keygen-sh / keygen-api

Keygen is a fair source software licensing and distribution API built with Ruby on Rails. For developers, by developers.
https://keygen.sh

Add support for disabling force_ssl for SSL-terminating reverse proxies #794

Closed ezekg closed 4 months ago

ezekg commented 4 months ago

See: https://github.com/maybe-finance/maybe/issues/308. Campfire does the below in config/environments/production.rb, so we should follow suit:

# Always be SSL'ing (unless told not to)
config.assume_ssl = ENV["DISABLE_SSL"].blank?
config.force_ssl  = ENV["DISABLE_SSL"].blank?

Ref: https://github.com/keygen-sh/campfire/blob/f75357eca673fe6f0dce8d5ee98b5d891d330b86/config/environments/production.rb#L58-L60

ezekg commented 4 months ago

It's worth mentioning that any well-behaved reverse proxy should be setting the X-Forwarded-* headers. Namely, X-Forwarded-Proto, which Rails uses to determine if the request is coming from a TLS-terminating reverse proxy. If X-Forwarded-Proto: https, then Rails will NOT redirect the request, because it knows it's coming from a TLS-terminating reverse proxy. So the only case where config.force_ssl = false is actually needed is for misbehaving reverse proxies.

Not needed: https://github.com/maybe-finance/maybe/issues/308#issuecomment-1944936184.
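The decision described in the comment above, as an added illustration that is not Keygen's, Rails' or Campfire's own code: a minimal Rack middleware that mirrors what ActionDispatch::SSL does when config.force_ssl is on, honouring X-Forwarded-Proto from the proxy and keeping the DISABLE_SSL opt-out from the Campfire snippet. The host and path values in demo are constructed.

```ruby
# Added example (not Keygen's, Rails' or Campfire's own code): a minimal Rack
# middleware that mirrors the decision ActionDispatch::SSL makes when
# config.force_ssl is on. The DISABLE_SSL opt-out follows the Campfire snippet
# quoted in the issue; the host/path values in demo are constructed.
class ForceSsl
  def initialize(app, enabled: ENV["DISABLE_SSL"].to_s.strip.empty?)
    @app = app
    @enabled = enabled
  end

  # A request counts as secure when it arrived over TLS directly, or when the
  # reverse proxy set X-Forwarded-Proto: https (first value wins if several).
  # Only honour this header when the app is reachable solely through your own
  # proxy; a client that can reach the app directly could set it itself.
  def self.secure?(env)
    return true if env["rack.url_scheme"] == "https"

    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def call(env)
    return @app.call(env) if !@enabled || self.class.secure?(env)

    # Misbehaving proxy (no X-Forwarded-Proto) or a plain-HTTP client:
    # permanently redirect to the same URL over https.
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Location" => location, "Content-Type" => "text/plain" }, []]
  end

  # Constructed sample requests covering the cases discussed in the issue;
  # returns the HTTP status each one receives.
  def self.demo
    app  = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
    base = { "HTTP_HOST" => "api.example.test", "PATH_INFO" => "/v1/licenses", "QUERY_STRING" => "page=2" }
    {
      direct_tls:   new(app, enabled: true).call(base.merge("rack.url_scheme" => "https"))[0],
      proxy_header: new(app, enabled: true).call(base.merge("rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "https"))[0],
      no_header:    new(app, enabled: true).call(base.merge("rack.url_scheme" => "http"))[0],
      ssl_disabled: new(app, enabled: false).call(base.merge("rack.url_scheme" => "http"))[0],
    }
  end
end

puts ForceSsl.demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the no_header case is redirected, which is the "misbehaving proxy" situation the comment describes; with DISABLE_SSL set, even that request passes through.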