11

I have a site hosted on Elastic Beanstalk built with Ruby on Rails. I set up Cloudflare to configure the DNS and provide a CDN. Cloudflare also provides an SSL.

I can't get the SSL working with my app.

With Cloudflare's SSL set at "Flexible" I can load my main page but when I try to log in, I get these errors (edited for brevity):

INFO -- :  Started POST "/users/sign_in" for xxx.xxx.146.132 at 2018-03-19 16:45:24 +0000
INFO -- :  Processing by Users::SessionsController#create as HTML
INFO -- :    Parameters: {"utf8"=>"✓", "authenticity_token"=>"f92CTIe5qlp7C624DZzZM2oWdFMcq6PhyfOJI16saV32yugMmJlenL/F3gTeBBsAjaAw92P1vncWBzI+JnK8wA==", "user"=>{"email"=>"test@test.com", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
WARN -- :  HTTP Origin header (https://[MY_URL].com) didn't match request.base_url (http://[MY_URL].com)
INFO -- :  Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)  
FATAL -- :  ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

If I set Cloudflare's SSL to "Full" I get a 502 error with a Cloudflare-generated page (see image).

enter image description here

I came across this site (http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf) which seems to have the exact same issue but setting to "full" didn't help me.

I've tried setting config.force_ssl = true in /config/environments/production.rb. That setting would not allow any access to the site. Just shows the same 502 error page from Cloudflare and nothing in my production or nginx logs.

I've tried messing around with custom nginx config's but haven't gotten anywhere. Here is my latest nginx confix attempt:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    server {
        listen       80 ;
        listen       [::]:80 ;
        server_name  localhost;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;


        location / {
          proxy_pass        http://localhost;
          proxy_set_header  Host $host;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto $scheme;
          proxy_set_header  X-Forwarded-Ssl on; # Optional
          proxy_set_header  X-Forwarded-Port $server_port;
          proxy_set_header  X-Forwarded-Host $host;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

Can anyone help? I'm sure I'm missing something obvious here.

Gold Masta
  • 695
  • 1
  • 10
  • 22
  • Any comments would be helpful. I'm really stuck on this one. – Gold Masta Mar 23 '18 at 01:49
  • Looks like you are hitting a CORS issue. Since you've censured the error log to [my-url].com it's hard to know for sure. My guess is that you have some javascript that uses a different url, than what the cloudflare URL is. I.e. you have some javascript that uses the elasticbeanstalk url even when accessing the site via cloudflare.com – colde Mar 29 '18 at 23:16
  • You are getting `ActionController::InvalidAuthenticityToken` so first thing to investigate is: does the token change on each page load or does it stay the same? My wild guess is that Cloudflare is caching your login page and hence sending the same token each time, which is obviously invalid. Please check that and let me know! – Mike Szyndel Mar 31 '18 at 20:49
  • Also, setting `config.force_ssl = true` in your current setup is wrong. Let's fix the initial issue and then go on to establish a secure connection between AWS and Cloudflare – Mike Szyndel Mar 31 '18 at 20:50
  • What kind of Elastic Beanstalk environment are you using? A load-balanced one? In this case the load balancer is terminating SSL and talks to your virtual machines via "normal" `http`. – severin Apr 03 '18 at 21:06

1 Answers1

-2

502 Error: This error says that the Cloudfare server is unable to read the response your rails server sends, basically when you select the Full SSL the Cloudflare expects the response to be in SSL but here the rails app send a NON-SSL (HTTP) response which Cloudflare is unable to read.

I read the article you shared, looks like rails do not allow flexible SSL for security reasons.

Flexible SSL In flexible SSL you don't need to secure your rails app with SSL Certificate(HTTPS) but your visitors still see the site as being HTTPS enabled.

enter image description here

Flexible SSL: secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.

Full SSL
As mentioned in the article if you enable Full SSL, then you need to configure rails config.force_ssl = true to use a Self-signed SSL certificate or you can get a certificate from letsencrypt for free, once you did that you need change your Nginx to run on HTTPS port 443. This should fix the 502 error.

Here is a tutorial on Using HTTPs with Ruby on Rails

enter image description here

Full SSL: secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least.

Image Source

Sudharsan Sivasankaran
  • 5,603
  • 23
  • 19