
This thread makes a good start, but I still have questions. What does force_ssl do in Rails?

All of this is in reference to what happens when you set config.force_ssl = true in your production.rb file.

It makes sense to make your SSL-endpoint your server (say nginx). From that standpoint, I get that nginx will need access to the SSL certificate's private key in order to be able to decrypt the encrypted SSL traffic. This is my very rough understanding.

From there, the server can send that information to the Rails app (through, say, a puma server) via http, and then the Rails app will work on the unencrypted request, create the necessary content to send back, and then send it back up the chain, where it will be re-encrypted by the server (nginx) and sent back to the user.

That's my loose understanding.

  • IF this is [generally] how it works, then how does Rails know when to force a redirect to https if it's getting the request as http?
  • IF this is NOT [generally] how it works, and Rails is actually decrypting the payload, then how can it do that without the private key for the SSL cert?
  • It's done on the web or rails server layer (nginx, apache, puma etc). Rails assumes that a request is over SSL by checking `Rack::Request#ssl?` which just checks if the protocol is https. – max Jan 16 '20 at 20:45
  • So, @max, are you saying that `Rack::Request#ssl` knows that the original request to [in this example] nginx was `https`, even though the request that comes to the Rails app is over `http`? – chico512 Jan 17 '20 at 17:29
  • https://www.rubydoc.info/gems/rack/Rack/Request/Helpers#ssl%3F-instance_method – max Jan 17 '20 at 17:30
  • And check https://www.rubydoc.info/gems/rack/Rack/Request/Helpers#scheme-instance_method for the heuristics. – max Jan 17 '20 at 17:32
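The following is an added illustration, not code from the question, from Rack or from Rails, of the heuristics max points to: a simplified re-implementation of the header checks behind `Rack::Request#scheme` / `#ssl?`, plus the redirect half of what `config.force_ssl` amounts to. The env hashes, hostnames and the `proxy_forward` helper (a stand-in for nginx's `proxy_set_header X-Forwarded-Proto $scheme;`) are constructed for the example; the real `ActionDispatch::SSL` middleware also sets HSTS and secure cookie flags, which this does not model.

```ruby
# Rack-style env keys follow the CGI convention: the HTTP header
# "X-Forwarded-Proto" shows up as env["HTTP_X_FORWARDED_PROTO"].
#
# Simplified version of the order Rack::Request#scheme checks headers in
# (assumption: mirrors Rack 2.x; not the gem's own code).
def request_scheme(env)
  return "https" if env["HTTPS"] == "on"                 # set when TLS is terminated on this server
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"  # older proxy convention
  fwd = env["HTTP_X_FORWARDED_SCHEME"] || env["HTTP_X_FORWARDED_PROTO"]
  if fwd
    # A chain of proxies may append values ("https, http"); the first entry
    # is the scheme the client-facing hop saw.
    return fwd.split(",").first.strip.downcase
  end
  env["rack.url_scheme"] # the scheme the app server itself received
end

def ssl?(env)
  request_scheme(env) == "https"
end

# The redirect side of force_ssl: if the request does not look like https,
# answer with a redirect to the same path on https instead of serving it.
def force_ssl(env)
  if ssl?(env)
    [200, { "Content-Type" => "text/plain" }, ["ok"]]
  else
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    [301, { "Location" => location }, []]
  end
end

# Model of the nginx -> puma hop. The proxy OVERWRITES X-Forwarded-Proto
# from its own knowledge of the client connection, so a value the client
# sent never reaches the app. The hop to puma itself is plain http.
def proxy_forward(client_env, tls:)
  env = client_env.dup
  env["HTTP_X_FORWARDED_PROTO"] = tls ? "https" : "http"
  env["rack.url_scheme"] = "http"
  env
end

# Constructed sample requests (hostname and path are placeholders).
CLIENT_REQUEST = { "HTTP_HOST" => "example.test", "PATH_INFO" => "/login" }.freeze

# Client that sends its own X-Forwarded-Proto over a plain-http connection;
# the proxy's overwrite is what keeps the app from trusting it.
CLIENT_WITH_HEADER = CLIENT_REQUEST.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

def https_via_proxy_status
  force_ssl(proxy_forward(CLIENT_REQUEST, tls: true))[0]   # 200: https at nginx, http to puma
end

def http_via_proxy_status
  force_ssl(proxy_forward(CLIENT_WITH_HEADER, tls: false))  # 301: header overwritten by proxy
end

if __FILE__ == $PROGRAM_NAME
  puts "https at proxy -> #{https_via_proxy_status}"
  status, headers, = http_via_proxy_status
  puts "http at proxy  -> #{status} #{headers['Location']}"
end
```

The point for the question: Rails never sees the TLS session and never needs the private key. nginx decrypts, then tells the app what it saw through `X-Forwarded-Proto`, and `ssl?` trusts that header. That trust is only sound if the proxy always sets the header itself (as `proxy_forward` does) rather than passing through whatever the client sent, and if puma is not reachable directly from the network without going through the proxy.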
