944936184.
See: https://github.com/maybe-finance/maybe/issues/308. Campfire does the below in `config/environments/production.rb`, so we should follow suit:

Ref: https://github.com/keygen-sh/campfire/blob/f75357eca673fe6f0dce8d5ee98b5d891d330b86/config/environments/production.rb#L58-L60
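
The redirect behaviour described in the comment above, as an added example that is not part of the original issue and is neither Rails' nor Campfire's code: a simplified, dependency-free Rack-style model of the decision behind `config.force_ssl`. The class name `ForceSslModel`, its `enabled:` option and the sample requests are assumptions constructed for illustration.

```ruby
# Simplified model of the check behind config.force_ssl (not Rails' own code).
class ForceSslModel
  def initialize(app, enabled: true)
    @app = app
    @enabled = enabled # models config.force_ssl = true / false
  end

  def call(env)
    return @app.call(env) if !@enabled || https?(env)

    # Safe methods get a permanent redirect; others keep their method (307).
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "location" => "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}" }, []]
  end

  private

  def https?(env)
    return true if env["rack.url_scheme"] == "https"

    # Chained proxies may send "https, http"; the first value is the client-facing hop.
    # The header is client-controllable unless the app is reachable only via the proxy.
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase == "https"
  end
end

# Constructed sample request, as the app sees it behind a proxy speaking plain HTTP.
def sample_env(extra = {})
  { "REQUEST_METHOD" => "GET", "HTTP_HOST" => "app.example.test",
    "PATH_INFO" => "/", "rack.url_scheme" => "http" }.merge(extra)
end

def demo_responses
  app = ->(_env) { [200, {}, ["ok"]] }
  strict = ForceSslModel.new(app)
  {
    well_behaved_proxy: strict.call(sample_env("HTTP_X_FORWARDED_PROTO" => "https")),
    misbehaving_proxy: strict.call(sample_env), # header missing: redirected on every request
    post_without_header: strict.call(sample_env("REQUEST_METHOD" => "POST")),
    force_ssl_disabled: ForceSslModel.new(app, enabled: false).call(sample_env)
  }
end

demo_responses.each { |name, (status, headers, _)| puts "#{name}: #{status} #{headers["location"]}" }
```

The `misbehaving_proxy` case is the one the comment refers to: without the header the app keeps answering with a redirect to the HTTPS URL even though the client already arrived over TLS.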