Heroku apps automatically redirected to HTTPS - ruby-on-rails

I have a Rails 4 app, deployed on Heroku. I want my app to be served via pure HTTP, not HTTPS. So I haven't done anything special to configure an HTTPS redirect (at least I think so). But nevertheless,
my app gets redirected to https every time I visit it. It behaves the same way in both cases, via subdomain.herokuapp.com and via my-subdomain.mydomain.tld, i.e. it prepends https:// to the address. Which in turn (naturally) causes browser warnings about security.
Can I disable such behaviour?
By the way, mydomain.tld and www.mydomain.tld both work without this strange redirection, as does a dummy app generated just for this purpose.

It is caused by config.force_ssl = true in production.rb.
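To see what that one setting actually does, here is a minimal Rack-style middleware that reproduces the behaviour of config.force_ssl = true. This is an added example, not code from the thread or from Rails itself. The detail that matters on Heroku: TLS is terminated at the Heroku router, so the dyno only ever sees a plain-HTTP socket, and the original scheme arrives in the X-Forwarded-Proto header. Any HTTPS-enforcement logic has to read that header rather than the socket scheme, otherwise it would redirect forever. The request hashes at the bottom are constructed stand-ins for what the router would pass.

```ruby
# Added example: a middleware that does what `config.force_ssl = true` does.
# Pure Ruby, no gems; a Rack middleware is just an object responding to call(env).

class ForceSsl
  HSTS_MAX_AGE = 31_536_000 # one year, in seconds

  def initialize(app, enabled: true)
    @app = app
    @enabled = enabled
  end

  def call(env)
    return redirect_to_https(env) if @enabled && !secure?(env)

    status, headers, body = @app.call(env)
    # We only get here for HTTPS requests when enforcement is on, so it is
    # safe to tell browsers to stay on HTTPS (HSTS). Browsers ignore the
    # header on plain-HTTP responses anyway.
    headers["Strict-Transport-Security"] = "max-age=#{HSTS_MAX_AGE}" if @enabled
    [status, headers, body]
  end

  private

  # Behind a TLS-terminating proxy (the Heroku router) the app socket is
  # plain HTTP, so the forwarded scheme takes precedence over rack.url_scheme.
  def secure?(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"]
    scheme = forwarded ? forwarded.split(",").first.strip : env["rack.url_scheme"]
    scheme == "https"
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Content-Type" => "text/html", "Location" => location }, []]
  end
end

# Constructed inner app and requests, standing in for a Rails app behind the router.
APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

def run(enabled, env)
  ForceSsl.new(APP, enabled: enabled).call(env)
end

HTTP_REQ = {
  "rack.url_scheme" => "http",
  "HTTP_HOST" => "my-subdomain.mydomain.tld",
  "PATH_INFO" => "/login",
  "QUERY_STRING" => "next=%2F",
  "HTTP_X_FORWARDED_PROTO" => "http",
}
HTTPS_REQ = HTTP_REQ.merge("HTTP_X_FORWARDED_PROTO" => "https")

if __FILE__ == $PROGRAM_NAME
  p run(true, HTTP_REQ)   # 301 to https://my-subdomain.mydomain.tld/login?next=%2F
  p run(true, HTTPS_REQ)  # 200, with Strict-Transport-Security set
  p run(false, HTTP_REQ)  # 200, no redirect: this is `config.force_ssl = false`
end
```

Note the HSTS header: once a browser has seen it for your host, it will keep rewriting http:// to https:// by itself for max-age seconds, which is why "I turned force_ssl off but my browser still redirects" is a common follow-up (the last thread on this page ran into exactly that with Firefox).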

AWS Cloudfront + Load Balancer, try to change domain from load balancer subdomain

I face the same situation, except that my framework is Ruby on Rails 4.2.6 (Ruby version 2.2.4).
I have done exactly what the solution says, but when I try to log in, it always redirects to the root page (still not logged in).
And I checked the server log; the login status was 200 success.
Another clue is that when I go to a page which does not enable
before_action :authenticate_user!
everything works fine (the domain is not redirected to the ELB domain).
I think the problem is in the login part, but I still haven't found the exact bug and solution.
How to make EC2 catch the host we expected (example.com), not the ELB host (elb.example.com)?
Configure the CloudFront Cache Behavior settings to whitelist the Host header for forwarding. You may also need to whitelist one or more cookies, and possibly query strings. CloudFront forwards minimal headers by default, and no query parameters or cookies.
As a rule, the more things you forward, the lower your cache hit ratio... but obviously certain things must be forwarded unless the site is entirely static.

Weird behavior with session cookies

I have a Rails application hosted on Heroku and I am preparing to deploy another application that will use the same session cookie. Let's assume that the main application is hosted at app.mycompany.com and the new application will be hosted at reports.mycompany.com. I've set up session cookies in both apps with cookie domain .mycompany.com and everything works OK. I've modified /etc/hosts to test those settings on my local machine.
Since everything worked fine on my local machine I wanted to test it on our staging environment, which is hosted at mycompany-staging.herokuapp.com. For this app I've set the cookie domain to .herokuapp.com. And now it does not work. It is not possible to log in. From the inspector it looks like the correct Set-Cookie header is sent from the server, but the browser never sends this cookie back on the request.
The same thing happens on my local machine when pointing mycompany-staging.herokuapp.com to 127.0.0.1. This happens only when I use herokuapp.com. Everything else works fine, or at least a couple of different domains work fine, including herokuapp2.com.
I am really confused. It looks like there is some cache issue, but I don't know where exactly. I am testing this mostly on Chrome with incognito mode, but I also tried Safari with the same problem.
Can anyone point me in the right direction? Or maybe I am missing something obvious.
This is because herokuapp.com is included in the Mozilla Foundation's Public Suffix List. Cookies with domain *.herokuapp.com cannot be set any more. Refer to the doc on devcenter.heroku.com:
herokuapp.com is included in the Mozilla Foundation’s Public Suffix List. This list is used in recent versions of several browsers, such as Firefox, Chrome and Opera, to limit how broadly a cookie may be scoped. In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com. Note that *.herokuapp.com cookies can currently be set in Internet Explorer, but this behavior should not be relied upon and may change in the future.
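The rule the browser is applying can be written down in a few lines. The following is an added example, not part of the answer above, and PUBLIC_SUFFIXES is a constructed three-entry subset of the Mozilla Public Suffix List, just enough for the hosts in this thread; a real implementation would load the full list. A Domain attribute is rejected when it is itself a public suffix, so every *.herokuapp.com app is its own cookie origin, exactly as separate .com sites are.

```ruby
# Added example: the Public Suffix List check a browser applies to a cookie's
# Domain attribute. PUBLIC_SUFFIXES is a constructed subset of the real list.
require "set"

PUBLIC_SUFFIXES = Set.new(%w[com tld herokuapp.com])

# Normalise a Domain attribute as RFC 6265 does: drop a leading dot, lower-case.
def canonical_domain(attr)
  attr.to_s.downcase.sub(/\A\./, "")
end

# The narrowest domain a cookie set by `host` may be scoped to
# (public suffix plus one label), or nil when the host is itself a suffix.
def registrable_domain(host)
  labels = host.downcase.split(".")
  idx = (0...labels.size).find { |i| PUBLIC_SUFFIXES.include?(labels[i..-1].join(".")) }
  return nil if idx.nil? || idx.zero?
  labels[(idx - 1)..-1].join(".")
end

# Can a response from `request_host` set a cookie with Domain=domain_attr?
# Returns [accepted, reason].
def cookie_domain_allowed?(request_host, domain_attr)
  host = request_host.downcase
  domain = canonical_domain(domain_attr)
  return [true, "host-only cookie"] if domain.empty?
  unless host == domain || host.end_with?(".#{domain}")
    return [false, "#{domain} does not domain-match #{host}"]
  end
  return [false, "#{domain} is a public suffix"] if PUBLIC_SUFFIXES.include?(domain)
  [true, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  # The two cases from the question: works on the company domain, dropped on Heroku.
  p cookie_domain_allowed?("app.mycompany.com", ".mycompany.com")
  p cookie_domain_allowed?("mycompany-staging.herokuapp.com", ".herokuapp.com")
  p registrable_domain("mycompany-staging.herokuapp.com")
end
```

The practical consequence is that for a shared session between two Heroku apps you need a domain you control (the .mycompany.com setup from the question), and only the cookie-origin boundary stops any other herokuapp.com tenant from reading your staging session.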

Why buy ssl-endpoint heroku addon?

So I just joined a company that is changing DNS name. So, in order to redirect traffic from www.oldsite.com to newsite.com, I needed to do a redirection (301) on the DNS register. Of course, I also removed oldsite.com from the Heroku app's settings. For the bare oldsite.com, I needed to create a second Rails app called oldsite-redirect so that when https://oldsite.com is requested, it's redirected to https://newsite.com via JavaScript (window.location...).
I forgot to mention that somehow, all the http://oldsite.com requests were redirected in the browser to https://oldsite.com.
So on this second app, I loaded the oldsite's crts (otherwise https:// was raising a "domain doesn't match" warning), made the arrangements in the DNS config panel, and now it's redirected without any problems. https://oldsite.com redirects to https://newsite.com and I didn't have to buy the SSL-Endpoint Heroku addon. So, why do people buy it if you can serve https content without buying it?
Btw, I have been googling and yahooing and I haven't found such an answer.
Also do you have any opinions/suggestion on my monkeypatch redirection?
Thanks in advance for your clarification.

Cloudflare + Heroku SSL

I have a Rails app that is running on Heroku and am using Cloudflare Pro with their Full SSL to encrypt traffic between: User <-SSL-> Cloudflare <-SSL-> Heroku, as detailed in: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/
I am also using the rack-ssl-enforcer gem to force all http requests to go through https.
This is working properly, except I have the following issues, by browser:
1) Firefox. I have to add a security exception the first visit to the site, getting the "This site is not trusted" warning. Once on the site, I also have the warning in the address bar:
2) Chrome: page loads first time, but the lock in the address bar has a warning triangle on it, when clicked displays:
Your connection is encrypted with 128-bit encryption. However, this
page includes other resources which are not secure. These resources
can be viewed by others while in transit, and can be modified by an
attacker to change the look of the page. The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and
uses ECDHE_RSA as the key exchange mechanism.
3) Safari: initially loads with the https badge, but it immediately drops off.
Is there a way to leverage Cloudflare SSL + piggyback of Heroku native SSL without running into these security warnings? If not, I don't see much value in the configuration.
My apologies for slinging erroneous accusations against Cloudflare and Heroku :-)
Turns out the issue was not the fault of either, but instead that images on the app (being served from AWS S3) were being served up without https.
If anyone runs into this situation, lessons learned across a wasted day:
S3 only lets you serve up content via https if you serve from your bucket's dedicated url: s3.amazonaws.com/your-bucket-name/etc..
a) I tried setting the bucket up for static website hosting, so I could use the URL "your-bucket-name.your-url.s3-website-us-east-1.amazonaws.com/etc...", and then set up a CNAME within my DNS that sends "your-bucket-name.your-url" to "your-bucket-name.your-url.s3-website-us-east-1.amazonaws.com/etc...", to pretty up URLs.
b) This works, but AWS only lets you serve via https with your full URL (s3.amazonaws.com/your-bucket-name/etc..) or *.s3-website-us-east-1.amazonaws.com/etc..., which doesn't work if you have a dot in your bucket name (your-bucket-name.your-url), which was required for me to do the CNAME redirect.
If you want to use AWS CDN with https on your custom domain, AWS' only option is CloudFront with an SSL certificate, which they charge $600/mo for, per region. No thanks!
In the end, I sucked it up and have ugly image URLs that look like: https://s3-website-us-east-1.amazonaws.com/mybucketname..., and using Paperclip, I specify https with ":s3_protocol => :https" in my model. Other than that all is working properly now.
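The Chrome message in the question is a mixed-content warning: the page itself came over TLS but some subresource was fetched over plain HTTP, so an on-path attacker could alter it. Before blaming the CDN or the host, it is worth scanning the rendered HTML for such references. Below is an added example, not from the thread, of a small mixed-content scanner in plain Ruby; it uses a regex rather than a real HTML parser (no gems), so it is a quick triage tool, not a browser-accurate one. SAMPLE_HTML is constructed to mirror the situation in the answer: S3 images referenced over http:// from an https:// page.

```ruby
# Added example: find subresources an https page loads over plain http.
# Regex-based on purpose (no gems); a browser's own mixed-content logic is the
# final word, this just tells you where to look.

# A reference is "active" when the browser fetches or submits to it. Plain <a>
# links only navigate and are not mixed content, so they are skipped.
FETCH_ATTRS = %w[src href action].freeze

def mixed_content(page_url, html)
  return [] unless page_url.downcase.start_with?("https://")

  pattern = /<(\w+)[^>]*?\b(#{FETCH_ATTRS.join('|')})\s*=\s*["']([^"']+)["']/i
  html.scan(pattern).each_with_object([]) do |(tag, attr, url), found|
    next if tag.casecmp?("a")          # navigation link, not a subresource
    next unless url =~ %r{\Ahttp://}i  # https:// and //protocol-relative are fine
    found << { tag: tag.downcase, attr: attr.downcase, url: url }
  end
end

# What Paperclip's `:s3_protocol => :https` achieves at the URL level: rewrite
# the scheme of every flagged reference.
def upgrade_insecure(html)
  html.gsub(%r{\b(src|href|action)(\s*=\s*["'])http://}i) { "#{$1}#{$2}https://" }
end

# Constructed page standing in for the app in the thread.
SAMPLE_HTML = <<~HTML
  <html><body>
    <img src="http://s3.amazonaws.com/mybucket/logo.png">
    <img src="https://s3.amazonaws.com/mybucket/hero.png">
    <script src="//cdn.example.com/app.js"></script>
    <a href="http://example.com/about">About</a>
    <link rel="stylesheet" href="http://cdn.example.com/site.css">
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  mixed_content("https://app.example.com/", SAMPLE_HTML).each do |hit|
    puts "mixed content: <#{hit[:tag]} #{hit[:attr]}=#{hit[:url]}>"
  end
  puts mixed_content("https://app.example.com/", upgrade_insecure(SAMPLE_HTML)).empty?
end
```

Upgrading the asset URLs in the application, as the answer did, is the fix that keeps working across browsers; note that `upgrade_insecure` above also rewrites the plain <a> link, which is harmless for the warning but means the target host must actually serve https.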

cname redirect causing phishing warning in heroku

I changed my CNAME records as outlined in this link https://devcenter.heroku.com/articles/custom-domains. The redirect itself works; the issue is that in Chrome (and I assume other browsers) it gives me a phishing alert.
This is probably not the site you are looking for!
You attempted to reach app.grewpr.com, but instead you actually reached a server identifying itself as *.herokuapp.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of app.grewpr.com.
You should not proceed, especially if you have never seen this warning before for this site.
How would I fix this error? It also puts a red line through the https lock.
Since you're using HTTPS, you should follow slightly different DNS configuration instructions: https://devcenter.heroku.com/articles/ssl#configuredns
Had the same problem. Your custom domain app uses your host's certificate. Either buy the SSL addon, or if 'http' is OK for you, change the SSL settings for your app. In "environments/production.rb" there must be the following configuration, "config.force_ssl = false", which by default is set to true. Had to reset Firefox for it to take effect. Other browsers were OK.
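The warning text quoted in the question says exactly what the browser checked: the name in the address bar (app.grewpr.com) against the names the presented certificate is valid for (*.herokuapp.com). A CNAME changes where DNS sends the TCP connection, not which certificate the endpoint serves, so pointing a custom hostname at the shared endpoint yields a name mismatch. The following is an added example, not code from the thread or from Heroku: it builds a self-signed certificate as a constructed stand-in for the wildcard certificate and runs Ruby's own stdlib hostname matcher (OpenSSL::SSL.verify_certificate_identity) against it, which is the same check a TLS client performs. Key generation is the slow part (about a second).

```ruby
# Added example: reproduce the hostname-mismatch check behind the browser warning.
require "openssl"

# Constructed self-signed certificate carrying the given DNS names in its
# subjectAltName; stands in for a real wildcard cert. Not for production use.
def self_signed_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", dns_names.first]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Stand-in for the shared endpoint's certificate.
SHARED_CERT = self_signed_cert(%w[*.herokuapp.com herokuapp.com])

# Does the hostname the user typed match a name in the certificate?
# Wildcards match exactly one label, as in browsers.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $PROGRAM_NAME
  %w[myapp.herokuapp.com app.grewpr.com a.b.herokuapp.com].each do |host|
    puts "#{host}: #{identity_matches?(SHARED_CERT, host) ? 'ok' : 'NAME MISMATCH'}"
  end
end
```

The two ways out are the ones the thread gives: serve a certificate that contains your own hostname (the SSL addon and its DNS instructions), or stop sending browsers to https for that host so no certificate is checked at all. Clearing the browser state, as the answer had to do for Firefox, is needed because a previously seen HSTS header keeps forcing https regardless of config.force_ssl.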
