Merge pull request #241 from bruckwubete/master

fix force ssl logic for lb configuration

app/controllers/application_controller.rb

@@ -24,6 +24,9 @@ class ApplicationController < ActionController::Base
   before_action :migration_error?
   before_action :set_locale
 
+  # Force SSL for loadbalancer configurations.
+  before_filter :redirect_to_https
+
   protect_from_forgery with: :exception
 
   MEETING_NAME_LIMIT = 90
@@ -88,4 +91,8 @@ class ApplicationController < ActionController::Base
       moderator_message: "#{invite_msg}\n\n#{request.base_url + room_path(@room)}",
     }
   end
+
+  def redirect_to_https
+    redirect_to protocol: "https://" if loadbalanced_configuration? && request.headers["X-Forwarded-Proto"] == "http"
+  end
 end

config/environments/production.rb

@@ -44,9 +44,6 @@ Rails.application.configure do
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = (ENV["ENABLE_SSL"] == "true")
 
-  # Force SSL for loadbalancer configurations.
-  config.force_ssl = true if ENV["LOADBALANCER_ENDPOINT"].present? && ENV["LOADBALANCER_SECRET"].present?
-
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.
   config.log_level = :debug