I see the following error in Terminal when attempting to run a Ruby on Rails app.
HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
2017-03-12 13:10:02 -0400: ENV: {"rack.version"=>[1, 3], "rack.errors"=>#<IO:<STDERR>>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.4.0 Owl Bowl Brawl", "GATEWAY_INTERFACE"=>"CGI/1.2"}
The browser error:
This site can’t provide a secure connection. localhost sent an invalid response. ERR_SSL_PROTOCOL_ERROR
I have tried the following
Clearing browser cache and restarting
Reverting back to an old commit in Git that was working at the time
Restarting terminal
Running a different rails app that was functional
Here are some possible solutions.
Make sure you are connecting through http://localhost:3000 and not https://localhost:3000.
If the browser redirects to HTTPS and it's Google Chrome, try this solution that addresses an HSTS problem: https://stackoverflow.com/a/28586593
Make sure you do not have the production environment (if that's what you're serving) forcing HTTPS. If that's the problem, comment this out or change true to false:
config/environments/production.rb
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
Seems like you are trying to run HTTPS on your local machine. You need to have a TLS toolkit (like OpenSSL) installed on your local machine.
OPENSSL for example.
After you have made sure of that, and if it is still not working, maybe you can find your answer in the next GitHub issue. Seems like a bug with the Puma gem.
GITHUB ISSUE TALK
For those reading this in the future, consider the following:
Did you change your server in your Gemfile, e.g. from Puma to Thin?
Have you set up an SSL certificate?
Are you starting your webserver with SSL certificate flags?
Is SSL turned on in your development/production environment - and what environment are you invoking?
If you are ok with turning off SSL in your development environment you can do so by going to:
config/environments/development.rb and configuring:
config.force_ssl = false
Here is some code that works for me, using puma, that invokes SSL certification (locally). I have created my certificates and have dumped them in the relevant location:
rails s -b 'ssl://localhost:3000?key=./.ssl/localhost.key&cert=./.ssl/localhost.crt'
When I want to run it in a production environment from my PC I use the following:
rails s -b 'ssl://localhost:3000?key=./.ssl/localhost.key&cert=./.ssl/localhost.crt' -e production
HTH
Access the app using a different browser, or if you are in Chrome access it in Incognito mode. After this the error did not show in any browser again. Remember to remove the config.force_ssl or set it to false in the development.rb file first.
Encountered this today after adding and then removing the config.force_ssl = true config in our Rails 6 app's development.rb file. Tried to access the app in localhost, in a Chrome browser, and the same error showed. Restarted rails server several times, to no avail.
Then accessing it in a different browser, where the force ssl version of the app client was never opened, worked.
In my case it was a silly mistake: I started the server on http and my URL was pointing to https.
I hope it would save someone's time ;)
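What the scheme mismatch described in the answers above looks like on the wire, as an added example that is not part of the original posts: a browser using https:// opens with a binary TLS ClientHello, which a plain-HTTP Puma listener cannot parse, and the reverse case gives the OpenSSL "http request" error. The function names and the sample byte strings are constructed for illustration.

```ruby
# Added example, not from the original posts. The byte strings are constructed.
HTTP_METHODS = %w[GET HEAD POST PUT PATCH DELETE OPTIONS CONNECT TRACE].freeze

# First bytes of a TLS handshake record carrying a ClientHello (constructed).
CONSTRUCTED_CLIENT_HELLO =
  [0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03].pack("C*")
# First bytes of a plain-text HTTP request (constructed).
CONSTRUCTED_HTTP_GET = "GET / HTTP/1.1\r\nHost: localhost:3000\r\n\r\n"

# Classifies the first bytes read from a freshly accepted connection.
def classify_first_bytes(data)
  bytes = data.b
  # TLS record header: type 0x16 (handshake), major version 0x03, a minor
  # version byte, two length bytes, then handshake type 0x01 (ClientHello).
  if bytes.bytesize >= 6 && bytes.getbyte(0) == 0x16 &&
     bytes.getbyte(1) == 0x03 && bytes.getbyte(5) == 0x01
    return :tls_client_hello
  end
  method = bytes[/\A([A-Z]+) /, 1]
  return :http_request if method && HTTP_METHODS.include?(method)
  :unknown
end

# Maps listener type plus what arrived to the symptom described in the posts.
def diagnose(listener, data)
  case [listener, classify_first_bytes(data)]
  when [:http, :tls_client_hello]
    "https:// URL reached a plain-HTTP listener: the server logs an HTTP " \
      "parse error and the browser shows ERR_SSL_PROTOCOL_ERROR"
  when [:tls, :http_request]
    "http:// URL reached a TLS listener: OpenSSL reports 'http request' " \
      "while waiting for the ClientHello"
  when [:http, :http_request], [:tls, :tls_client_hello]
    "scheme and listener match"
  else
    "unrecognised first bytes"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts diagnose(:http, CONSTRUCTED_CLIENT_HELLO)
  puts diagnose(:tls, CONSTRUCTED_HTTP_GET)
end
```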
Faced this error as well,
If the above solutions don't work, do a quick check to see if you have this meta tag in your application.html.erb
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
This will force Google Chrome to redirect localhost to HTTPS
If you are setting Content-Security-Policy in your application via action_dispatch.default_headers:
config.action_dispatch.default_headers = ({
'Content-Security-Policy' => "default-src 'self' https:;\
font-src 'self' https: data:;\
img-src 'self' https: data: blob:;\
object-src 'self';\
script-src 'self' https: 'unsafe-inline' 'unsafe-eval';\
style-src 'self' https: 'unsafe-inline';\
upgrade-insecure-requests;\
frame-ancestors *"
})
Make sure to override that setting in your development environment to add http: options to these. Like so:
config.action_dispatch.default_headers = ({
'Content-Security-Policy' => "default-src 'self' http: https:;\
font-src 'self' http: https: data:;\
img-src 'self' http: https: data: blob:;\
object-src 'self';\
script-src 'self' http: https: 'unsafe-inline' 'unsafe-eval';\
style-src 'self' http: https: 'unsafe-inline';\
frame-ancestors *"
})
Related
I'm trying to use Workbox to add PWA functionality to my website. I'm following the Get Started guide, but I'm not getting far. When I run the website in Chrome I get the following error:
Refused to load the script 'https://storage.googleapis.com/workbox-cdn/releases/3.6.1/workbox-sw.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
Per the docs, I am importing workbox-sw.js in my service worker file that is in my wwwroot folder with the following line:
importScripts('https://storage.googleapis.com/workbox-cdn/releases/3.6.1/workbox-sw.js');
The "Refused to load..." error occurs on that import statement.
How can I get rid of this error?
You have a CSP configuration that prevents loading scripts from third-party origins and then you are trying to load a script from Google. You either need to allow the script to load or load the page from your site.
Update the CSP header to allow the Google domain by adding script-src 'self' 'unsafe-eval' https://storage.googleapis.com.
Using Local Workbox Files Instead of CDN
Goal:
get ssl working in development mode (ssl works fine in production on heroku)
My setup:
Ubuntu 16.04
Rails 5.0.1
Puma 3.6.2
config/environments/development.rb
config.force_ssl = true
I tried following along with this puma ssl how-to:
https://gist.github.com/tadast/9932075
(I am not sure what GitHub protocol is regarding pasting above link content here vs referencing it)
If I then use the command line method to run puma
puma -b 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'
I am getting Chrome's 'Not Secure' error when trying to access via the browser after attempting to add certificate to ubuntu.
sudo cp server.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Should I see 1 added here? I also tried copying server.crt to /etc/ssl/certs
If I proceed past chrome block I get console error:
SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request - 336027804>
Instead of using puma on command line I tried adding to config/initializers/puma.rb
bind 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'
and starting:
rails s
I do not get any page load but console shows:
HTTP parse error, malformed request (): #
2017-01-23 10:04:43 -0500: ENV: {"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.6.2 Sleepy Sunday Serenity", "GATEWAY_INTERFACE"=>"CGI/1.2"}
I also tried downgrading puma to 3.5.2
Where am I going wrong?
I solved this problem by enabling mod_ssl in the Apache server and adding some configuration for Apache to listen on port 443. You can also use Nginx in front of Puma to communicate over sockets. There is also a way to solve this problem by installing Puma-dev, which automatically makes the apps available via SSL. I will describe the way I did it; it may help you or someone else:
I made a self-signed certificate first, and after that a new virtual host for my project, for example: site1.local. Then I enabled mod_ssl and default-ssl.conf. I added port 443 and forward secrecy to my virtual host, something like:
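<VirtualHost *:443>
    ServerName site1.local
    SSLEngine on
    SSLCertificateFile "/home/user/.ssh/server.crt"
    SSLCertificateKeyFile "/home/user/.ssh/server.key"
    DocumentRoot /var/www/site1.local/public
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); current browsers only need TLSv1.2 or later
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    # Use the server's cipher preference order instead of the client's
    SSLHonorCipherOrder On
    # ECDHE/DHE suites provide forward secrecy; the trailing !RC4 removes the RC4 suites listed earlier
    SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
</VirtualHost>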
When I restarted the Apache server, I was still getting Google Chrome's unsafe website warning. I needed to manually add the root certificate in Chrome: chrome://settings/certificates, then the Authorities tab and the Import button. I checked all 3 checkboxes before importing the server.crt file. Once I finished importing, I restarted Google Chrome and I got the green https lock in Chrome's search bar.
Some refs:
https://leehblue.com/add-self-signed-ssl-google-chrome-ubuntu-16-04/
Getting Chrome to accept self-signed localhost certificate
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-puma-and-nginx-on-ubuntu-14-04
I hope it helps
After a code break, I got the following error. Then I shut down the server using Ctrl + C and ensured that there is no ruby or rails process running. Yet when I try to run the server it shows the same error:
2017-01-03 13:08:24 +0600: HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
2017-01-03 13:08:24 +0600: ENV: {"rack.version"=>[1, 3], "rack.errors"=>#<IO:<STDERR>>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.6.0 Sleepy Sunday Serenity", "GATEWAY_INTERFACE"=>"CGI/1.2"}
Here are some possible solutions.
Make sure you are connecting through http://localhost:3000 and not https://localhost:3000.
If the browser redirects to HTTPS, try clearing your browser cache and cookies.
If the browser still redirects to HTTPS and it's Google Chrome, try this solution that addresses an HSTS problem: https://stackoverflow.com/a/28586593
Make sure you do not have the production environment (if that's what you're serving) forcing HTTPS. If that's the problem, comment this out:
in config/environments/production.rb
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
I had this issue when I accidentally visited localhost:3000, while my localhost project is configured in Nginx to have a TLS certificate and a domain name in /etc/hosts.
I have a rails app that I had built on Heroku and I had configured it to use SSL there. Now I'm moving to AWS EC2 and I want to get a version of my app working without SSL. Once that is done I will add the SSL functionality later.
My stack is Puma + Nginx + PostgreSQL and I'm working with Rails 4.2.4, Ruby 2.2.3 and Capistrano 3.4.0.
I remember in my app that I had once inserted the line
config.force_ssl = true
in config/environments/production.rb. I commented this out expecting my app to go back to working well with http. But it didn't: even after commenting that line, whenever I visit my EC2 public IP (52.35.82.113) the request gets sent on port 80 (http) and gets redirected to port 443 (https).
This can be seen more clearly when I run curl -v http://localhost on my EC2 instance it returns:
* Rebuilt URL to: http://localhost/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Sat, 12 Dec 2015 12:22:56 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://localhost/
<
* Connection #0 to host localhost left intact
I'm not very experienced when it comes to this stuff. I thought initially the problem would be with my Nginx configuration. In my previous question here it was suggested to me that there was nothing wrong with my Nginx config and that the redirect was coming from Rails. I suspect this is the case since I can't see anything in Nginx that could be enforcing the redirect, but if you think the issue might be there then you can see a lot of the relevant code in the link above.
What else in Rails apart from the force_ssl printed above could be causing the redirect?
Thanks for your help everyone. Let me know if you have any questions or need more info!
This gist suggests it might be because of an HSTS header:
So if you enabled force_ssl once, even [if] you change the config value to false later, the browser you used to open you[r] app before will still remember this website (using domain to identify) [and] require [you] to use HTTPS, and redirect you to HTTPS connection automatically.
According to this page you can remove your HSTS entries by going to chrome://net-internals/#hsts in Chrome and about:permissions in Firefox and deleting ~/Library/Cookies/HSTS.plist in Safari.
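A way to check which of the mechanisms named in these threads is pushing the browser to HTTPS, as an added example that is not part of the original posts: it inspects one response for the force_ssl-style redirect seen in the curl output, the HSTS header from this answer, and the upgrade-insecure-requests directive from the earlier Content-Security-Policy answer. The function names and sample responses are constructed for illustration.

```ruby
# Added example, not from the original posts. Sample responses are constructed.
CONSTRUCTED_REDIRECT_HEADERS = "Server: nginx\nLocation: https://localhost/\n"
CONSTRUCTED_META_BODY =
  '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'

# Parses "Name: value" lines into a hash keyed by lower-cased header name.
def parse_headers(raw)
  raw.lines.each_with_object({}) do |line, headers|
    name, value = line.chomp.split(":", 2)
    next if value.nil? || name.strip.empty?
    headers[name.strip.downcase] = value.strip
  end
end

# Returns the list of HTTPS-upgrade mechanisms present in one response.
def https_upgrade_causes(status, raw_headers, body = "")
  headers = parse_headers(raw_headers)
  causes = []
  # force_ssl (or a proxy in front) answers plain HTTP with a redirect.
  if (300..399).cover?(status) && headers["location"].to_s.start_with?("https://")
    causes << :redirect_to_https
  end
  # HSTS: browsers store it only when it arrives over HTTPS, then rewrite
  # later http:// requests for that host themselves until the entry expires.
  causes << :hsts_header if headers.key?("strict-transport-security")
  # CSP upgrade-insecure-requests delivered as a response header ...
  directives = headers["content-security-policy"].to_s.split(";").map(&:strip)
  causes << :csp_upgrade_header if directives.include?("upgrade-insecure-requests")
  # ... or as a <meta http-equiv> tag in the layout.
  meta = body[/<meta[^>]+http-equiv=["']Content-Security-Policy["'][^>]*>/i].to_s
  causes << :csp_upgrade_meta if meta.include?("upgrade-insecure-requests")
  causes
end

if __FILE__ == $PROGRAM_NAME
  p https_upgrade_causes(301, CONSTRUCTED_REDIRECT_HEADERS)
  p https_upgrade_causes(200, "Content-Type: text/html\n", CONSTRUCTED_META_BODY)
end
```

An empty result for a response fetched with curl, while the browser still switches to HTTPS, points at state cached in the browser rather than at the server.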
In Rails you can force site wide SSL using a config file(like you were doing) or you can pick which endpoints will use SSL and use the force_ssl class method at the controller level.
Maybe you used that method on your application_controller.rb or whichever controller is serving the root path and forgot about it. You may find an example of such a mechanism within the Rails docs: http://api.rubyonrails.org/classes/ActionController/ForceSSL/ClassMethods.html
force_ssl(options = {})
Force the request to this particular controller or specified actions to be under HTTPS protocol.
If you need to disable this for any reason (e.g. development) then you can use an :if or :unless condition.
class AccountsController < ApplicationController
  force_ssl if: :ssl_configured?

  def ssl_configured?
    !Rails.env.development?
  end
end
I tried before to comment this line in production server and it didn't change anything so instead of commenting just change true to false like:
config.force_ssl = false
I experienced this problem too (rails + puma + nginx). Every redirect_to was sent to https, even if coming from http.
In the vhost.conf there was this line:
proxy_set_header X-Forwarded-Proto https;
redirect_to worked properly after changing that to
proxy_set_header X-Forwarded-Proto http;
I had the same problem. Solution for me was:
Delete config.force_ssl = true from application.rb
For Ubuntu: Ctrl + Shift + Del => Clear browsing data
In my case this setting in the nginx config was the reason for the issue:
proxy_set_header X-Forwarded-Ssl on;
Make sure that your config does not contain the same setting.
Last week I tried to debug with SSL activated in WEBrick, but I forget how to restore the settings to default (without SSL). Every time I visit a controller, it now shows:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
And below is the log from the console, can anyone help?
[2011-05-10 07:28:43] INFO WEBrick 1.3.1
[2011-05-10 07:28:43] INFO ruby 1.8.7 (2009-06-12) [universal-darwin10.0]
[2011-05-10 07:28:43] INFO WEBrick::HTTPServer#start: pid=62854 port=3000
[2011-05-10 07:28:58] ERROR bad Request-Line `UQM?x?ʾ???????c??B?????n???BU???*???98?5EDf32?A/??'.
I just ran into this same exact problem today. I added config.force_ssl = true to the application.rb file and got the above error. When I removed the line, the error still persisted.
I fixed it by clearing my browser cookies (Chrome in this case) and it works again. It seems the authentication information is saved in the cookie and something in that keeps reverting our requests to HTTPS but does not authenticate correctly so you get that error. Clearing the cookie solves that issue.
I had a similar issue but wasn't able to fix it by clearing cookies on Chrome (nor any other fixes like rake tmp:clear), and ended up switching to using thin with SSL enabled as suggested in this post:
https://stackoverflow.com/a/11614213
Added this to my Gemfile:
group :development do
gem "thin"
end
Then bundle and thin start --ssl.
I had to use rake tmp:sessions:clear (not just rake:tmp:clear) as well as clearing cookies in the browser to fix this issue.
Open Chrome Developer Tools, click and hold the "page reload" button, and you will see some options; pick "Empty Cache and Hard Reload". Did the trick for me.
Similarly, I received the same error after adding config.force_ssl = true in my config/locales/application.rb file.
To remedy an SSL error, simply edit Rails.application.config.session_store :cookie_store, key: '_app_sessions' in config/initializers/session_store.rb
Changing the '_app_sessions' name to anything else will allow you to start your rails server without ssl and without error.