I’m moving an app to heroku and am having some issues with ssl and redirects.
I’m on rails 3.1 and I’ve tried forcing ssl with middleware in the environments production.rb. I’ve also tried adding it to the application controller.
The problem is, when I do a full site force of ssl, I’m unable to redirect to www before it hits the SSL requirement. This is important because a user would be shown a bad SSL cert warning if they access https://mydomain.com. If they proceed, they then get redirected to ‘www’.
SSL forcing is working, redirecting to ‘www’ subdomain is working, I just need to do the redirect first.
Any ideas?
Per Nathan’s Comment:
I had an imperfect solution. My root_path is not forcing ssl. All parts with sensitive info are forcing it. Upon arriving, all traffic is directed to www with this in my routes.rb:
    # Any request for the bare domain (whatever the path) is redirected
    # to the same URL with the host swapped for the www subdomain.
    constraints(:host => "domain.com") do
      match "(*x)" => redirect { |params, request|
        URI.parse(request.url).tap { |x| x.host = "www.domain.com" }.to_s
      }
    end
This could hide most of the issues, as by the time the user clicked on sign in or anything else, they were now at the www domain. The browser will not give a warning about certificates. This worked fine for this certain project. For another project I ended up paying the big bucks for a signed wildcard cert.
Sorry, not a real solution. If you go to https://domain.com/forcedsslpath the project still gives the security warnings.
Since your 301 is being sent by the application, and the request can’t even reach the application before hitting the middleware (on which rack-ssl runs), your only solutions are to change the middleware or to do the redirect before it even hits the middleware.
For the latter, you’d have to poke around Heroku. I don’t use it myself. On a VPS deployment, you’d just add the redirect on your forward-facing web server (Apache, nginx) before it even hit the middleware. This seems like a common case, so I imagine Heroku might have something there for you.
For the former, it shouldn’t be hard. The rack-ssl middleware is very, very simple, and it shouldn’t be hard to monkeypatch it to suit your needs.
https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L58
I imagine that something like

    url.host = "www.myhost.com"

might be what you’d want (although you can probably tell there are probably more FQDN-agnostic ways to do it).
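Putting the two suggestions together (the www redirect from the asker's routes.rb and the answer's idea of setting the host inside the SSL redirect), here is an added example, not code from the question or from the rack-ssl gem: a small stand-alone Rack middleware that does the canonical-host and HTTPS redirects in a single hop, so a visitor on http://domain.com/signin is sent straight to https://www.domain.com/signin and never to https on the bare domain where the certificate does not match. It reads the scheme from X-Forwarded-Proto the way rack-ssl does, because Heroku's router terminates TLS and the dyno only ever sees plain HTTP. The hostname www.domain.com, the middleware name and the sample env hashes are all assumptions constructed for the example; it uses only the Ruby standard library so it runs without Rails or rack installed.

```ruby
require 'uri'

# Added example middleware (hypothetical name): one redirect that fixes both
# the host and the scheme, instead of rack-ssl bouncing to https on the bare
# domain first and the routes.rb rule bouncing to www second.
class CanonicalHostAndSSL
  # :host is the name the certificate was issued for (assumed "www.domain.com")
  def initialize(app, options = {})
    @app = app
    @canonical_host = options.fetch(:host)
  end

  def call(env)
    if secure?(env) && canonical?(env)
      status, headers, body = @app.call(env)
      # Only ever sent over https: tells browsers to stay on https for a year.
      headers = { 'Strict-Transport-Security' => 'max-age=31536000' }.merge(headers)
      [status, headers, body]
    else
      redirect(env)
    end
  end

  private

  # Heroku's router reports the client's scheme in X-Forwarded-Proto, so that
  # header wins over rack.url_scheme (which is always "http" on the dyno).
  def scheme(env)
    forwarded = env['HTTP_X_FORWARDED_PROTO']
    return forwarded.split(',').first.strip if forwarded && !forwarded.empty?
    env['rack.url_scheme'] || 'http'
  end

  def secure?(env)
    scheme(env) == 'https'
  end

  def request_host(env)
    (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.split(':').first
  end

  def canonical?(env)
    request_host(env) == @canonical_host
  end

  # Rebuild the URL with https and the canonical host, keeping path and query.
  def redirect(env)
    path = env['PATH_INFO'].to_s
    path = '/' if path.empty?
    query = env['QUERY_STRING'].to_s
    url = URI::HTTPS.build(:host => @canonical_host,
                           :path => path,
                           :query => (query.empty? ? nil : query))
    # 301 for safe methods; 307 so a POST keeps its method and body.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Content-Type' => 'text/html', 'Location' => url.to_s }, []]
  end
end

# Constructed sample Rack env (not captured traffic) shaped like what a
# Heroku dyno receives: TLS already terminated, original scheme in the header.
def sample_env(host, path, proto, method = 'GET', query = '')
  {
    'REQUEST_METHOD'         => method,
    'HTTP_HOST'              => host,
    'PATH_INFO'              => path,
    'QUERY_STRING'           => query,
    'HTTP_X_FORWARDED_PROTO' => proto,
    'rack.url_scheme'        => 'http'
  }
end

# Stand-in for the Rails app behind the middleware.
APP = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
STACK = CanonicalHostAndSSL.new(APP, :host => 'www.domain.com')

# Returns [status, Location header] for a constructed request.
def route(host, path, proto, method = 'GET', query = '')
  status, headers, _body = STACK.call(sample_env(host, path, proto, method, query))
  [status, headers['Location']]
end

if __FILE__ == $0
  p route('domain.com', '/signin', 'http')       # [301, "https://www.domain.com/signin"]
  p route('domain.com', '/signin', 'http', 'POST', 'next=%2Faccount')
  p route('www.domain.com', '/signin', 'http')   # still one hop, to https on www
  p route('www.domain.com', '/signin', 'https')  # [200, nil]
end
```

In config/application.rb this would sit above the app's own stack with `config.middleware.insert_before 0, CanonicalHostAndSSL, :host => 'www.domain.com'` (Rails 3 syntax), replacing rack-ssl rather than running after it. Note what it does not fix: a visitor who types https://domain.com gets the certificate warning during the TLS handshake, before any request reaches the dyno, so no redirect issued by the app can prevent that case; as the question update already says, only a certificate that covers the bare domain (such as the wildcard cert mentioned) or a redirect at the edge removes it.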