Merge pull request #241 from bruckwubete/master

fix force ssl logic for lb configuration
2018-08-15 12:08:10 -04:00 · 2018-08-15 12:08:10 -04:00 · 0d1df083d9
parent f0610f363d 0d252add03
commit 0d1df083d9
2 changed files with 7 additions and 3 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -24,6 +24,9 @@ class ApplicationController < ActionController::Base
  before_action :migration_error?
  before_action :set_locale

+  # Force SSL for loadbalancer configurations.
+  before_filter :redirect_to_https
+
  protect_from_forgery with: :exception

  MEETING_NAME_LIMIT = 90
@ -88,4 +91,8 @@ class ApplicationController < ActionController::Base
      moderator_message: "#{invite_msg}\n\n#{request.base_url + room_path(@room)}",
    }
  end
+
+  def redirect_to_https
+    redirect_to protocol: "https://" if loadbalanced_configuration? && request.headers["X-Forwarded-Proto"] == "http"
+  end
 end
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -44,9 +44,6 @@ Rails.application.configure do
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = (ENV["ENABLE_SSL"] == "true")

-  # Force SSL for loadbalancer configurations.
-  config.force_ssl = true if ENV["LOADBALANCER_ENDPOINT"].present? && ENV["LOADBALANCER_SECRET"].present?
-
  # Use the lowest log level to ensure availability of diagnostic information
  # when problems arise.
  config.log_level = :debug