带有HTTPS + ELB的Rails InvalidAuthenticityToken [英] Rails InvalidAuthenticityToken with HTTPS + ELB

问题描述

我正在尝试使HTTPS可以在我的网站上正常工作，但是我正在为所有帖子请求获取 ActionController :: InvalidAuthenticityToken .我记录了 form_authenticity_param 和 form_authenticity_token ，它们实际上是不同的.

I'm trying to get HTTPS to work for my site, but I'm getting ActionController::InvalidAuthenticityToken for all post requests. I logged the form_authenticity_param and form_authenticity_tokenand they are in fact different.

SSL在Elastic Load Balancer上解析，并且非SSL请求发送到Web应用程序.预期的CSRF令牌存储在基于cookie的会话中，因此HTTP和HTTPS的会话似乎期望使用不同的令牌.在网站上使用HTTP时，发布/发布请求可以正常工作.

The SSL is resolved at the Elastic Load Balancer and a non-SSL request is sent to the web app. The expected CSRF token is stored in the cookie-based session, so the sessions for HTTP and HTTPS appear to expect different tokens. When using HTTP on the site, the post/put requests work fine.

我在这个问题上停留了一段时间.任何建议都会有帮助

I've been stuck on this problem for a bit. Any advice would be helpful

推荐答案

我也遇到了同样的问题，但这不是问题.

I have the same problem, but it's not rails.

我通过在nginx.config中添加 proxy_set_header X-Forwarded-Proto https; 来解决此问题

I fixed the problem by add proxy_set_header X-Forwarded-Proto https; in my nginx.config

  location @videos {
    proxy_pass http://videos;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }

这篇关于带有HTTPS + ELB的Rails InvalidAuthenticityToken的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！