Rails Ruby on Rails → 3.0.2

Comments and changes to this ticket

• 

  Andrew White August 19th, 2010 @ 03:09 PM

  • Milestone cleared.
  • State changed from “new” to “open”
  • Assigned user set to “Andrew White”
  • Importance changed from “” to “High”

  I've got a test but the scheme 'https' seems to be maintained, it's just adding an unnecessary 443 port number which I know where to fix. Can you confirm that this is the case for you?

• You flagged this item as spam.
  

  Thibaud Guillaume-Gentil August 19th, 2010 @ 03:16 PM

  In my case https is not maintained and replaced by http. I can retry after you have fixed the useless 443 port addition, if you want. Thanks

• 

  Andrew White August 19th, 2010 @ 03:27 PM

  How are you testing it?

• 

  Andrew White August 19th, 2010 @ 03:44 PM

  The attached patch fixes the port number issue. I can't see how the scheme wouldn't be maintained since the redirect code reads it from the current request.

  • 0001-secure-redirect-should-not-add-standard-port.diff 4.1 KB

• You flagged this item as spam.
  

  Thibaud Guillaume-Gentil August 19th, 2010 @ 03:49 PM

  I don't test it, it's how it "work" on my staging Heroku env. Maybe it's an issue related to Heroku nginx config with the 443 port. I'll try with your patch tomorrow.

• You flagged this item as spam.
  

  Thibaud Guillaume-Gentil August 20th, 2010 @ 08:56 AM

  With your patch the 443 port is properly removed but https is still replaced by http.
  I have apply your patch on edge rails (http://github.com/thibaudgg/rails/tree/routes_patched) and make a little app (deployed on Heroku with SSL add-on (heroku addons:add ssl:piggyback)) to show you the https problem.

  The little app: http://github.com/thibaudgg/https_app
  Heroku deploy: https://https-app.heroku.com (redirected to http://https-app.heroku.com/hello)

  Hope it'll help!

• 

  Andrew White August 20th, 2010 @ 10:20 AM

  Looks as though the problem is in Rack rather than Rails. Looking at the source code for the various handlers not all of them set the rack.url_scheme environment variable correctly. There's already a workaround for request.ssl? which will work here as heroku sets HTTP_X_FORWARDED_PROTO to https if the incoming request is ssl.

  The attached combined patch should fix it.

  • 0002-secure-redirect-should-not-add-standard-port.diff 5.1 KB

• You flagged this item as spam.
  

  Thibaud Guillaume-Gentil August 20th, 2010 @ 02:29 PM

  Great, our second patch fix the problem.

  https://https-app.heroku.com => https://https-app.heroku.com/hello

  Thanks a lot Andrew and have a nice week-end.

• 

  Repository August 20th, 2010 @ 02:41 PM

  • State changed from “open” to “resolved”

  (from [47280f083a06dfd034f2e1a2661adf02b0e3a064]) Don't add the standard https port when using redirect in routes.rb and ensure that request.scheme returns https when using a reverse proxy.

  [#5408 state:resolved]

  Signed-off-by: José Valim jose.valim@gmail.com
  http://github.com/rails/rails/commit/47280f083a06dfd034f2e1a2661adf...

• 

  Repository August 20th, 2010 @ 02:42 PM

  (from [0d0fbf1e648606c9499e332bad412da005a4e37f]) Don't add the standard https port when using redirect in routes.rb and ensure that request.scheme returns https when using a reverse proxy.

  [#5408 state:resolved]

  Signed-off-by: José Valim jose.valim@gmail.com
  http://github.com/rails/rails/commit/0d0fbf1e648606c9499e332bad412d...

• 

  Jeremy Kemper October 15th, 2010 @ 11:02 PM

  • Milestone set to “3.0.2”

  [bulk edit]

• You flagged this item as spam.
  

  blair.silverberg January 26th, 2011 @ 04:15 PM

  I am still encountering this problem on heroku. When navigating to https://secure.ignitiontutoring.com user is redirected to http://secure.ignitiontutoring.com.

• 

  Andrew White January 26th, 2011 @ 04:37 PM

  Blair, you'll need to give me more to work with than that - for example a dump of the request environment that your app receives, some relevant routes and whether you're using any plugins, gems or middleware that performs ssl redirects like ssl_requirement or rack-ssl-enforcer.

• You flagged this item as spam.
  

  mdrozdziel February 3rd, 2011 @ 05:15 AM

  Looks like I am getting this error too. I am using rack-ssl-enforcer with :strict => true. Every https:// request (which should be enforced to http://), and is beeing redirected inside the controller ends up beeing redirected to http://https://

• You flagged this item as spam.
  

  mdrozdziel February 4th, 2011 @ 11:24 AM

  I am very sorry, but this is probably not related to the previous bug. I read Blair's report, and immediately though that this is the case. I even created a demo app, but it turned out it works in on a clean up. I found that url_for help was returning http://https://.. paths. This is probably more related to translate_routes gem, than rack-ssl-enforcer.

  In case someone runs into this issue and ends up here from Google: I solved this for just by adding :path_only => true to the url_for helpers. Now everything is ok.