force_ssl在Rails中做什么? [英] What does force_ssl do in Rails?

问题描述

在先前的问题中我发现我应该设置nginx ssl终止并且不让Rails处理加密的数据.

In a previous question I found out that I should be setting nginx ssl termination and not having Rails process encrypted data.

那为什么存在以下内容?

Then why does the following exist?

config.force_ssl = true

我在生产配置文件中看到此注释.但是，如果期望nginx将处理所有ssl内容，以便我的rails应用程序不处理加密数据，那么config.force_ssl = true会做什么?

I see this commented out in the production config file. But if the expectation is that nginx will handle all the ssl stuff so that my rails app doesn't deal with encrypted data then what does config.force_ssl = true do?

如果我知道我将一直使用nginx，是否应该在生产中将其保留为注释状态?

Should I leave it commented out in production if I know I will always be using nginx?

推荐答案

并不强制您的浏览器将HTTP重定向到HTTPS.它还将您的cookie设置为标记为安全"，并启用 HSTS ，每一个都是防止SSL剥离的很好的保护措施.

It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which are very good protections against SSL stripping.

即使HTTPS通过" https://example.com/yourapp "保护您的应用免受MITM攻击，如果有人在您的客户端和服务器之间进行访问，他们可以轻松地使您访问" http://example.com/yourapp".由于没有上述两种保护措施，您的浏览器会很高兴将会话cookie发送给执行MITM的人员.

Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.

这篇关于force_ssl在Rails中做什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！