Why am I getting infinite redirect loop with force_ssl in my Rails app?

Question

I want to have my API controller use SSL, so I added another listen directive to my nginx.conf

upstream unicorn {
  server unix:/tmp/unicorn.foo.sock fail_ti         


        

Answer 1

You're not forwarding any information about whether this request was an HTTPS-terminated request or not. Normally, in a server, the "ssl on;" directive will set these headers, but you're using a combined block.

Rack (and force_ssl) determines SSL by:

• If the request came in on port 443 (this is likely not being passed back to Unicorn from nginx)
• If ENV['HTTPS'] == "on"
• If the X-Forwarded-Proto header == "HTTPS"

See the force_ssl source for the full story.

Since you're using a combined block, you want to use the third form. Try:

proxy_set_header X-Forwarded-Proto $scheme;

in your server or location block per the nginx documentation.

This will set the header to "http" when you come in on a port 80 request, and set it to "https" when you come in on a 443 request.

Answer 2

Try setting this directive in your nginx location @unicorn block:

proxy_set_header X-Forwarded-Proto https;

I had this same issue and investigating the Rack middleware handler (not force_ssl but similar) I could see that it was expecting that header to be set to determine if the request was already processed as being SSL by nginx.