Rails: activating SSL support gets Chrome confused

Backend · Unresolved · 4 answers · 502
逝去的感伤 · 2021-01-12 09:09

There is a nice option to config for the Rails app:

config.force_ssl = true

However, it seems that just setting that to true doesn't get the HTTPS connection.

4 answers
  • 2021-01-12 09:19

    Open your Chrome Developer Tools when you're at localhost. Then you can right-click the refresh button ↻ and select "Empty cache and hard reload".

    This error might also happen to you if you start your server in the production environment, where HSTS is enabled.

    Chrome redirects you to https://localhost:3000/ and says "SSL connection error".

    0 · Discussion (0)
  • 2021-01-12 09:28

    I had the same issue. What I did was use an SSL enforcer gem, which adds a middleware that handles SSL and redirects. It has a strict option which enforces the configured protocols.

    In your Gemfile add:

    gem 'rack-ssl-enforcer'
    

    In production.rb add:

    config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, strict: true
    

    This will force the requested pages to be secured and the rest to be non-secured. It disables the HSTS header, which is problematic in Chrome (redirect caching issue).

    You can also expire the cache for all clients (if it already exists) to make sure you won't get an infinite redirect:

    config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, hsts: { expires: 1, subdomains: false }
    

    Also remove the SSL enforcement in production.rb (otherwise it might conflict with this middleware):

    config.force_ssl = false
    
    
    0 · Discussion (0)
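To make the behaviour of the `only:`, `strict:` and `hsts:` options in the answer above concrete, here is an added example: a small Rack-style middleware that models them. It is not the rack-ssl-enforcer gem's code and not Rails' ActionDispatch::SSL; the class name, defaults, the `OK_APP` stand-in and the `build_env` request builder are my own, and the localhost:3000 requests are constructed. It shows the 301 redirects the thread discusses, the `strict:` bounce back to HTTP for paths outside `only:`, and the `Strict-Transport-Security` header being set only on HTTPS responses, with `hsts: false` suppressing it entirely.

```ruby
# Added example: a Rack-style SSL enforcer modelling only:, strict: and hsts:.
# Not the rack-ssl-enforcer gem's code and not ActionDispatch::SSL; names and
# defaults are this example's own assumptions.
class SslEnforcer
  # hsts: is either false (send no header) or a Hash with :expires (seconds)
  # and :subdomains (adds includeSubDomains).
  def initialize(app, only: nil, strict: false, hsts: { expires: 31_536_000, subdomains: false })
    @app = app
    @only = only
    @strict = strict
    @hsts = hsts
  end

  def call(env)
    secure = secure_request?(env)
    protected_path = wants_https?(env)

    # Path must be HTTPS but arrived over HTTP: redirect it.
    return redirect(env, 'https') if protected_path && !secure
    # strict: paths outside only: are forced back to plain HTTP.
    return redirect(env, 'http') if @strict && !protected_path && secure

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Browsers only honour HSTS on HTTPS responses (RFC 6797), so the header
    # is pointless on plain-HTTP responses and is not set there.
    headers['Strict-Transport-Security'] = hsts_value if secure && @hsts
    [status, headers, body]
  end

  private

  # Behind a TLS-terminating proxy the original scheme arrives in X-Forwarded-Proto.
  def secure_request?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def wants_https?(env)
    @only.nil? || env['PATH_INFO'].match?(@only)
  end

  def redirect(env, scheme)
    location = "#{scheme}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    location += "?#{query}" unless query.empty?
    # 301 Moved Permanently is what browsers cache; that caching is the page's complaint.
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ["Redirecting to #{location}"]]
  end

  def hsts_value
    directives = ["max-age=#{@hsts.fetch(:expires)}"]
    directives << 'includeSubDomains' if @hsts[:subdomains]
    directives.join('; ')
  end
end

# Stand-in for the Rails app downstream of the middleware (assumption, not Rails).
OK_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Constructed Rack env for localhost:3000 (sample input, not a captured request).
def build_env(scheme, path, query: '', forwarded: nil)
  env = {
    'rack.url_scheme' => scheme,
    'HTTP_HOST' => 'localhost:3000',
    'PATH_INFO' => path,
    'QUERY_STRING' => query
  }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  env
end

if $PROGRAM_NAME == __FILE__
  enforcer = SslEnforcer.new(OK_APP, only: %r{\A/(login|account)}, strict: true)
  [%w[http /login], %w[https /login], %w[https /about]].each do |scheme, path|
    status, headers, = enforcer.call(build_env(scheme, path))
    puts "#{scheme} #{path} -> #{status} #{headers.slice('Location', 'Strict-Transport-Security')}"
  end
end
```

Running it shows `http /login` answered with a 301 to `https://localhost:3000/login`, `https /login` passed through with `Strict-Transport-Security: max-age=31536000`, and, because of `strict: true`, `https /about` bounced back to `http://localhost:3000/about`. The `hsts: { expires: 1 }` variant from the answer simply yields `max-age=1`, which is what lets clients that already stored the host forget it almost immediately.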
  • 2021-01-12 09:41

    First, I should say that I haven't tried this, but there are mainly two possible reasons for Chrome still using HTTPS:

    • Using HTTP Strict Transport Security headers: if the server sets them, the client (supporting HSTS, like Chrome) is meant to stick to HTTPS for all subsequent requests to that host.

    • Permanent redirects. If the initial redirect you got was using "301 Moved Permanently" (and not 302, for example) to make the redirection (*), the browser is meant to remember it ("The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs").

    A likely solution to this would be to clear the cache in your browser.

    (*) This question seems to indicate this is the case for Ruby on Rails with this config.

    0 · Discussion (0)
  • 2021-01-12 09:42

    Let's see what happened once you updated your config file with:

    config.force_ssl = true
    

    This has caused Rack SSL Middleware to be loaded as the first middleware. As you can see in the code, Rack SSL sets an HSTS header by adding this line to the headers:

    Strict-Transport-Security
    

    It tells supported browsers such as Chrome to use HTTPS only to access your website.

    So once you set it back to:

    config.force_ssl = false
    

    Chrome will still use HTTPS to access your website, which causes an error.

    To solve this problem, you need to empty the HSTS cache. You can do that by going to the following URL in your Chrome browser: chrome://net-internals/#hsts

    0 · Discussion (0)
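The answer above (and the HSTS bullet of the previous one) describe the browser side of the problem: once Chrome has stored a Strict-Transport-Security entry for localhost, it upgrades every later http://localhost:3000 request itself, so turning `force_ssl` back off on the server changes nothing until that entry is gone. The following added example is a toy model of such a store, written for this page; it is not Chrome's code. The header handling follows RFC 6797 (header ignored over plain HTTP, `max-age=0` deletes the host, `includeSubDomains` covers child hosts), and the timestamps, hostnames and the `replay_localhost_story` scenario are constructed. `secure:` stands for "HTTPS with a trusted certificate", the only case in which a browser records the header.

```ruby
# Added example: a toy model of a browser's HSTS store (not Chrome's code).
# Header semantics follow RFC 6797; hostnames and timestamps are constructed.
class HstsStore
  Entry = Struct.new(:expires_at, :include_subdomains)

  def initialize
    @entries = {}
  end

  # Record the Strict-Transport-Security header of a response, if any.
  # The header is ignored over plain HTTP; max-age=0 removes the host.
  def observe(host, secure:, header:, now:)
    return unless secure && header
    directives = parse(header)
    max_age = directives['max-age']
    return unless max_age
    if max_age.zero?
      @entries.delete(host)
    else
      @entries[host] = Entry.new(now + max_age, directives.key?('includesubdomains'))
    end
  end

  # The scheme the browser really uses for a request typed as http://host.
  def scheme_for(host, now:)
    hsts_host?(host, now) ? 'https' : 'http'
  end

  private

  # "max-age=31536000; includeSubDomains" -> {"max-age"=>31536000, "includesubdomains"=>nil}
  def parse(header)
    header.split(';').each_with_object({}) do |directive, acc|
      name, value = directive.strip.split('=', 2)
      next if name.nil? || name.empty?
      acc[name.downcase] = name.casecmp?('max-age') ? value.to_s.delete('"').to_i : value
    end
  end

  def hsts_host?(host, now)
    entry = @entries[host]
    return true if entry && entry.expires_at > now
    @entries.delete(host) if entry # expired entry is dropped on first use
    # A parent domain recorded with includeSubDomains also covers this host.
    labels = host.split('.')
    (1...labels.size).any? do |i|
      parent = @entries[labels[i..-1].join('.')]
      parent && parent.include_subdomains && parent.expires_at > now
    end
  end
end

# Replays the sequence from the answer above with constructed timestamps and
# returns the scheme the browser picks at each step.
def replay_localhost_story
  store = HstsStore.new
  t0 = Time.utc(2021, 1, 12, 9, 0, 0)
  schemes = []
  # 1. force_ssl = true: the HTTPS response carries the header Rack SSL adds.
  store.observe('localhost', secure: true, header: 'max-age=31536000', now: t0)
  schemes << store.scheme_for('localhost', now: t0 + 60)
  # 2. force_ssl = false: the server now answers plain HTTP with no header,
  #    but the stored entry is still valid, so the browser upgrades anyway.
  store.observe('localhost', secure: false, header: nil, now: t0 + 3600)
  schemes << store.scheme_for('localhost', now: t0 + 3600)
  # 3. Removing the entry (what chrome://net-internals/#hsts does by hand) is
  #    the same as the server sending max-age=0 on a valid HTTPS response.
  store.observe('localhost', secure: true, header: 'max-age=0', now: t0 + 7200)
  schemes << store.scheme_for('localhost', now: t0 + 7200)
  schemes
end

puts replay_localhost_story.inspect if $PROGRAM_NAME == __FILE__
# → ["https", "https", "http"]
```

Step 2 is the situation in the question: the server has stopped enforcing SSL, yet the model still answers `https` because the decision is made from the stored entry, not from anything the server sends over plain HTTP. Only step 3, deleting the entry (manually in Chrome, or by a `max-age=0` header delivered over a working HTTPS connection), returns the host to plain `http`.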