Handling SSL termination, passing appropriate headers

[hstaab]

Hello, I have MRSK setup on a couple EC2s and am looking to setup SSL termination using Cloudflare or a LB (ive actually done both separately to get familiar with mrsk and Traefik).

My app is running 7.0.4.3 so i cant use Rails 7.1's new assume_ssl feature for this case. What is the recommended way to configure Traefik to forward headers in this case?

Im running into ActionController::InvalidAuthenticityToken errors in particular because of the http/https URL difference.

I had something similar to the following working in the first version of MRSK released, however it no longer works. I am unsure why.

    labels:
      traefik.http.middlewares.polar-md.headers.customrequestheaders.X-Forwarded-Proto: https
      traefik.http.middlewares.polar-md.headers.customrequestheaders.X-Forwarded-Port: 443
      traefik.http.routers.polar.middlewares: polar-md@docker

Thanks in advance!

[jmonteiro]

If you're on Rails 7.0, you can simply inject Rails 7.1's assume_ssl middleware on your own.

Create a config/initializers/assume_ssl.rb with:

# When proxying through a load balancer that terminates SSL, the forwarded request will appear
# as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
# security target HTTP instead of HTTPS. This middleware makes the server assume that the
# proxy already terminated SSL, and that the request really is HTTPS.
class AssumeSSL
  def initialize(app)
    @app = app
  end

  def call(env)
    env["HTTPS"] = "on"
    env["HTTP_X_FORWARDED_PORT"] = 443
    env["HTTP_X_FORWARDED_PROTO"] = "https"
    env["rack.url_scheme"] = "https"

    @app.call(env)
  end
end

# TODO: delete this file once we're on Rails 7.1
Rails.application.config.middleware.insert_before(0, AssumeSSL) if Rails.env.production?

And restart your app. You should be good to go.

[hstaab]

Julio, thank you for the quick and very helpful response. In retrospect this seams rather obvious, though im sure it will be useful to others as well.

Now i'm wondering why my Traefik based solution no longer does the trick..

[curtisspendlove]

For any other dense people staying up way too late trying to get this to work:

This seems to require either some sort of load balancer (Digital Ocean or your preferred cloud provider).

If you want to cheap out on it (for dev, staging, QA, etc) you still need to have Traefik setup to handle the certs (such as through Let's Encrypt).

For Instance, you need this config (which is awesome thanks!) and you also need:

#112

I've added a few additional notes in there addressing some gotchas I ran into.

[hstaab]

For the folks on AWS, you can achieve similar results to the MRSK Hetzner screencast example by using a "Classic Load Balancer" and placing a single server (or more) behind it. The new AWS LBs require multiple servers and multiple AZs (which is silly).

[benbonnet]

can you link to the "MRSK Hetzner screencast" ?

[glaucocustodio]

I guess this one