There is a nice config option for the Rails app:
config.force_ssl = true
However, it seems that just setting that to true doesn't get the HTTPS connection
I had the same issue. What I did was use an SSL enforcer gem, which adds a middleware that handles SSL and redirects. It has a strict option which enforces the configured protocols.
In your Gemfile, add:
gem 'rack-ssl-enforcer'
In production.rb, add:
config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, strict: true
This will force the requested pages to be secured and the rest to be non-secured. It disables the HSTS header, which is problematic in Chrome (redirect caching issue).
You can also expire the cache for all clients (if it already exists) to make sure you won't get an infinite redirect:
config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, :hsts => { :expires => 1, :subdomains => false }
Also remove the SSL enforcement in production.rb (otherwise it might conflict with this middleware):
config.force_ssl = false
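
A simplified model of the two middleware configurations in the answer above, added here as an example; it is not the answer's code and not the rack-ssl-enforcer source. The class name, the `/account` pattern and the `example.test` host are assumptions, and `only`, `strict` and `hsts` behave as the answer describes them.

```ruby
# Simplified model of a scheme-enforcing Rack middleware (hypothetical class,
# not the rack-ssl-enforcer source). Plain Ruby, no gems required.
class SchemeEnforcerModel
  def initialize(app, only:, strict: false, hsts: nil)
    @app, @only, @strict, @hsts = app, only, strict, hsts
  end

  def call(env)
    scheme  = env['rack.url_scheme']
    secured = env['PATH_INFO'].match?(@only)
    wanted  = if secured then 'https'
              elsif @strict then 'http' # strict: every other path is sent back to HTTP
              end
    return redirect(env, wanted) if wanted && wanted != scheme

    status, headers, body = @app.call(env)
    # HSTS goes on HTTPS responses only; per the answer, strict mode disables it
    headers = headers.merge('Strict-Transport-Security' => hsts_value) if scheme == 'https' && @hsts && !@strict
    [status, headers, body]
  end

  private

  def redirect(env, scheme)
    location = "#{scheme}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    [301, { 'Location' => location }, []]
  end

  def hsts_value
    value = "max-age=#{@hsts.fetch(:expires)}"
    value += '; includeSubDomains' if @hsts[:subdomains]
    value
  end
end

# Constructed sample app and requests
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
def request(scheme, path)
  { 'rack.url_scheme' => scheme, 'HTTP_HOST' => 'example.test', 'PATH_INFO' => path }
end

STRICT = SchemeEnforcerModel.new(APP, only: %r{\A/account}, strict: true)
EXPIRE = SchemeEnforcerModel.new(APP, only: %r{\A/account}, hsts: { expires: 1, subdomains: false })

if __FILE__ == $PROGRAM_NAME
  p STRICT.call(request('http', '/account'))  # redirect to the HTTPS URL
  p STRICT.call(request('https', '/about'))   # redirect back to the HTTP URL
  p EXPIRE.call(request('https', '/account')) # served with a one-second HSTS policy
end
```

The one-second `max-age` replaces a long-lived HSTS entry a browser may already hold for the host, which is what lets the HTTP redirect in the strict configuration take effect.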