3

I'm trying to get HTTPS to work for my site, but I'm getting ActionController::InvalidAuthenticityToken for all post requests. I logged the form_authenticity_param and form_authenticity_token and they are in fact different.

The SSL is resolved at the Elastic Load Balancer and a non-SSL request is sent to the web app. The expected CSRF token is stored in the cookie-based session, so the sessions for HTTP and HTTPS appear to expect different tokens. When using HTTP on the site, the post/put requests work fine.

I've been stuck on this problem for a bit. Any advice would be helpful.

oniiko

1 Answer

5

I have the same problem, but it's not rails.

I fixed the problem by adding `proxy_set_header X-Forwarded-Proto https;` in my nginx.config:

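```nginx
location @videos {
    proxy_pass http://videos;
    # Pass the client address chain to the upstream app
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tell the upstream app that the original request was made over HTTPS
    proxy_set_header X-Forwarded-Proto https;
    # Preserve the Host header the client sent
    proxy_set_header Host $http_host;
    proxy_redirect off;
}
```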
jadeydi
  • I ran into a similar issue, interestingly enough, after a Rails 5.2 upgrade for whatever reason. Adding the above resolved the issue. – beaorn Jul 21 '18 at 00:15
  • @beaorn It may be related that with Rails 5.1 the option `action_controller.forgery_protection_origin_check` is enabled by default. – nlsrchtr Sep 25 '18 at 22:52
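
The interaction between the `X-Forwarded-Proto` header from the answer and the origin check named in the last comment, as an added example that is not code from this thread or from Rails itself. It is a simplified plain-Ruby model: the helper names, the `shop.example` host and the request hashes are constructed for illustration, and the host is assumed to be on the default port.

```ruby
# Simplified model (not Rails or Rack source) of how an app behind a
# TLS-terminating proxy derives its own base URL and compares it with
# the browser's Origin header on a POST.

# Scheme as the app sees it: use X-Forwarded-Proto when the proxy sets it,
# otherwise fall back to the scheme of the proxy-to-app hop.
def effective_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  if forwarded && !forwarded.empty?
    return forwarded.split(",").first.strip.downcase
  end
  env.fetch("rack.url_scheme", "http")
end

# Base URL the app believes it is served from (default port assumed).
def base_url(env)
  "#{effective_scheme(env)}://#{env.fetch('HTTP_HOST')}"
end

# Origin rule modelled here: a missing Origin is accepted, a literal
# "null" Origin is rejected, anything else must equal the base URL.
def origin_matches?(env)
  origin = env["HTTP_ORIGIN"]
  return false if origin == "null"
  origin.nil? || origin == base_url(env)
end

# Constructed sample: the browser posts to https://shop.example, the load
# balancer terminates TLS and forwards the request over plain HTTP.
WITHOUT_HEADER = {
  "REQUEST_METHOD"  => "POST",
  "rack.url_scheme" => "http",
  "HTTP_HOST"       => "shop.example",
  "HTTP_ORIGIN"     => "https://shop.example"
}.freeze

# Same request once the proxy adds the header from the answer above.
WITH_HEADER = WITHOUT_HEADER.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $PROGRAM_NAME
  [["without X-Forwarded-Proto", WITHOUT_HEADER],
   ["with X-Forwarded-Proto", WITH_HEADER]].each do |label, env|
    puts "#{label}: base_url=#{base_url(env)} origin_ok=#{origin_matches?(env)}"
  end
end
```

Hardcoding `https` in the proxy is only accurate when that proxy location serves TLS traffic exclusively; if the same location also handles plain HTTP, forwarding the actual scheme keeps the app's view consistent with what the browser sent.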