Infinite redirects behind AWS ELB

[gnitnuj]

Pretty sure I have NGINX config correct.

Started with config.middleware.use Rack::SslEnforcer, :except_environments => 'development', :except => [/.*\/demo$/, /.*\/preview$/, /.*\/debug$/], :force_secure_cookies => false, :strict => true, and wasn't hitting AWS ELB.

So I decided to take baby steps instead...

Switched over to config.middleware.use Rack::SslEnforcer, :redirect_to => "http(s)://project_url" as proposed by the behind a proxy section, and found out that ELB wasn't able to pass health checks because they are always done via http.

So I added :except_agents => 'ELB-HealthChecker/1.0' in order to exempt the ELB health checks, and am now getting redirects again.

I'm going to resume solving this tomorrow with fresh idea, but any help would be appreciated!

[tobmatth]

I am not familiar with AWS ELB, but setting [1] X-Forwarded-Proto as described in [2] might help...

[1] https://github.com/tobmatth/rack-ssl-enforcer#nginx
[2] http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html

[gnitnuj]

@tobmatth, I'll give that a try later today and keep this thread updated!

[gnitnuj]

For all those behind AWS ELB, this what what did it for us.

config.middleware.use Rack::SslEnforcer,
                          # this ignores elb healthchecks and development env
                          # elb healthchecks aren't forwarded requests, so it wouldn't have forwarded proto
                          # same goes when running without a proxy (like dev locally)
                          ignore: lambda { |request| request.env["HTTP_X_FORWARDED_PROTO"].blank? },
                          strict: true

[tobmatth]

Glad you figured it out. Just merged your PR, thanks!

[gnitnuj]

No problem! I'm hoping it'll at the very least point people in the right direction. And for those behind Amazon ELB specifically, they'll be able to copy and paste and be on their way! :)