Apologies if this is the wrong place to ask this question, but I couldn't find an answer on SO or in Issues.
Question not the sensibility, but we are moving to the following network scheme: Load Balancer (ELB, HTTPS) -> Firewall (HTTP) -> ELB (HTTP) -> Rails
We currently have one ELB and it terminates SSL which creates the appropriate header for Rails' force_ssl = true to work properly. The new scheme doesn't provide that header, and the HTTPS redirect is handled by the firewall. We would still like to have HSTS and secure cookies enabled.
After reading through Rails' ssl.rb and ssl-enforcer.rb, it doesn't look possible to avoid the redirect. Have I missed something, is this "impossible", or just stupid (suck it up and put the cert on all the things)?
I'm not sure I got your point and must admit that I have very little experience with ELB, but if rack-ssl-enforcer is not able to determine if the request's scheme is HTTP or HTTPS due to missing headers, you will end up in an infinite redirect loop.
Thanks for looking. I was wondering if I'd missed a way to enable HSTS and secure cookies w/o rack-ssl-enforcer detecting HTTPS and whether it would make sense for a PR to accomplish that.
From our research, it looks like the 2nd, internal ELB will not forward the headers, so we've gone w/ placing the SSL certificate on all devices up to and including the internal load balancer. A hassle because one of the devices isn't under our control, but easier than adding a questionable hack to rack.
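What the question in this thread asks for (HSTS and secure cookies with no scheme detection and no redirect) could look like the Rack-style middleware below. It is an added example, not code from rack-ssl-enforcer, Rails, or anyone in the thread; the class name `UnconditionalTransportSecurity` and the demo app are hypothetical, and it assumes the application is reachable only through the TLS-terminating load balancer, so every client-facing response travels over HTTPS.

```ruby
# Added example (hypothetical names). Sets HSTS and the Secure cookie flag on
# every response, never looks at the request scheme, never redirects.
# Assumption: no client can reach this app except via the HTTPS load balancer.
class UnconditionalTransportSecurity
  HSTS_KEY = "strict-transport-security" # lowercase is valid for Rack 2 and 3

  def initialize(app, max_age: 31_536_000, include_subdomains: true)
    @app = app
    @hsts = "max-age=#{max_age}"
    @hsts += "; includeSubDomains" if include_subdomains
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Drop any differently-cased copy so exactly one HSTS header is sent.
    headers.delete_if { |k, _| k.casecmp?(HSTS_KEY) }
    headers[HSTS_KEY] = @hsts
    key = headers.keys.find { |k| k.casecmp?("set-cookie") }
    headers[key] = secure_cookies(headers[key]) if key
    [status, headers, body]
  end

  private

  # Rack 2 joins multiple cookies with "\n"; Rack 3 passes an Array.
  def secure_cookies(value)
    cookies = value.is_a?(Array) ? value : value.to_s.split("\n")
    flagged = cookies.map do |c|
      # Leave cookies that already carry the attribute untouched.
      c.match?(/;\s*secure\s*(;|\z)/i) ? c : "#{c}; secure"
    end
    value.is_a?(Array) ? flagged : flagged.join("\n")
  end
end

# Constructed demo app: two cookies, one already marked Secure.
DEMO_APP = lambda do |_env|
  [200, { "Set-Cookie" => "sid=abc; path=/; HttpOnly\npref=1; Secure" }, ["ok"]]
end

# The request arrives as plain HTTP (no forwarded-proto header), as in the
# proposed network scheme; the middleware adds the headers regardless.
def demo_response
  UnconditionalTransportSecurity.new(DEMO_APP).call("rack.url_scheme" => "http")
end
```

If any path lets a client reach the app without passing the HTTPS load balancer, this middleware gives no protection on that path, because it never redirects and browsers ignore HSTS received over plain HTTP.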